Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Enabling a Switch to FIPS Mode

 

FIPS mode is not automatically enabled when you install Junos OS on the switch.

As Crypto Officer, you must explicitly enable FIPS mode on the switch by setting the FIPS level to 1 (one), the FIPS 140-2 level at which EX Series switches switches are certified. A switch on which FIPS mode is not enabled has a FIPS level of 0 (zero).

Note

To transition to FIPS mode, passwords must be encrypted with a FIPS-compliant hash algorithm. The encryption format must be SHA-256 or SHA-512. Passwords that do not meet this requirement, such as passwords that are hashed with MD5, must be reconfigured or removed from the configuration before FIPS mode can be enabled.

  1. Zeroize the switch to delete all CSPs before entering FIPS mode.
  2. After the switch comes up in Amnesiac mode, login using username root and password (blank).
  3. Configure root authentication with password at least 10 characters or more.
  4. Load configuration onto switch and commit new configuration.
  5. Configure Crypto Officer and login with Crypto Officer credentials.
  6. Configure chassis boundary fips by running the set system fips level 1 command followed by the commit command.Note

    The device might display the following warning to delete older CSPs in loaded configuration- Encrypted-password must be re-configured to use FIPS compliant hash

  7. After deleting and reconfiguring the CSPs, commit is scucessfull and the switch needs reboot to enter FIPS mode.
  8. After rebooting the switch, FIPS self-tests will run and switch enters FIPS mode.
Note

Use “local” keyword for operational commands in FIPS mode. For example, show version local, and show system uptime local.

Related Documentation