Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring FIPS Self-Tests


This example shows how to configure FIPS self-tests to run periodically.

Hardware and Software Requirements

  • You must have administrative privileges to configure FIPS self-tests.

  • The device must be running the evaluated version of Junos OS in FIPS mode software.


The FIPS self-test consists of the following suites of known answer tests (KATs):

  • kernel_kats—KAT for kernel cryptographic routines

  • md_kats—KAT for libmd and libc

  • openssl_kats—KAT for OpenSSL cryptographic implementation

In this example, the FIPS self-test is executed at 9:00 AM in New York City, USA, every Wednesday.


Instead of weekly tests, you can configure monthly tests by including the month and day-of-month statements.

When a KAT self-test fails, a log message is written to the system log messages file with details of the test failure. Then the system panics and reboots.


CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

To configure the FIPS self-test and login to the device with crypto officer credentials:

  1. Configure the FIPS self-test to execute at 9:00 AM every Wednesday.
  2. If you are done configuring the device, commit the configuration.


From configuration mode, confirm your configuration by issuing the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.


Confirm that the configuration is working properly.

Verifying the FIPS Self-Test


Verify that the FIPS self-test is enabled.


Run the FIPS self-test manually by issuing the request system fips self-test command or by rebooting the device.

After issuing the request system fips self-test command or after rebooting the device, the system log file is updated to display the KATs that are executed. To view the system log file, issue the file show /var/log/messages command.

Cannot-exec is an unsigned package and /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error is an expected message when the device in FIPS mode tries to install this unsigned package as part of FIPS self-tests.

For MX204 and EX9251 devices :