• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Configuration considerations
To enter FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must
   comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and
   special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
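The checks in steps 3 to 5 can be run offline before the device is switched over. The following Python check is an added example, not part of the original guide or the vendor's software. It assumes certificates are inspected as `openssl x509 -noout -text` output, key pairs are listed as (name, type, bits) tuples, and "special characters" means ASCII punctuation; all names and sample data are constructed.

```python
import re
import string

MIN_LENGTH = 10  # step 3: at least 10 characters
SIG_ALG = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)

def password_problems(password):
    """Return the step 3 rules that a candidate password fails."""
    required = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "digit": string.digits,
        # Assumption: "special character" means ASCII punctuation.
        "special character": string.punctuation,
    }
    problems = [f"missing {name}" for name, chars in required.items()
                if not any(c in chars for c in password)]
    if len(password) < MIN_LENGTH:
        problems.insert(0, f"shorter than {MIN_LENGTH} characters")
    return problems

def md5_signed(cert_text):
    """Step 4: True if the certificate text names an MD5-based signature algorithm."""
    return any("md5" in alg.lower() for alg in SIG_ALG.findall(cert_text))

def key_pairs_to_delete(key_pairs):
    """Step 5: DSA pairs under 1024 bits and every RSA pair."""
    return [name for name, kind, bits in key_pairs
            if kind == "RSA" or (kind == "DSA" and bits < 1024)]

def preflight(password, certs, key_pairs):
    """Collect everything that must be fixed before saving the configuration."""
    return {
        "password": password_problems(password),
        "certificates": sorted(n for n, text in certs.items() if md5_signed(text)),
        "key_pairs": key_pairs_to_delete(key_pairs),
    }

# Constructed sample data (not taken from a real device).
SAMPLE_CERTS = {
    "legacy-ca": "Certificate:\n    Signature Algorithm: md5WithRSAEncryption\n",
    "router-id": "Certificate:\n    Signature Algorithm: sha256WithRSAEncryption\n",
}
SAMPLE_KEYS = [("host-dsa-old", "DSA", 768), ("host-dsa", "DSA", 1024),
               ("host-rsa", "RSA", 2048)]

if __name__ == "__main__":
    print(preflight("Admin2024", SAMPLE_CERTS, SAMPLE_KEYS))
```

An empty list under every key means the inventory meets steps 3 to 5 as written above.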
Enabling FIPS mode
Follow these guidelines when you configure FIPS mode:
• If you need to enable both FIPS mode and the password control function, enable FIPS mode first.
• If you need to disable both FIPS mode and the password control function, disable password control
  first.
• After FIPS mode is enabled, delete the local user service types that are not FIPS 140-2 compliant
  (Telnet, HTTP, or FTP) before you reboot the device.
Step                     Command             Remarks
1. Enter system view.    system-view         N/A
2. Enable FIPS mode.     fips mode enable    By default, the FIPS mode is disabled.

Displaying and maintaining FIPS

Task                       Command               Remarks
Display FIPS mode state.   display fips status   Available in any view.

FIPS configuration example
Network requirements
As shown in Figure 261, Host connects to Router through a console port. Configure Router to operate in
FIPS mode and create a local user for Host so that Host can log in to the router.