Configuration Changes in FIPS Mode; Exiting FIPS Mode - HPE FlexFabric 7900 Series Security Configuration Manual


8. Save the configuration file and specify it as the startup configuration file.
9. Delete the startup configuration file in binary format (an .mdb file).
10. Reboot the device.

The system enters FIPS mode. You can use the configured username and password to log in to the device in FIPS mode.
To enable FIPS mode:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable FIPS mode. | fips mode enable | By default, the FIPS mode is disabled.

Configuration changes in FIPS mode

When the system enters FIPS mode, the following system changes occur:
• The user login authentication mode can only be scheme.
• The FTP/TFTP server and client are disabled.
• The Telnet server and client are disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSH server does not support SSHv1 clients and DSA key pairs.
• The generated RSA and DSA key pairs must have a modulus length of 2048 bits. When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of 2048 bits.
• SSH, SNMPv3, and IPsec do not support DES, 3DES, RC4, and MD5.
• The password control function cannot be disabled globally. The undo password-control enable command does not take effect.
• The keys must contain at least 15 characters and all 4 character types: uppercase letters, lowercase letters, digits, and special characters. This requirement applies to the following passwords:
  ◦ AAA server's shared key.
  ◦ IKE pre-shared key.
  ◦ SNMPv3 authentication key.
• The password for a device management local user and the password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and all 4 character types: uppercase letters, lowercase letters, digits, and special characters.

Exiting FIPS mode

After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode. A device in non-FIPS mode is not subject to the security requirements of FIPS mode and does not perform self-tests on cryptography modules.

The system provides two methods to exit FIPS mode: automatic reboot and manual reboot.

Automatic reboot

Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file.
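
The restrictions listed under "Configuration changes in FIPS mode" can be checked against a planned configuration before the device is rebooted into FIPS mode. The following Python check is an added example, not code from HPE or this manual; the plan layout, the service and algorithm labels, and the reading of "special characters" as ASCII punctuation are assumptions.

```python
import string

MIN_KEY_LEN = 15
REQUIRED_MODULUS = 2048
# Services and algorithms the manual lists as disabled or unsupported in FIPS mode.
DISABLED = {"ftp", "tftp", "telnet", "snmpv1", "snmpv2c", "sshv1"}
BANNED_ALGS = {"des", "3des", "rc4", "md5"}
# Assumption: "special characters" means ASCII punctuation.
CLASSES = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
           "digit": string.digits, "special": string.punctuation}

def key_problems(key):
    """Reasons a shared key fails the 15-character, 4-character-type rule."""
    problems = []
    if len(key) < MIN_KEY_LEN:
        problems.append(f"length {len(key)} < {MIN_KEY_LEN}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in key):
            problems.append(f"no {name} character")
    return problems

def preflight(plan):
    """List every item in a planned configuration that FIPS mode rejects."""
    findings = []
    mode = plan.get("login_auth_mode", "scheme")
    if mode != "scheme":
        findings.append(f"login authentication mode '{mode}' (only scheme is allowed)")
    for svc in plan.get("services", []):
        if svc.lower() in DISABLED:
            findings.append(f"service {svc} is disabled in FIPS mode")
    for proto, algs in plan.get("algorithms", {}).items():
        for alg in algs:
            if alg.lower() in BANNED_ALGS:
                findings.append(f"{proto}: {alg} is not supported")
    for name, bits in plan.get("key_pair_bits", {}).items():
        if bits != REQUIRED_MODULUS:
            findings.append(f"key pair {name}: modulus {bits}, need {REQUIRED_MODULUS}")
    # Findings name the key but never echo its value.
    for name, key in plan.get("shared_keys", {}).items():
        findings += [f"shared key {name}: {p}" for p in key_problems(key)]
    return findings

# Constructed sample plan; the dict layout and every name in it are hypothetical.
SAMPLE_PLAN = {
    "login_auth_mode": "password",
    "services": ["ssh", "telnet", "snmpv2c", "snmpv3"],
    "algorithms": {"ssh": ["aes128", "3des"], "ipsec": ["aes256", "sha256"]},
    "key_pair_bits": {"ssh-host-rsa": 1024},
    "shared_keys": {"ike-psk": "Short1!", "radius": "Correct-Horse-Battery-9"},
}

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_PLAN)))
```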
