How to Enable and Configure Junos OS in FIPS Mode of Operation
You, as Cryptographic Officer, can enable and configure Junos OS in FIPS mode of operation on your device. Before you begin enabling and configuring FIPS mode of operation on the device:
- Verify the secure delivery of your device. See Identifying Secure Delivery.
- Apply tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable the Junos OS in FIPS mode of operation, perform the following steps:
- Enable the FIPS mode on the device.
user@host> set system fips level 2
- Commit and reboot the device.
user@host> commit
- Run integrity and self-tests on powering on the device when the module is operating in FIPS mode.
- Check the FIPS level on the SPU.
user@host> SPC4_PIC0% /sbin/fips-mode -v
2 - Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.
To configure the Junos OS in FIPS mode of operation, perform the following steps:
- Configure SSH to use FIPS-approved and FIPS allowed algorithms,
using the following commands:
user@host# set system services ssh hostkey-algorithm ssh-ecdsa user@host# commit
Note: The cryptographic module always enables the following algorithms for SSH: ecdh-sha2-nistp256, ecdh-sha2-nistp384, hmac-sha1, and 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr.
- The Cryptographic Officer can change the preference of
SSH key exchange and cipher algorithms using the following commands:
user@host# set system services ssh key-exchange <algorithm> <algorithm> - ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group14-sha1 user@host# set system services ssh ciphers <alogrithm> <algorithm> - 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr
Note: These algorithms are always proposed during SSH session negotiation. Explicitly specifying an algorithm moves the algorithm up in the list of proposed algorithms during the SSH session establishment.
- The Cryptographic Officer can change the preference of
SSH MAC algorithms or enable additional approved algorithms using
the following command:
user@host# set system services ssh macs <algorithm> <algorithm> - hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com user@host# set system services ssh ciphers <alogrithm> <algorithm> 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr
Note: hmac-sha1 is always proposed during SSH session negotiation. Explicitly specifying either algorithm moves it up in the list of proposed algorithms during the SSH session establishment. Specifying any other MAC algorithm adds it to the list of algorithms proposed.
- For each IPsec tunnel configured, you must run the following
command to configure the algorithms:
user@host# set security ipsec authentication-algorithm <algorithm> - hmac-sha-256-128, hmac-sha1-96 user@host# set security ipsec encryption-algorithm <algorithm> - 3des-cbc, aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm
Note: Use of AES-GCM is only FIPS-approved when it is configured for use along with IKEv2 and use of AES-GCM is allowed in phase-2 when it is configured for use along with IKEv1.
| Note: Run the show version command to check if the module is operating in FIPS mode of operation. For example, run show system services ssh and show security ipsec to verify that only the FIPS-approved and FIPS-allowed algorithms are configured for SSH and IPsec as specified earlier in this section. |
