R0106-HP MSR Router Series Security Configuration Guide(V7)

- Other commands used for configuration preparation to enter FIPS mode.
Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and
non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the
following tasks:
e. Delete the local user and configure a new local user. Local user attributes include password,
user role, and service type.
f. Save the current configuration file.
g. Specify the current configuration file as the startup configuration file.
h. Reboot the device. The new configuration takes effect after the reboot. During this process, do
not exit the system or perform other operations.
If a device enters FIPS or non-FIPS mode through automatic reboot, configuration rollback fails. To
support configuration rollback, you must execute the save command after the device enters FIPS or
non-FIPS mode.
Configuring FIPS mode
Entering FIPS mode
After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device
has strict security requirements, and performs self-tests on cryptography modules to verify that they are
operating correctly.
A FIPS device meets the requirements defined in Network Device Protection Profile (NDPP) of Common
Criteria (CC).
The system provides two methods to enter FIPS mode: automatic reboot and manual reboot.
Automatic reboot
To use automatic reboot to enter FIPS mode:
1. Enable FIPS mode.
2. Select the automatic reboot method.
The system automatically performs the following tasks:
a. Create a default FIPS configuration file named fips-startup.cfg.
b. Specify the default file as the startup configuration file.
c. Prompt you to configure the username and password for next login.
To exit the configuration process, press Ctrl+C. In that case, the fips mode enable command is not
executed.
3. Configure a username and password to log in to the device in FIPS mode.
The password must include at least 15 characters that contain uppercase and lowercase letters,
digits, and special characters.
The system automatically uses the startup configuration file to reboot the device and enter FIPS
mode. You can use only the configured username and password to log in to the FIPS device. After
login, you are assigned the role of security administrator Crypto Officer.
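The following Python check is an added example, not part of the original guide or of the device software. It tests a candidate login password against the rule in step 3 before you type it at the prompt. The function name and the exact set of special characters are assumptions.

```python
import string

MIN_LENGTH = 15  # from the guide: "at least 15 characters"

# Assumption: "special characters" means printable ASCII punctuation.
# The device's exact accepted set is not given on this page.
SPECIAL = set(string.punctuation)

# One entry per character class the guide requires.
REQUIREMENTS = (
    ("uppercase letter", lambda c: c in string.ascii_uppercase),
    ("lowercase letter", lambda c: c in string.ascii_lowercase),
    ("digit", lambda c: c in string.digits),
    ("special character", lambda c: c in SPECIAL),
)


def fips_password_problems(password):
    """Return the unmet requirements; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below {MIN_LENGTH}")
    for name, matches in REQUIREMENTS:
        if not any(matches(c) for c in password):
            problems.append(f"missing {name}")
    # Assumption: anything outside ASCII letters, digits and punctuation
    # (spaces, control or non-ASCII characters) is flagged for manual review.
    allowed = set(string.ascii_letters + string.digits) | SPECIAL
    stray = sorted({c for c in password if c not in allowed})
    if stray:
        problems.append(f"unsupported characters: {stray!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Short1!", "alllowercaseletters123!",
                      "Constructed-Example-2024!"):
        print(candidate, "->", fips_password_problems(candidate) or "OK")
```

The guide states only a minimum length on this page, so the check enforces no upper bound.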
Manual reboot
To use manual reboot to enter FIPS mode: