Fips Self-Test - HP HSR6600 Command Reference Manual


1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must
   comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and
   special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
After you enable FIPS mode and reboot the device, the following changes occur:
The FTP/TFTP server is disabled.
The Telnet server is disabled.
The HTTP server is disabled.
SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.
The SSL server only supports TLS1.0.
The SSH server does not support SSHv1 clients.
Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.
SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
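The checklist and post-reboot restrictions above can be checked before the reboot with a small audit. The following is an added example, not code from the manual or the vendor: the snapshot dictionary layout, the names password_ok and audit, and the sample values are assumptions, and "special character" is taken to mean any non-alphanumeric character.

```python
import re

# Rules transcribed from the checklist and post-reboot behaviour described above.
BANNED_ALGS = {"des", "rc4", "md5"}
FIPS_DISABLED = {"ftp", "tftp", "telnet", "http", "snmpv1", "snmpv2c", "sshv1"}


def password_ok(pw):
    """Step 3: at least 10 characters with upper, lower, digit and special.
    Assumption: any non-alphanumeric character counts as special."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 10 and all(re.search(c, pw) for c in classes)


def audit(snap):
    """Return findings for a device-state snapshot (hypothetical dict layout)."""
    out = []
    if not password_ok(snap.get("login_password", "")):
        out.append("password: fails the 10-character, four-class rule")
    for cert in snap.get("certificates", []):
        if cert["digest"].lower() == "md5":                      # step 4
            out.append(f"cert {cert['name']}: MD5-based, delete")
    for key in snap.get("key_pairs", []):                        # step 5
        kind = key["type"].lower()
        if kind == "rsa" or (kind == "dsa" and key["bits"] < 1024):
            out.append(f"key {key['name']}: {kind} {key['bits']} bits, delete")
    for svc in sorted(FIPS_DISABLED & {s.lower() for s in snap.get("services", [])}):
        out.append(f"service {svc}: unavailable after reboot")
    for alg in sorted(BANNED_ALGS & {a.lower() for a in snap.get("algorithms", [])}):
        out.append(f"algorithm {alg}: not supported in FIPS mode")
    return out


# Constructed sample snapshot, not taken from a real device.
SAMPLE = {
    "login_password": "admin12345",
    "certificates": [{"name": "old-ca", "digest": "MD5"},
                     {"name": "new-ca", "digest": "SHA1"}],
    "key_pairs": [{"name": "hostkey", "type": "RSA", "bits": 2048},
                  {"name": "dsa-small", "type": "DSA", "bits": 512},
                  {"name": "dsa-ok", "type": "DSA", "bits": 1024}],
    "services": ["ssh", "telnet", "snmpv2c", "snmpv3"],
    "algorithms": ["aes128", "rc4", "sha1"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means the snapshot matches every rule encoded here. The TLS1.0-only and 1024 to 2048 bit key generation behaviours are enforced by the device after reboot and are not checked.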
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to
the next-startup configuration file, and then reboot to enter FIPS mode.
# Disable FIPS mode.
<Sysname> system-view
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to
the next-startup configuration file, and then reboot to enter non-FIPS mode.
Related commands
display fips status

fips self-test

Use fips self-test to trigger a self-test on the cryptographic algorithms.
Syntax
fips self-test
Views
System view

This manual is also suitable for:

Hp 6600
