User guide
Related Documentation
• SA FIPS on page 7
• Creating Administrator Cards on page 57
• Creating a New Security World on page 17
• Recovering an Archived Security World on page 20
FIPS Overview
The Juniper Networks SA 4500 and 6500 FIPS is a standard SA4500 or SA6500
appliance equipped with a FIPS-compliant crypto card. The tamper-proof hardware
security module installed on a Secure Access FIPS system is certified to meet the FIPS
140-2 level 3 security benchmark.
The configuration process for Secure Access FIPS administrators is almost exactly the
same as for the non-FIPS Secure Access administrators, requiring only minor configuration
changes during the initialization, clustering, and certificate generation processes. In the
few cases where administration tasks are different, this guide includes the appropriate
instructions for both Secure Access and Secure Access FIPS administrators. For end-users,
Secure Access FIPS is exactly the same as a standard Secure Access system.
The FIPS-compliant crypto card is a host bus adapter card that combines IPsec and SSL
cryptographic acceleration with Hardware Security Module (HSM) features. This
combination of a dedicated HSM, advanced cryptographic security, and secure key
management meets the security and performance needs of any service.
This card has two main roles: a security officer role and a user role. The FIPS-compliant
crypto card replaces the need for administrator cards with the concept of a security officer
who is responsible for key and password management. The security officer credential
protects the keystore from being exported and imported onto another FIPS-compliant
crypto card.
User roles perform cryptographic operations such as accessing keying material within
the keystore as well as performing bulk encryption operations.
The security officer credentials, user credentials, and RSA private keys are stored in the
HSM encrypted keystore located on the Secure Access disk. You are prompted to provide
these credentials whenever any operation requires them. Credentials are not automatically
retrieved from the HSM keystore.
Keystores are stored on the disk and are encrypted with a master key. The master key is
stored in the crypto card firmware and can be backed up by a security officer using a
restore password. This restore password can then be used to restore the master key onto
the same or a different FIPS-compliant crypto card, allowing the keystore to be shared
across a cluster, for example.
Related Documentation
• Name and Password Restrictions on page 15
• Initializing a Keystore on page 31
• Reinitializing the Keystore on page 31
Copyright © 2012, Juniper Networks, Inc.
Chapter 2: FIPS