Configuration Changes In Fips Mode; Exiting Fips Mode - HP VSR1000 Security Configuration Manual

9. Delete the startup configuration file in binary format (an .mdb file).
10. Reboot the device.
The system enters in FIPS mode. You can use the configured username and password to log in to
the device in FIPS mode.
To enable FIPS mode:
Step
1. Enter system view.
2. Enable FIPS mode.

Configuration changes in FIPS mode

When the system enters FIPS mode, the following changes occur:
The user login authentication mode can only be scheme.
•
The FTP/TFTP server and client are disabled.
•
• The Telnet server and client are disabled.
The HTTP server is disabled.
•
SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
•
• The SSL server only supports TLS1.0.
The SSH server does not support SSHv1 clients and DSA key pairs.
•
The generated RSA and DSA key pairs must have a modulus length of 2048 bits.
•
When the device acts as a server to authenticate a client through public keys, the key pairs for the
client must also have a modulus length of 2048 bits.
SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, and MD5.
•
• The password control function cannot be disabled globally. The undo password control enable
command does not take effect.
The keys must contain at least 15 characters and 4 compositions of uppercase and lowercase letters,
•
digits, and special characters. This requirement applies to the following passwords (the last two
passwords are for password control):
AAA server's shared key
IKE per-shared key
SNMPv3 authentication key
Password for a device management local user
Password for switching user roles

Exiting FIPS mode

After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode, which does
not have the security requirements of FIPS mode, and does not perform self-tests on cryptography
modules.
The system provides two methods to exit FIPS mode: automatic reboot and manual reboot.
Command
system-view
fips mode enable
338
Remarks
N/A
By default, the FIPS mode is
disabled.