Installing and Removing the AS II FIPS PIC
Crypto Officers are responsible for the proper handling of any AS II FIPS PICs installed in the router. An AS II FIPS PIC is required for external IPSec sessions (internal Routing-Engine-to-Routing-Engine IPSec sessions do not require an AS II FIPS PIC).
The AS II FIPS PIC holds the Juniper Networks root certificate authority (CA) certificate and the factory default password for the PIC.
You must enable (authorize) all AS II FIPS PICs before use, and zeroize them before removal. If you move the AS II FIPS PIC to another system, you must authorize it for the new system.
This section discusses the following AS II FIPS PIC topics:
- Authorizing the AS II FIPS PIC
- Obtaining the AS II FIPS PIC Status
- Zeroizing the AS II FIPS PIC
Authorizing the AS II FIPS PIC
Before you can use an installed AS II FIPS PIC for external IPSec, the Crypto Officer must authorize it. Authorization enables the AS II FIPS PIC, generates the cryptographic keys used for mutual authentication of the Routing Engine and the AS II FIPS PIC, and generates the session key used to encrypt and decrypt the critical security parameters (CSPs) that the Routing Engine sends to the PIC. It also creates a database of installed AS II FIPS PICs, keyed by serial number, that records each PIC's status (authorized or not authorized).
The following automatically occurs when the AS II FIPS PIC is authorized:
- Mutual authentication over IPSec takes place between the active Routing Engine and the PIC being authorized, based on the PIC's factory default password.
- The Routing Engine and AS II FIPS PIC generate private-public key pairs and exchange their public keys over the secure IPSec session.
- The Routing Engine sends the authorized PIC a new password used for zeroization.
The request services fips authorize pic command enables the Crypto Officer to authorize one AS II FIPS PIC at a time, identified by its FPC and PIC slot.
You cannot authorize all installed AS II FIPS PICs with a single command, and you cannot "re-authorize" an installed AS II FIPS PIC that is already authorized.
Obtaining the AS II FIPS PIC Status
You can determine the status of all installed AS II FIPS PICs with the show services fips pic status command:
crypto-officer@host> show services fips pic status
FPC/PIC slot   Serial number   Status
2/0            CC8691          Not authorized
2/2            CC8689          Authorized
Authorized AS II FIPS PICs use a secure channel to the Routing Engine to receive the IPSec security association (SA) keys that are installed on the PIC. If the AS II FIPS PIC is not authorized, the IPSec SA installation aborts, so check the status before you configure external IPSec on a PIC.
Zeroizing the AS II FIPS PIC
A 3DES symmetric session key is generated in the Routing Engine every time the Routing Engine or the AS II FIPS PIC is rebooted. This session key is encrypted and signed with the RSA key pairs exchanged during authorization and pushed to the PIC. IPSec SA keys are then sent to the PIC encrypted with the session key. To maintain the cryptographic boundary, core dumps are disabled on the AS II FIPS PIC. You can return the PIC to its "factory-shipped" state by zeroizing it.
Before you remove an authorized AS II FIPS PIC from the system, you should zeroize the PIC with the request services fips zeroize command:
crypto-officer@host> request services fips zeroize pic fpc-slot 2 pic-slot 0
Zeroization command sent to the PIC. Please check logs for the result.
Note that once the command is issued, the cryptographic boundary around the AS II FIPS PIC is torn down and the result can no longer be reported back to the CLI; check the system logs to confirm the outcome. Allow about 40 seconds for the zeroization of an AS II FIPS PIC to complete before you remove it.
You cannot zeroize all installed AS II FIPS PICs at once. They must be zeroized one at a time. You also cannot zeroize an installed AS II FIPS PIC that has not been authorized:
crypto-officer@host> request services fips zeroize pic fpc-slot 2 pic-slot 2
Command failed as PIC sp-2/2/0 is not authorized yet.
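The status table above and the one-PIC-at-a-time rules for authorize and zeroize lend themselves to a pre-flight check run from a management host before a Crypto Officer touches the router. The following POSIX shell script is an added example and is not Juniper's code: it parses a status listing in the format shown under "Obtaining the AS II FIPS PIC Status" (the embedded listing is constructed from that example), refuses the two operations the router rejects (re-authorizing an authorized PIC, zeroizing an unauthorized one), and emits a zeroization plan that handles the PICs one at a time with the 40-second wait from this section. It assumes that the authorize command takes the same fpc-slot and pic-slot arguments shown for zeroize (the page only shows the zeroize form), and that on a real router you would replace PIC_STATUS with output captured from the CLI, for example over SSH. Nothing here runs on the router itself; it only prints the commands to issue.

```shell
#!/bin/sh
# Added example, not Juniper code. Pre-flight checks for AS II FIPS PIC handling.

# Constructed from the "show services fips pic status" output shown on this page.
# On a real router, override it, e.g.:
#   PIC_STATUS=$(ssh crypto-officer@host 'show services fips pic status')
PIC_STATUS='FPC/PIC slot   Serial number   Status
2/0            CC8691          Not authorized
2/2            CC8689          Authorized'

# pic_status <fpc>/<pic>
# Prints "authorized", "not-authorized", or "absent" for the given slot.
pic_status() {
    slot="$1"
    printf '%s\n' "$PIC_STATUS" | awk -v slot="$slot" '
        NR == 1 { next }                      # skip the header line
        $1 == slot {
            if ($3 == "Not") print "not-authorized"; else print "authorized"
            found = 1
            exit                              # exit still runs the END block
        }
        END { if (!found) print "absent" }'
}

# fips_action <authorize|zeroize> <fpc>/<pic>
# Prints the CLI command to run when the action is valid for the PIC's current
# state; otherwise prints a diagnostic on stderr and returns 1. The diagnostics
# mirror the constraints the router enforces (see the section text).
# Assumption: "authorize pic" takes fpc-slot/pic-slot like "zeroize pic" does.
fips_action() {
    action="$1"; slot="$2"
    fpc="${slot%/*}"; pic="${slot#*/}"
    status=$(pic_status "$slot")
    case "$action:$status" in
        *:absent)
            echo "no AS II FIPS PIC found in slot $slot" >&2; return 1 ;;
        authorize:not-authorized)
            echo "request services fips authorize pic fpc-slot $fpc pic-slot $pic" ;;
        authorize:authorized)
            echo "PIC $slot is already authorized; it cannot be re-authorized" >&2; return 1 ;;
        zeroize:authorized)
            echo "request services fips zeroize pic fpc-slot $fpc pic-slot $pic" ;;
        zeroize:not-authorized)
            echo "PIC $slot is not authorized yet; zeroize is not possible" >&2; return 1 ;;
        *)
            echo "unknown action '$action'" >&2; return 1 ;;
    esac
}

# zeroize_plan
# Emits the commands needed to zeroize every authorized PIC before removal.
# The router cannot zeroize all PICs in one command and reports the result
# only in the logs, so each command is followed by a wait of about 40 seconds.
zeroize_plan() {
    printf '%s\n' "$PIC_STATUS" | awk 'NR > 1 { print $1 }' | while read -r slot; do
        if [ "$(pic_status "$slot")" = "authorized" ]; then
            fips_action zeroize "$slot"
            echo "sleep 40   # then check the system logs for the zeroization result"
        fi
    done
}

# Example session (dry run): what to do with each installed PIC.
fips_action authorize 2/0
fips_action zeroize 2/0 || true     # rejected: not authorized yet
fips_action authorize 2/2 || true   # rejected: already authorized
zeroize_plan
```

Pipe the captured status output into PIC_STATUS on a jump host with the Crypto Officer's credentials, review the printed commands, then issue them on the router one at a time; the script never logs in or changes state, which keeps the decision of when to break a PIC's cryptographic boundary with the operator.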