Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator
module is invoked. Conditional self-tests include the following types:
•
Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It
uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If
the decryption is successful, the test succeeds. Otherwise, the test fails.
Continuous random number generator test—This test is run when a random number is generated.
•
If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test
can also be run when a DSA/RSA asymmetrical key-pair is generated.
Triggering self-tests
To examine whether the cryptography modules operate correctly, you can trigger a self-test on the
cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails,
the device reboots.
To trigger a self-test:
Step
1.
Enter system view.
2.
Trigger a self-test.
Displaying and maintaining FIPS
Execute the display command in any view.
Task
Display the FIPS mode state.
FIPS configuration examples
Entering FIPS mode through automatic reboot
Network requirements
Use the automatic reboot method to enter FIPS mode, and use a console/AUX/Async port to log in to the
device in FIPS mode.
Configuration procedure
# If you want to save the current configuration, execute the save command before you enable FIPS mode.
# Enable FIPS mode and choose the automatic reboot method to enter FIPS mode. Configure the
username as root and the password as 12345zxcvb!@#$%ZXCVB.
<Sysname> system-view
Command
system-view
fips self-test
Command
display fips status
343