Enabling FIPS Mode on the NFX250 Device
FIPS mode is not automatically enabled when you install Junos OS on the NFX250 device.
As Crypto Officer, you must explicitly transition the device from non-FIPS mode to the FIPS mode for which the NFX250 Network Services Platform is certified.
To transition to FIPS mode, passwords must be encrypted with a FIPS-compliant hash algorithm. The encryption format must be SHA-1 or higher. Passwords that do not meet this requirement, such as passwords that are hashed with MD5, must be reconfigured or removed from the configuration before FIPS mode can be enabled.
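A pre-check for the password requirement above, as an added example that is not Juniper's code: it scans an exported configuration for encrypted-password statements and reports every hash that is not SHA-1 or higher. The prefix-to-algorithm mapping ($1$ for MD5, $sha1$, $5$, $6$) is an assumption about how the hashes appear in the configuration, and the sample configuration is constructed.

```python
import re

# Assumption: crypt-style prefixes on Junos encrypted-password values.
SCHEMES = {"1": "md5", "sha1": "sha1", "5": "sha256", "6": "sha512"}
FIPS_OK = {"sha1", "sha256", "sha512"}  # "SHA-1 or higher"

# Matches set-format and hierarchical encrypted-password statements.
PW_RE = re.compile(r'^(?P<ctx>.*?)\bencrypted-password\s+"?(?P<hash>[^";\s]+)"?')

# Constructed sample configuration; the hash bodies are placeholders.
SAMPLE = '''\
set system root-authentication encrypted-password "$6$CONSTRUCTED$placeholder"
set system login user ops authentication encrypted-password "$1$CONSTRUCTED$placeholder"
set system login user sec authentication encrypted-password "$sha1$20000$CONSTRUCTED$placeholder"
set system login user old authentication encrypted-password "placeholderNoPrefix"
'''

def classify(hash_value):
    """Return the hash scheme name, or 'unknown' if the prefix is not recognised."""
    m = re.match(r"\$([A-Za-z0-9]+)\$", hash_value)
    return SCHEMES.get(m.group(1), "unknown") if m else "unknown"

def audit(config_text):
    """List (line number, scheme, statement context) for non-compliant hashes."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = PW_RE.search(line)
        if m:
            scheme = classify(m.group("hash"))
            if scheme not in FIPS_OK:
                findings.append((lineno, scheme, m.group("ctx").strip()))
    return findings

if __name__ == "__main__":
    for lineno, scheme, ctx in audit(SAMPLE):
        print(f"line {lineno}: {scheme} hash under '{ctx}': reconfigure or remove")
```

Hashes with an unrecognised prefix are reported as unknown so that they are reviewed by hand rather than silently passed.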
To enable FIPS mode in Junos OS on the device:
- Log in to JDM from the NFX250 device.
  root@jdm> ssh jdm-sysuser@vjunos0
  --- JUNOS 17.3R2.10 Kernel 64-bit JNPR-10.3-20180204.bcafb2a_buil
- Add the FIPS package on the device.
  jdm-sysuser> request system software add optional://fips-mode.tgz
  Verified fips-mode signed by PackageProductionEc_2018 method ECDSA256+SHA256
- Establish root password access according to FIPS guidelines. See Establishing Root Password Access (FIPS Mode).
- Initiate the zeroize operation to change Junos OS to FIPS mode.
  root@jdm> request system zeroize to-fips
  warning: System will be rebooted and current installation will be zeroized.
  warning: This will stop all VNFs and remove all VNF images and data.
  warning: All user configuration (except vjunos0) and data shall be deleted.
  Reboot system to switch device to FIPS mode? [yes,no] (no) yes
  Staging zeroize (to_fips) operation ...
  System should be kept powered on until operation completes.
The configuration statement set system fips level 1 is automatically configured when the FIPS transition is completed.