characters and 4 character types of uppercase and lowercase letters, digits, and special
characters.
Exiting FIPS mode
After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode.
The system provides two methods to exit FIPS mode: automatic reboot and manual reboot.
Automatic reboot
Select the automatic reboot method. The system automatically creates a default non-FIPS
configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file.
The system reboots the device by using the default non-FIPS configuration file. After the reboot, you
are directly logged into the device.
Manual reboot
This method requires that you manually complete the configurations for entering non-FIPS mode,
and then reboot the device. To log in to the device after the reboot, you must enter user information
according to the authentication mode. The following default authentication modes are available for
different ports or lines (you can modify the default mode as needed):
• The default authentication mode is password for VTY lines.
• The default authentication mode is none for a console port.
After you disable FIPS mode, follow these restrictions and guidelines before you manually reboot the
device:
• If you are logged into the device through Telnet, perform the following tasks without exiting the
  current user line:
  ◦ Set the authentication mode to scheme.
  ◦ Configure the username and password. (You can also use the current username and
    password.)
• If you are logged into the device through a console port, configure one of the following
  authentication modes as needed:
  ◦ Configure the password authentication mode and a password.
  ◦ Configure the scheme authentication mode and configure a new username and password
    (you can also use the current username and password).
  ◦ Configure the none authentication mode.
To disable FIPS mode:
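| Step                  | Command               | Remarks                               |
|-----------------------|-----------------------|---------------------------------------|
| 1. Enter system view. | system-view           | N/A                                   |
| 2. Disable FIPS mode. | undo fips mode enable | By default, the FIPS mode is disabled. |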
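The following added example (not part of the original guide) checks a saved configuration before the manual reboot and reports which lines will accept logins without credentials, applying the non-FIPS defaults stated above when a line block has no explicit authentication mode. The configuration text is constructed, and the "line con"/"line vty" block layout and the authentication-mode keyword are assumptions about how the device writes its configuration file. Settings inherited from line class blocks are not evaluated.

```python
import re

# Defaults the guide states for non-FIPS mode: password on VTY lines, none on the console.
DEFAULT_MODE = {"vty": "password", "console": "none"}
# Assumed config layout: an unindented "line con 0" / "line vty 0 4" header, indented settings.
LINE_RE = re.compile(r"^line\s+(vty|console|con)\b", re.I)
MODE_RE = re.compile(r"^\s+authentication-mode\s+(none|password|scheme)\b", re.I)

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
#
line con 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-admin
#
line vty 5 63
 user-role network-operator
#
"""

def audit_line_auth(config_text):
    """Return {line header: effective authentication mode} for each line block."""
    modes, current = {}, None
    for raw in config_text.splitlines():
        header = LINE_RE.match(raw)
        if header:
            kind = "console" if header.group(1).lower().startswith("con") else "vty"
            current = raw.strip()
            modes[current] = DEFAULT_MODE[kind]   # used unless the block overrides it
        elif current and raw[:1].isspace():
            explicit = MODE_RE.match(raw)
            if explicit:
                modes[current] = explicit.group(1).lower()
        else:
            current = None                        # "#" separator or a new top-level command
    return modes

def unauthenticated_lines(config_text):
    """Line blocks whose effective mode is none, i.e. login needs no credentials."""
    return sorted(h for h, m in audit_line_auth(config_text).items() if m == "none")

if __name__ == "__main__":
    for header, mode in audit_line_auth(SAMPLE).items():
        print(f"{header}: {mode}")
    print("No authentication:", unauthenticated_lines(SAMPLE))
```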
FIPS self-tests
To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms,
including power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up
self-test fails, the device where the self-test process exists reboots. If the conditional self-test fails,
the system outputs self-test failure information.