R3303-HP HSR6800 Routers Security Command Reference
498
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must
include at least 10 characters and must contain uppercase and lowercase letters, digits, and
special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
After you enable FIPS mode and reboot the device, the following changes occur:
• The FTP/TFTP server is disabled.
• The Telnet server is disabled.
• The HTTP server is disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to
the next-startup configuration file, and then reboot to enter FIPS mode.
# Disable FIPS mode.
<Sysname> system-view
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to
the next-startup configuration file, and then reboot to enter non-FIPS mode.
Related commands
display fips status
fips self-test
Use fips self-test to trigger a self-test on the cryptographic algorithms.
Syntax
fips self-test
Views
System view