Send documentation comments to mdsfeedback-doc@cisco.com
Follow these guidelines before enabling FIPS mode.
Enabling FIPS Mode
To enable FIPS mode, follow these steps:

Command                              Purpose
switch# config t                     Enters configuration mode.
switch(config)# fips mode enable     Enables FIPS mode.
switch(config)# no fips mode enable  Disables FIPS mode.
Checking for FIPS Status
To view FIPS status, enter the show fips status command.
A cryptographic module must perform power-up self-tests and conditional self-tests to ensure that it is
FIPS power-up self-tests run automatically when FIPS mode is enabled by entering the fips mode enable
command. A switch is in FIPS mode only after all self-tests have completed successfully. If any of the
self-tests fail, the switch is rebooted.
Power-up self-tests run immediately after FIPS mode is enabled. A cryptographic algorithm test using a
known answer must be run for all cryptographic functions for each FIPS 140-2-approved cryptographic
algorithm implemented on the Cisco MDS 9000 Family.
Using a known-answer test (KAT), a cryptographic algorithm is run on data for which the correct output
is already known, and then the calculated output is compared to the previously generated output. If the
calculated output does not equal the known answer, the known-answer test fails.
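The known-answer test procedure described above, written out as an added example (not part of the configuration guide and not the switch's own self-test code): each approved algorithm is run on fixed input, the result is compared with a stored answer, and a single mismatch fails the whole power-up sequence. The vectors are the standard "abc" digests from FIPS 180 and RFC 4231 HMAC test case 2; the 3DES/AES tests the guide mentions are omitted because the standard library has no block cipher.

```python
import hashlib
import hmac

# Known-answer vectors for the self-test (added example, not the guide's own data).
# Each entry maps an algorithm name to (function producing the output, known answer).
KNOWN_ANSWERS = {
    "SHA-1": (
        lambda: hashlib.sha1(b"abc").hexdigest(),
        "a9993e364706816aba3e25717850c26c9cd0d89d",
    ),
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "HMAC-SHA-256": (  # RFC 4231 test case 2: key "Jefe"
        lambda: hmac.new(b"Jefe", b"what do ya want for nothing?", "sha256").hexdigest(),
        "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
    ),
}

def run_kat(name, compute, expected):
    """Run one known-answer test: compute the output on the fixed input and
    compare it with the stored answer (constant-time compare)."""
    actual = compute()
    return hmac.compare_digest(actual, expected)

def power_up_self_tests(vectors=KNOWN_ANSWERS):
    """Run every KAT. Returns (all_passed, {algorithm: passed}).
    FIPS mode may only be entered when all_passed is True; one failure is
    fatal for the whole module (on the MDS 9000 the switch reboots)."""
    results = {name: run_kat(name, compute, expected)
               for name, (compute, expected) in vectors.items()}
    return all(results.values()), results

def corrupted_vectors():
    """Same algorithms, but with the stored SHA-256 answer altered in its last
    hex digit, to show that a KAT catches a computed/known mismatch."""
    bad = dict(KNOWN_ANSWERS)
    compute, expected = bad["SHA-256"]
    bad["SHA-256"] = (compute, expected[:-1] + ("0" if expected[-1] != "0" else "1"))
    return bad

if __name__ == "__main__":
    for vectors in (KNOWN_ANSWERS, corrupted_vectors()):
        ok, detail = power_up_self_tests(vectors)
        print("FIPS mode entered" if ok else "self-test failure: reboot", detail)
```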
Cisco MDS 9000 Family CLI Configuration Guide
Make your passwords a minimum of eight characters in length.
Disable Telnet. Users should log in using SSH only.
Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be
Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for
SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
Delete all IKE policies that either have MD5 for authentication or DES for encryption. Modify the
policies so they use SHA for authentication and 3DES/AES for encryption.
Delete all SSH Server RSA1 key-pairs.
OL-16184-01, Cisco MDS SAN-OS Release 3.x