FIPS Self-Tests - Cisco MDS 9000 Series Configuration Manual


Enabling FIPS Mode
To enable FIPS mode, follow the three steps of the procedure listed in the "Command or Action" table later on this page.
Displaying FIPS Status
To view FIPS status, enter the show fips status command.

FIPS Self-Tests

A cryptographic module must perform power-up self-tests and conditional self-tests to ensure that it is
functional.
Note
FIPS power-up self-tests automatically run when FIPS mode is enabled by entering the fips mode enable
command. A switch is in FIPS mode only after all self-tests are successfully completed. If any of the self-tests
fail, then the switch is rebooted.
Power-up self-tests run immediately after FIPS mode is enabled. A cryptographic algorithm test using a known
answer must be run for all cryptographic functions for each FIPS 140-2-approved cryptographic algorithm
implemented on the Cisco MDS 9000 Family.
Using a known-answer test (KAT), a cryptographic algorithm is run on data for which the correct output is
already known, and then the calculated output is compared to the previously generated output. If the calculated
output does not equal the known answer, the known-answer test fails.
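
The known-answer test pattern described above, as an added Python example (not from the Cisco guide, and not how NX-OS implements its self-tests). The function names are hypothetical, Python's hashlib stands in for the cryptographic module, the vectors are the published "abc" digests for SHA-1 and SHA-256 and RFC 4231 test case 2 for HMAC-SHA-256, and a failure raises an exception where the switch would reboot.

```python
import hashlib
import hmac

# (name, function under test, fixed input, known answer in hex). Known answers are
# published vectors: "abc" digests for SHA-1/SHA-256, RFC 4231 test case 2 for HMAC.
KATS = [
    ("SHA-1", lambda m: hashlib.sha1(m).digest(), b"abc",
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda m: hashlib.sha256(m).digest(), b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256", lambda m: hmac.new(b"Jefe", m, hashlib.sha256).digest(),
     b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]

def faulty_sha256(message):
    """Constructed fault for the demo: SHA-256 with its last output bit flipped."""
    digest = bytearray(hashlib.sha256(message).digest())
    digest[-1] ^= 0x01
    return bytes(digest)

class SelfTestError(RuntimeError):
    """Raised when any KAT fails; the module must not offer crypto services."""

def run_known_answer_tests(kats=KATS):
    """Run every KAT and return the names of the algorithms that failed."""
    failed = []
    for name, func, message, expected_hex in kats:
        try:
            calculated = func(message)
        except Exception:
            failed.append(name)  # an algorithm that cannot run at all also fails
            continue
        if calculated != bytes.fromhex(expected_hex):
            failed.append(name)
    return failed

def enter_fips_mode(kats=KATS):
    """Report FIPS mode only after all self-tests pass (fail closed)."""
    failed = run_known_answer_tests(kats)
    if failed:
        # The switch reboots at this point; this sketch raises instead.
        raise SelfTestError("self-test failed: " + ", ".join(failed))
    return True

if __name__ == "__main__":
    print("FIPS mode:", enter_fips_mode())
    bad = [("SHA-256 (faulty)", faulty_sha256, b"abc", KATS[1][3])]
    print("failed with injected fault:", run_known_answer_tests(bad))
```
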
Conditional self-tests must be run when an applicable security function or operation is invoked. Unlike the
power-up self-tests, conditional self-tests are executed each time their associated function is accessed.
Conditional self-tests include the following:
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
        Command or Action                      Purpose
Step 1  configure terminal                     Enters configuration mode.
        Example:
        switch# configure terminal
Step 2  fips mode enable                       Enables FIPS mode.
        Example:
        switch(config)# fips mode enable
Step 3  no fips mode enable                    (Optional) Disables FIPS mode.
        Example:
        switch(config)# no fips mode enable
Configuring FIPS
