Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Performing Self-Tests on a Device

 

Understanding FIPS Self-Tests

The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-2 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:

  • kernel_kats—KAT for kernel cryptographic routines

  • md_kats—KAT for libmd and libc

  • openssl_kats—KAT for OpenSSL cryptographic implementation

  • quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation

  • ms_mic_kats—KAT for Multiservices MIC cryptographic implementation

The KAT self-tests are performed automatically at startup and reboot. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA key pairs, and manually entered keys.

If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.

If the device fails a KAT, it writes the details to a system log file, enters FIPS error state (panic), and reboots the device.

The file show /var/log/messages command displays the system log.

Example: Configuring FIPS Self-Tests

This example shows how to configure FIPS self-tests to run periodically.

Hardware and Software Requirements

  • You must have administrative privileges to configure FIPS self-tests.

  • The device must be running the evaluated version of Junos OS in FIPS mode software.

Overview

The FIPS self-test consists of the following suites of known answer tests (KATs):

  • kernel_kats—KAT for kernel cryptographic routines

  • md_kats—KAT for libmd and libc

  • quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation

  • openssl_kats—KAT for OpenSSL cryptographic implementation

  • ms_mic_kats—KAT for Multiservices MIC

In this example, the FIPS self-test is executed at 9:00 AM in New York City, USA, every Wednesday.

Note

Instead of weekly tests, you can configure monthly tests by including the month and day-of-month statements.

When a KAT self-test fails, a log message is written to the system log messages file with details of the test failure. Then the system panics and reboots.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

To configure the FIPS self-test:

  1. Configure the FIPS self-test to execute at 9:00 AM every Wednesday.
  2. If you are done configuring the device, commit the configuration.

Results

From configuration mode, confirm your configuration by issuing the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Confirm that the configuration is working properly.

Verifying the FIPS Self-Test

Purpose

Verify that the FIPS self-test is enabled.

Action

Run the FIPS self-test manually by issuing the request system fips self-test command.

After issuing the request system fips self-test command, the system log file is updated to display the KATs that are executed. To view the system log file, issue the file show /var/log/messages command.

For MX104 device:

user@host> file show /var/log/messages

For MX Series devices with MS-MIC:

user@host> file show /var/log/messages

Meaning

The system log file displays the date and the time at which the KATs were executed and their status.