Configuration Changes In Fips Mode - HP FlexFabric 5700 Series Security Configuration Manual


The system automatically uses the startup configuration file to reboot the device and enter FIPS
mode. You can only use the configured username and password to log in to the FIPS device. After
login, you are assigned the role of security administrator Crypto Officer.
Manual reboot
To use manual reboot to enter FIPS mode:
1. Enable the password control feature globally.
2. Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
3. Set the minimum length of user passwords to 15 characters.
4. Add a local user account for device management, including the following items:
   - A username.
   - A password that complies with the password control policies in step 2 and step 3.
   - A user role of network-admin.
   - A service type of terminal.
5. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
6. Enable FIPS mode.
7. Select the manual reboot method.
8. Save the configuration file and specify it as the startup configuration file.
9. Delete the startup configuration file in binary format (an .mdb file).
10. Reboot the device.
The system enters FIPS mode. You can use the configured username and password to log in to the
device in FIPS mode.
To enable FIPS mode:

Step                  | Command          | Remarks
1. Enter system view. | system-view      | N/A
2. Enable FIPS mode.  | fips mode enable | By default, the FIPS mode is disabled.

Configuration changes in FIPS mode

When the system enters FIPS mode, the following changes occur:
- The user login authentication mode can only be scheme.
- The FTP/TFTP server and client are disabled.
- The Telnet server and client are disabled.
- The HTTP server is disabled.
- SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
- The SSL server only supports TLS1.0.
- The SSH server does not support SSHv1 clients and DSA key pairs.
- The generated RSA and DSA key pairs must have a modulus length of 2048 bits.
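A pre-check for the manual reboot procedure and the FIPS-mode changes listed above, as an added example that is not part of the HP manual: it scans a saved configuration for services FIPS mode disables and for the password control settings of steps 1 to 3. The Comware-style line syntax in the patterns and the sample configuration are assumptions constructed for illustration; compare them with your device's actual saved configuration before relying on the result.

```python
import re

# Constructed sample; the Comware-style line syntax is an assumption,
# adjust the patterns to match your device's saved configuration.
SAMPLE = """\
 telnet server enable
 password-control enable
 password-control length 10
 snmp-agent sys-info version v2c v3
line vty 0 63
 authentication-mode password
local-user admin class manage
 service-type ssh telnet terminal
"""

# Settings that FIPS mode disables or that step 5 tells you to delete.
FORBIDDEN = [
    ("Telnet server enabled", r"^telnet server enable$"),
    ("FTP server enabled", r"^ftp server enable$"),
    ("HTTP server enabled", r"^ip http enable$"),
    ("SNMPv1/v2c enabled", r"^snmp-agent sys-info version .*\b(v1|v2c|all)\b"),
    ("login authentication mode is not scheme", r"^authentication-mode (?!scheme\b)\S+"),
    ("local user service type Telnet/HTTP/FTP", r"^service-type .*\b(telnet|http|ftp)\b"),
]
# Password control settings required by steps 1 to 3 of the procedure.
REQUIRED = [
    ("password control is not enabled globally", r"^password-control enable$"),
    ("minimum password length is not at least 15", r"^password-control length (1[5-9]|[2-9]\d)$"),
    ("password composition is not 4 character types",
     r"^password-control composition type-number 4 type-length [1-9]\d*$"),
]

def audit(config_text):
    """Return findings that would conflict with entering FIPS mode."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for msg, pattern in FORBIDDEN:
        findings += [f"{msg}: {ln}" for ln in lines if re.search(pattern, ln)]
    for msg, pattern in REQUIRED:
        if not any(re.search(pattern, ln) for ln in lines):
            findings.append(msg)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```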
