How to Enable and Configure Junos OS in FIPS Mode—Overview
You, as Crypto Officer, can enable and configure Junos OS in FIPS mode on your EX Series switch.
Before you begin enabling and configuring FIPS mode on the switch:
Verify the secure delivery of your switch. See Verifying Secure Delivery of the Product.
To enable and configure Junos OS in FIPS mode, perform the following tasks. Follow the links for instructions.
- Install the Junos OS Release 17.4R1-S4 image, if you have not already done so. See Downloading and Installing Junos Software Packages (FIPS Mode).
- Disable non-CLI user interfaces. .
- Erase old passwords and rollback configurations and otherwise zeroize the system. See Zeroizing the System (FIPS Mode).
- Establish root password access according to FIPS guidelines. See Establishing Root Password Access (FIPS Mode).
- Enable FIPS mode, and commit. See Enabling a Switch to FIPS Mode.
On switches with multiple Routing Engines, ensure that you always use the commit synchronize command to commit configuration changes.
- Configure local login authentication for Crypto Officer access and other FIPS users. See Configuring Crypto Officer and FIPS User Identification and Access.
- Configure the console port to log out automatically when you unplug the cable and require the root password for single-user mode. See Configuring the Console Port for FIPS Mode.
- Configure FIPS logging to record events. See Configuring Event Logging for Junos OS in FIPS Mode.
After you as the Crypto Officer complete Junos OS in FIPS mode configuration, you can connect the switch to the network and proceed with normal configuration.
After you enable FIPS mode, few MACsec ports become unreachable. The affected MACsec ports are 0, 8, 16 (for 24-port model), 0, 4, 8, 12, 16, 20, 24, 28 (for 32-port model), and 0, 8, 16, 24, 32, 40 (for 48-port model). To recover these ports, restart the Packet Forwarding Engine using the following VTY command: