Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All
     

    Related Documentation

     

    How to Enable and Configure Junos OS in FIPS-Approved Mode of Operation

    You, as Cryptographic Officer, can enable and configure Junos OS in FIPS-approved mode of operation on your device. Before you begin enabling and configuring FIPS-approved mode of operation on the device:

    To enable the Junos OS in FIPS-approved mode of operation, perform the following steps:

    1. Install the Junos OS Release 12.3X48-D30 image, if you have not already done so.

      user@host> request system software add no-copy reboot <firmware-name>

    2. Run integrity and self-tests on powering on the device when the module is operating in the FIPS-approved mode.

      Note: If the module was previously in a non-approved mode of operation, the Cryptographic Officer must zeroize the critical security parameters (CSPs) by following the instructions in Understanding Zeroization to Clear System Data for FIPS Approved Mode of Operation.

    3. Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.

    To configure the Junos OS in FIPS-approved mode of operation, perform the following steps:

    1. Configure SSH to use FIPS-approved and FIPS allowed algorithms, using the following commands:
      user@host# set system services ssh hostkey-algorithm ssh-ecdsa
      user@host# set system services ssh hostkey-algorithm no-ssh-rsa
      user@host# set system services ssh hostkey-algorithm no-ssh-dss
      user@host# set system services ssh hostkey-algorithm no-ssh-ed25519
      user@host# commit
      

      Note: The cryptographic module always enables the following algorithms for SSH: dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, group-exchange-sha1, group-exchange-sha2, hmac-sha1, hmac-sha1-96, and 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr.

      Note: When you run the command request security pki generate-keypair type rsa size 2048 certificate-id the following message appears Generating a key-pair with a large modulus is very time-consuming. Progress is reported to the trace log, and a log message is generated upon completion.

    2. The Cryptographic Officer can change the preference of SSH key exchange and cipher algorithms using the following commands:
      user@host# set system services ssh key-exchange <algorithm>
      <algorithm> - dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, group-exchange-sha1, or group-exchange-sha2
      
      user@host# set system services ssh ciphers <alogrithm>
      <algorithm> - 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr

      Note: These algorithms are always proposed during SSH session negotiation. Explicitly specifying an algorithm moves the algorithm up in the list of proposed algorithms during the SSH session establishment.

    3. The Cryptographic Officer can change the preference of SSH MAC algorithms or enable additional approved algorithms using the following command:
      user@host# set system services ssh macs <algorithm>
      
      <algorithm> - hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, hmac-sha1-96-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.comuser@host# set system services ssh ciphers <alogrithm>
      

      Note: hmac-sha1 and hmac-sha1-96 are always proposed during SSH session negotiation. Explicitly specifying either algorithm moves it up in the list of proposed algorithms during the SSH session establishment. Specifying any other MAC algorithm adds it to the list of algorithms proposed.

    4. For each IPsec tunnel configured, you must run the following command to configure the algorithms:
      user@host# set system security ipsec <name> authentication-algorithm <algorithm>
      
      <algorithm> - hmac-sha-256-128, hmac-sha1-96
      
      user@host# set system security ipsec <name> encryption-algorithm <algorithm>
      
      <algorithm> - 3des-cbc, aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm

      Note: Use of AES-GCM is only FIPS-approved when it is configured for use in conjunction with IKEv2.

    Note: Run the show version command to check if the module is operating in FIPS-approved mode of operation. For example, run show system services ssh and show security ipsec to verify that only the FIPS-approved and FIPS-allowed algorithms are configured for SSH and IPsec as specified earlier in this section.

     

    Related Documentation

     

    Modified: 2016-08-28