Configuring Fips; Overview; Configuration Restrictions And Guidelines - HP FlexNetwork 10500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Configuration manual (512 pages) ,
- Specifications (42 pages) ,
- Datasheet (20 pages)
Table of Contents
Advertisement
Configuring FIPS
Overview
Federal Information Processing Standards (FIPS) was developed by the National Institute of
Standards and Technology (NIST) of the United States. FIPS specifies the requirements for
cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from
low to high. The device supports Level 2.
Unless otherwise noted, in this document the term FIPS refers to FIPS 140-2.
Configuration restrictions and guidelines
When you configure FIPS, follow these restrictions and guidelines:
•
After the fips mode enable command is executed, the system prompts you to choose a reboot
method. If you do not make a choice within 30 seconds, the system uses the manual reboot
method.
•
Before you reboot the device to enter FIPS mode, the system automatically removes all key
pairs configured in non-FIPS mode and all FIPS-incompliant digital certificates.
FIPS-incompliant digital certificates are MD5-based certificates with the modulus length of key
pairs less than 2048 bits. You cannot log in to the device through SSH after the device enters
FIPS mode. To log in to the device in FIPS mode through SSH, first log in to the device through
a console port, and then create a key pair for the SSH server.
•
The password for entering the device in FIPS mode must comply with the password control
policies, such as password length, complexity, and aging policy. When the aging timer for a
password expires, the system prompts you to change the password. If you adjust the system
time after the device enters FIPS mode, the login password might expire before the next login,
because the original system time is typically much earlier than the actual time.
If you choose the automatic reboot method, set the system time before executing the fips
mode enable command.
If you choose the manual reboot method, set the system time before configuring the local
username and password.
•
To use the manual reboot method, you must perform the following tasks:
a. Save the current configuration file.
b. Specify the current configuration file as the startup configuration file.
c. Delete the startup configuration file in binary format.
d. Reboot the device.
Otherwise, the commands that are not supported by FIPS mode, if they are in the configuration
file, might be restored.
•
The system enters an intermediate state between when the fips mode enable command is
executed and when the system is rebooted. If you choose the manual reboot method, do not
execute any commands except for the following commands:
reboot.
save.
Other commands used for configuration preparation to enter FIPS mode.
•
Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode
and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode,
perform the following tasks:
458
Advertisement
Table of Contents
Troubleshooting
