R21xx-HP FlexFabric 11900 Security Configuration Guide

method, HP recommends that you set the accurate system time before configuring the local
username and password.
If you choose the manual reboot method to enter FIPS mode, after you save the current configuration
file and specify it as the next startup configuration file, delete the next startup configuration file in
binary notation, and reboot the device. Otherwise, any commands that are unsupported in FIPS mode
but present in the configuration file are restored.
The system enters the intermediate state for FIPS mode after the fips mode enable command is
executed and before the reboot. If you choose the manual reboot method, HP recommends not
executing any commands except the reboot command, the save command, and related
configuration commands.
To switch to non-FIPS mode, execute the undo fips mode enable command in system view, save the
configuration, and reboot the device.
Configuration rollback is supported between configurations in FIPS mode and between configurations
in FIPS mode and non-FIPS mode. After a rollback between FIPS mode and non-FIPS mode
configurations, HP recommends that you delete the local user from the login device and configure a
new local user (local user attributes include password, user role, and service type), save the current
configuration file, specify it as the next startup configuration file, and reboot the device. The rolled
back configuration takes effect after the reboot. During this process, do not exit or perform other
operations.
To make sure the rollback between the configurations in FIPS mode (entered by using the manual
reboot method) and non-FIPS mode succeeds, save the configuration when the device enters FIPS
mode before performing other operations.
To form an IRF fabric, all member devices must use the same FIPS mode setting (configurable with
the fips mode enable command).
If you switch to FIPS mode in the IRF fabric, reboot the IRF member devices.
Enabling FIPS mode
To enable FIPS mode, complete the following tasks:
If you choose the manual reboot method, accomplish the required configurations, including
configuring password control and a local user. For more information, see "Manual reboot."
If you choose the automatic reboot method and saving the current configuration is required, execute
the save command before you enable FIPS mode.
To enable FIPS mode:
Step                     Command             Remarks
1. Enter system view.    system-view         N/A
2. Enable FIPS mode.     fips mode enable    By default, the FIPS mode is disabled.
FIPS self-tests
When the device operates in FIPS mode, it has self-test mechanisms, including the power-up self-test and
conditional self-tests, to ensure the normal operation of cryptography modules. You can also trigger a
self-test. If the power-up self-test fails, the card where the self-test is performed restarts. If the conditional
self-test fails, the system outputs self-test failure information.