Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that a router or switch running the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-2 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the router or switch performs the following series of known answer test (KAT) self-tests:
kernel_kats—KAT for kernel cryptographic routines
md_kats—KAT for libmd and libc
openssl_kats—KAT for OpenSSL cryptographic implementation
quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation
ssh_ipsec_kats—KAT for SSH IPsec Toolkit cryptographic implementation
The KAT self-tests are performed automatically at startup. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA key pairs, and manually entered keys.
If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.
If the router or switch fails a KAT, it writes the details to a system log file, enters FIPS error state (panic), and reboots the router or switch.
The file show /var/log/messages command displays the system log.