474
3.
Configure the username and password to log in to the device in FIPS mode. The password
must include at least 10 characters and must contain uppercase and lowercase letters, digits,
and special characters.
4.
Delete all MD5-based digital certificates.
5.
Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key
pairs.
6.
Save the configuration.
After you enable FIPS mode and reboot the device, the following changes occur:
•
The FTP/TFTP server is disabled.
•
The Telnet server is disabled.
•
The HTTP server is disabled.
•
SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
•
The SSH server does not support SSHv1 clients.
•
Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.
•
SSH, SNMPv3, and IPsec do not support DES, RC4, or MD5.
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to
the next-startup configuration file, and then reboot to enter FIPS mode.
# Disable FIPS mode.
<Sysname> system-view
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to
the next-startup configuration file, and then reboot to enter non-FIPS mode.
Related commands
display fips status
fips self-test
Use
fips self-test
to trigger a self-test on the cryptographic algorithms.
Syntax
fips self-test
Views
System view
Default command Level
3: Manage level
Usage guidelines
To examine whether the cryptography modules operate correctly, you can use this command to
trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the
power-up self-test.