R2511-HP MSR Router Series Security Command Reference(V5)
Default
The FIPS mode is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The FIPS mode complies with FIPS 140-2.
To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure a username and password used to log in to the device.
The password must include at least 10 characters and must contain uppercase letters, lowercase letters, digits, and special characters.
4. Set the user level to 3, and the service type to Terminal or Web.
5. Delete all MD5-based digital certificates.
6. Delete all DSA key pairs that have a modulus length of less than 1024 bits, and all RSA key pairs.
7. Save the configuration.
8. Reboot the router.
Steps 3, 5, and 6 (the login account, the removal of MD5-based certificates, and the removal of non-compliant key pairs) must be completed before the reboot. After the reboot, the router is working in FIPS 140-2 mode.
For Common Criteria (CC) certification, operating in FIPS mode is equivalent to operating according to the CC standard.
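The procedure above, carried through as one CLI session. This is an added walkthrough written for this page, not an example from the original command reference or from HP; the username fipsadmin, the password, the PKI domain name hq, and the exact wording of the confirmation and modulus prompts are illustrative assumptions, and the post-reboot check with display fips status assumes that command is available on your release.

```console
# Step 1: enable FIPS mode (takes effect after the reboot in step 8).
<Sysname> system-view
[Sysname] fips mode enable

# Step 2: enable the password control function.
[Sysname] password-control enable

# Steps 3 and 4: create a level-3 local user with a compliant password
# (at least 10 characters, all four character classes). Username,
# password and service type are hypothetical choices.
[Sysname] local-user fipsadmin
[Sysname-luser-fipsadmin] password cipher Fips-M0de!R0uter
[Sysname-luser-fipsadmin] authorization-attribute level 3
[Sysname-luser-fipsadmin] service-type terminal
[Sysname-luser-fipsadmin] quit

# Step 5: inspect each local certificate and delete any whose signature
# algorithm is MD5-based. "hq" is a hypothetical PKI domain name.
[Sysname] display pki certificate local domain hq
[Sysname] pki delete-certificate local domain hq

# Step 6: destroy all RSA key pairs and any DSA key pair with a modulus
# shorter than 1024 bits (prompt text is illustrative).
[Sysname] public-key local destroy rsa
Confirm to destroy these keys? [Y/N]:y
[Sysname] public-key local destroy dsa
Confirm to destroy these keys? [Y/N]:y

# Steps 7 and 8: save the configuration and reboot.
[Sysname] save
[Sysname] quit
<Sysname> reboot

# After the reboot, confirm the mode and regenerate host keys at a
# FIPS-acceptable length (RSA 2048 bits; DSA 1024 to 2048 bits) before
# relying on SSH again. The modulus prompt shown is illustrative.
<Sysname> display fips status
<Sysname> system-view
[Sysname] public-key local create rsa
Input the bits of the modulus[default = 1024]: 2048
```

Because Telnet, FTP/TFTP and HTTP servers are disabled once the router comes up in FIPS mode, make sure the SSH server and the new level-3 account are working from a console session before you disconnect; otherwise the only remaining management path is the console port.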
When the system enters the FIPS mode, the following changes occur:
• The FTP/TFTP server is disabled.
• The Telnet server is disabled.
• The HTTP server is disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSL server supports only TLS 1.0.
• The SSH server does not support SSHv1 clients.
• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus
length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable