R0106-HP MSR Router Series Security Configuration Guide(V7)

Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator
module is invoked. Conditional self-tests include the following types:
• Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It
  uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If
  the decryption is successful, the test succeeds. Otherwise, the test fails.
• Continuous random number generator test—This test is run when a random number is generated.
  Each subsequent generation of an n-bit block shall be compared with the previously generated
  block. The test will fail if any two compared n-bit blocks are the same. This test can also be run when
  a DSA/RSA asymmetrical key-pair is generated.
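The continuous random number generator test described above, as an added Python example (not HP's implementation and not part of the original guide). The 16-byte block size, the discarding of the first block, the latched failure state and the `stuck_source` test input are assumptions made for the illustration.

```python
import os
from typing import Callable

class CRNGTFailure(Exception):
    """Two consecutive n-bit blocks were identical."""

class ContinuousRngTest:
    def __init__(self, source: Callable[[int], bytes], block_bytes: int = 16):
        self._source, self._n, self._failed = source, block_bytes, False
        # Assumption: the first block only seeds the comparison and is not output.
        self._previous = self._read()

    def _read(self) -> bytes:
        block = self._source(self._n)
        if len(block) != self._n:
            raise ValueError("source returned a block of the wrong size")
        return block

    def next_block(self) -> bytes:
        if self._failed:  # Assumption: a failure latches until re-initialisation.
            raise CRNGTFailure("generator is in the failed state")
        block = self._read()
        if block == self._previous:
            self._failed = True
            raise CRNGTFailure("consecutive blocks are identical")
        self._previous = block
        return block

def stuck_source(good_calls: int) -> Callable[[int], bytes]:
    """Constructed faulty source: distinct blocks, then the last one repeats."""
    calls = 0
    def read(n: int) -> bytes:
        nonlocal calls
        calls = min(calls + 1, good_calls)
        return calls.to_bytes(n, "big")
    return read

def blocks_before_failure(source, limit: int = 8) -> int:
    """Draw up to `limit` blocks; return how many were delivered before a failure."""
    rng, delivered = ContinuousRngTest(source), 0
    try:
        for _ in range(limit):
            rng.next_block()
            delivered += 1
    except CRNGTFailure:
        pass
    return delivered

if __name__ == "__main__":
    print(blocks_before_failure(os.urandom), blocks_before_failure(stuck_source(3)))
```

The repeated block is never handed to the caller: the comparison happens before the block is returned, so a stuck source stops producing output at the first repeat.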
Triggering self-tests
To examine whether the cryptography modules operate correctly, you can trigger a self-test on the
cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails,
the card where the self-test process exists reboots.
To trigger a self-test:
Step                        Command
1. Enter system view.       system-view
2. Trigger a self-test.     fips self-test
Displaying and maintaining FIPS
Execute display commands in any view.
Task                            Command
Display the FIPS mode state.    display fips status
FIPS configuration examples
Entering FIPS mode through automatic reboot
Network requirements
Use the automatic reboot method to enter FIPS mode, and use a console/AUX/Async port to log in to the
device in FIPS mode.
Configuration procedure
# If you want to save the current configuration, execute the save command before you enable FIPS mode.
# Enable FIPS mode and choose the automatic reboot method to enter FIPS mode. Configure the
username as root and the password as 12345zxcvb!@#$%ZXCVB.
<Sysname> system-view
[Sysname] fips mode enable