R3303-HP HSR6800 Routers Security Configuration Guide

Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.
SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Configuration considerations
To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must
comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and
special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
Enabling FIPS mode
Follow these guidelines when you configure FIPS mode:
After you execute the fips mode enable command and before the device reboots, HP recommends that
you execute no commands other than the reboot command and the save command.
If you need to enable both FIPS mode and the password control function, enable FIPS mode first.
If you need to disable both FIPS mode and the password control function, disable password control
first.
After FIPS mode is enabled, delete the local user service types that do not comply with FIPS 140-2
(Telnet, HTTP, or FTP) before you reboot the device.
To enable FIPS mode:
Step                     Command             Remarks
1. Enter system view.    system-view         N/A
2. Enable FIPS mode.     fips mode enable    By default, the FIPS mode is disabled.
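
The password rule in the configuration considerations and the service type guideline above can be checked offline before the reboot. The following is an added example, not code from HP or from this guide. The sample configuration text, its local-user/service-type layout, the function names, and the reading of "special characters" as ASCII punctuation are assumptions.

```python
import string

# Constructed sample of a saved configuration, not taken from the guide. The
# "local-user" / "service-type" layout is an assumption about the config text.
SAMPLE_CONFIG = """\
#
local-user admin
 service-type ssh terminal
local-user legacy
 service-type telnet
 service-type ftp
local-user web
 service-type http ssh
#
"""

# Service types the guide names as not FIPS 140-2 compliant.
NONCOMPLIANT_SERVICES = {"telnet", "http", "ftp"}


def password_meets_fips_rule(password):
    """Return True for 10+ characters with upper, lower, digit and special.

    Assumption: "special characters" means ASCII punctuation.
    """
    return (
        len(password) >= 10
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def noncompliant_service_types(config_text):
    """Map each local user to the Telnet/HTTP/FTP service types still set."""
    findings, user = {}, None
    for line in config_text.splitlines():
        words = line.split()
        if line.startswith("local-user ") and len(words) > 1:
            user = words[1]
        elif not line.startswith(" "):
            user = None  # any other unindented line ends the local-user block
        elif user and words[:1] == ["service-type"]:
            bad = NONCOMPLIANT_SERVICES & set(words[1:])
            if bad:
                findings.setdefault(user, set()).update(bad)
    return findings
```

An empty result from noncompliant_service_types means no local user in the checked text still carries a Telnet, HTTP, or FTP service type.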
Displaying and maintaining FIPS
Execute the display command in any view.
Task                        Command                Remarks
Display FIPS mode state.    display fips status    Available in any view.