R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Configuration considerations
To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must
comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and
special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
Enabling FIPS mode
Follow these guidelines when you configure FIPS mode:
• If you need to enable both FIPS mode and the password control function, enable FIPS mode first.
• If you need to disable both FIPS mode and the password control function, disable password control
first.
• After FIPS mode is enabled, remove the local user service types that do not comply with FIPS 140-2
(Telnet, HTTP, or FTP) before you reboot the device.
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable FIPS mode. | fips mode enable | By default, the FIPS mode is disabled.
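The following pre-check is an added example, not part of the HP guide. It scans a configuration excerpt for local users that still carry the Telnet, HTTP, or FTP service type and tests a candidate password against the rule in step 3. The `local-user` / `service-type` line layout and keyword spellings are assumptions, and the sample configuration is constructed.

```python
import re

# Service types the guide lists as not FIPS 140-2 compliant for local users.
# Keyword spellings are assumed for this example.
NONCOMPLIANT_SERVICES = {"telnet", "http", "ftp"}

def password_ok(pw: str) -> bool:
    """Step 3 rule: at least 10 characters with upper, lower, digit and special."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 10 and all(re.search(c, pw) for c in classes)

def audit_local_users(config: str) -> dict:
    """Return {username: [noncompliant service types]} from a config excerpt.

    Assumes each account starts with a 'local-user NAME' line followed by
    indented 'service-type ...' lines (layout assumed for this example).
    """
    findings, user = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "local-user" and len(words) > 1:
            user = words[1]
        elif not line[0].isspace():
            user = None  # an unindented line ends the local-user block
        elif user and words[0] == "service-type":
            bad = sorted(NONCOMPLIANT_SERVICES.intersection(words[1:]))
            if bad:
                findings.setdefault(user, []).extend(bad)
    return findings

# Constructed sample, not taken from the guide or from a real device.
SAMPLE_CONFIG = """\
local-user admin
 service-type terminal
local-user legacy
 service-type telnet
 service-type ftp
local-user web
 service-type http ssh
interface GigabitEthernet0/0
"""

if __name__ == "__main__":
    print(audit_local_users(SAMPLE_CONFIG))
    for pw in ("Short1!", "alllowercase123!", "Fips#Mode2024"):
        print(pw, password_ok(pw))
```

Any user reported by `audit_local_users` needs its listed service types removed before the reboot that follows enabling FIPS mode.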
Displaying and maintaining FIPS
Task | Command | Remarks
Display FIPS mode state. | display fips status | Available in any view.
FIPS configuration example
Network requirements
As shown in Figure 261, Host connects to Router through a console port. Configure Router to operate in
FIPS mode and create a local user for Host so that Host can log in to the router.










