After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode:
• Automatic reboot
Select the automatic reboot method. The system automatically performs the following tasks:
a. Create a default FIPS configuration file named fips-startup.cfg.
b. Specify the default file as the startup configuration file.
c. Require you to configure the username and password for next login.
You can press Ctrl+C to exit the configuring process so the fips mode enable command will not be executed.
The system automatically uses the specified startup configuration file to reboot the device after you configure the administrator's username and password.
• Manual reboot
This method requires that you manually complete the configurations for entering FIPS mode, and then reboot the device.
To use manual reboot to enter FIPS mode:
a. Enable the password control feature globally.
b. Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
c. Set the minimum length of user passwords to 15 characters.
d. Add a local user account for device management, including the following items:
− A username.
− A password that must comply with the password control policies.
− A user role of network-admin or mdc-admin.
− A service type of terminal.
e. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
f. Save the configuration file and specify it as the startup configuration file.
g. Delete the original startup configuration file in binary format.
h. Reboot the device.
After the fips mode enable command is executed, the system prompts you to choose a reboot method. If you do not make a choice within 30 seconds, the system uses the manual reboot method by default.
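The manual reboot procedure above, carried through as a worked CLI session. This is an added example, not an example taken from the original page or from the vendor documentation; the hostname Sysname, the usernames fipsadmin and admin, the password, the file names fips.cfg and startup.mdb, and the wording of the interactive prompts after fips mode enable are assumed for illustration. The commands are the Comware 7 forms of the listed steps: password-control enable, password-control composition, password-control length, local-user ... class manage, authorization-attribute user-role, service-type, save, startup saved-configuration, delete and reboot.

```console
# Added example (not from the original page): enter FIPS mode using the manual reboot method.
# Hostname, account names, password, file names and prompt wording are assumed.
<Sysname> system-view
# Enable the password control feature globally.
[Sysname] password-control enable
# Require all four character types, with at least one character of each type.
[Sysname] password-control composition type-number 4 type-length 1
# Require a minimum password length of 15 characters.
[Sysname] password-control length 15
# Create the management account: compliant password (19 characters, upper case, lower case,
# digits and a symbol), the network-admin role, and the terminal service type only.
[Sysname] local-user fipsadmin class manage
[Sysname-luser-manage-fipsadmin] password simple Comw@re7FipsEntry01
[Sysname-luser-manage-fipsadmin] authorization-attribute user-role network-admin
[Sysname-luser-manage-fipsadmin] service-type terminal
[Sysname-luser-manage-fipsadmin] quit
# Remove the FIPS-incompliant service types from any pre-existing management account
# (assumed account name "admin"; only needed if such an account carries these service types).
[Sysname] local-user admin class manage
[Sysname-luser-manage-admin] undo service-type telnet http
[Sysname-luser-manage-admin] undo service-type ftp
[Sysname-luser-manage-admin] quit
# Enable FIPS mode and decline the automatic reboot (prompt wording is illustrative).
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:n
# Save the configuration to a named file and make it the next-startup configuration file.
[Sysname] save fips.cfg
[Sysname] startup saved-configuration fips.cfg
[Sysname] quit
# Delete the binary form of the previous startup configuration (assumed file name startup.mdb).
<Sysname> delete startup.mdb
# Reboot; the device comes up in FIPS mode with fips.cfg as its startup configuration.
<Sysname> reboot
```

Two points worth checking before the reboot. First, password simple is typed in clear text on the terminal, so the string ends up in the session log of whoever captured the console; the saved configuration stores the hash, not the clear text. Second, on Comware 7 a plain delete moves the file to the recycle bin rather than destroying it, so an old binary startup file that must not be recoverable should be removed with delete /unreserved instead.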
After the undo fips mode enable command is executed, the system provides the following methods to exit FIPS mode:
• Automatic reboot
Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file. The system reboots the device by using the default non-FIPS configuration file. After the reboot, you are directly logged in to the device.
• Manual reboot
This method requires that you manually complete the configurations for entering non-FIPS mode, and then reboot the device. After the device reboots, you must enter user information according to the authentication mode to log in to the device.
Examples
# Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y