Enabling FIPS Mode
When Junos OS is installed on a router and the router is powered on, it is ready to be configured. Initially, you log in as the user root with no password. When you log in as root, your SSH connection is enabled by default.
As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS mode in Junos OS on the router, you cannot configure passwords unless they meet this standard.
Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
To enable FIPS mode in Junos OS on the device:

- Zeroize the device to delete all CSPs before entering FIPS mode. See Understanding Zeroization to Clear System Data for FIPS Mode for details.

- After the device comes up in Amnesiac mode, log in using the username root and a blank password.

    FreeBSD/amd64 (Amnesiac) (ttyu0)

    login: root

    --- JUNOS 18.1-20180131.0 Kernel 64-bit JNPR-11.0-20180123.155949_fbsd-
    root@:~ # cli
    root>

- Configure root authentication.

    root> edit
    Entering configuration mode
    [edit]
    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    [edit]
    root# commit
    commit complete

- Load the configuration onto the device and commit the new configuration.

- Install the fips-mode package needed for Routing Engine KATS.

    root@hostname> request system software add optional://fips-mode.tgz
    Verified fips-mode signed by PackageDevelopmentEc_2017 method ECDSA256+SHA256

- For KATS to run on NG-MPC flavor line cards that hold MIC-MACSEC-20G, enable the set chassis images fpc slot slot-number command "boot -K 1 1 -X 0 1" command.

    root@hostname# set chassis images fpc slot 1 command "boot -K 1 1 -X 0 1"

  Enter the slot number of the chassis slot in which the NG-MPC is inserted. This command is mandatory before you start any operations. Once you configure this command, logs showing that the KATS passed are displayed after the router reboots, the line card restarts, and on a MIC offline-online event.

- For MX Series devices, configure the chassis boundary FIPS by setting set system fips chassis level 1 and commit.

  For EX and MX devices, configure FIPS by setting set system fips level 1 and commit.

  The device might display the warning "Encrypted-password must be re-configured to use FIPS compliant hash", which requires you to delete the older CSPs in the loaded configuration.

- After deleting and reconfiguring the CSPs, the commit goes through and the device needs a reboot to enter FIPS mode.

    [edit]
    root@hostname# commit
    Generating RSA key /etc/ssh/fips_ssh_host_key
    Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
    Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
    [edit]
    system reboot is required to transition to FIPS level 1
    commit complete

- After rebooting the device, the FIPS self-tests run and the device enters FIPS mode.

    root@hostname:fips>
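As an added example that is not part of the Juniper documentation, the following Python check pre-audits a saved Junos configuration for encrypted-password statements whose crypt(3) prefix is not SHA-256 ($5$) or SHA-512 ($6$), so the CSPs that would trigger the "Encrypted-password must be re-configured to use FIPS compliant hash" warning can be found before the commit. The configuration text is constructed for this example; the $1$ = MD5 mapping is the standard crypt(3) convention, and the script does not talk to a device.

```python
import re

# Constructed sample Junos configuration fragment (not from a real device).
# The hash bodies are placeholders; only the crypt(3) prefix matters here.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$1$abcdefgh$XXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
    }
    login {
        user admin {
            authentication {
                encrypted-password "$6$saltsalt$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"; ## SECRET-DATA
            }
        }
        user ops {
            authentication {
                encrypted-password "$5$saltsalt$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"; ## SECRET-DATA
            }
        }
    }
}
"""

# crypt(3) prefixes accepted in FIPS mode per the text above (SHA-256 / SHA-512).
FIPS_HASH_PREFIXES = {"$5$": "SHA-256", "$6$": "SHA-512"}
# Legacy prefix that must be re-hashed before the FIPS commit succeeds.
LEGACY_HASH_PREFIXES = {"$1$": "MD5"}

ENCRYPTED_PASSWORD_RE = re.compile(r'encrypted-password\s+"([^"]+)"')


def audit_encrypted_passwords(config_text):
    """Return (line_number, prefix, algorithm, compliant) for every
    encrypted-password statement found in the configuration text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = ENCRYPTED_PASSWORD_RE.search(line)
        if not match:
            continue
        prefix = match.group(1)[:3]
        if prefix in FIPS_HASH_PREFIXES:
            findings.append((lineno, prefix, FIPS_HASH_PREFIXES[prefix], True))
        else:
            algo = LEGACY_HASH_PREFIXES.get(prefix, "unknown")
            findings.append((lineno, prefix, algo, False))
    return findings


def noncompliant_lines(config_text):
    """Line numbers whose hash must be reconfigured before enabling FIPS mode."""
    return [f[0] for f in audit_encrypted_passwords(config_text) if not f[3]]
```

Run it against `show configuration | display set` or a saved candidate file before step "set system fips level 1"; each reported line is a CSP to reset with plain-text-password first.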
Related Documentation
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode
For more information about the root password and root logins, see the Junos OS System Basics Configuration Guide.