Enabling FIPS Mode
As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.
Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
To enable FIPS mode in Junos OS on the device:
- Zeroize the device to delete all CSPs before entering FIPS mode. Refer to the Understanding Zeroization to Clear System Data for FIPS Mode section for details.
- After the device comes up in 'Amnesiac mode', log in using username root and password "" (blank).

    FreeBSD/amd64 (Amnesiac) (ttyu0)

    login: root

    --- JUNOS 19.3R1.8 Kernel 64-bit JNPR-11.0-20190701.269d466_buil
    root@:~ # cli

- Configure root authentication with a password of at least 10 characters.

    root> edit
    Entering configuration mode
    root# set system root-authentication plain-text-password
    Retype new password:

- Configure the Crypto Officer and log in with the Crypto Officer credentials.
- Load the configuration onto the device and commit the new configuration.
- The fips-mode and jpfe-fips optional packages are needed for enabling FIPS. These packages are part of the Junos OS software. To enable these packages, use the following commands:

    crypto-officer@hostname> request system software add optional://fips-mode
    Verified fips-mode signed by PackageDevelopmentEc_2019 method ECDSA256+SHA256
    crypto-officer@hostname> request system software add optional://jpfe-fips
    Verified jpfe-fips signed by PackageDevelopmentEc_2019 method ECDSA256+SHA256

- Configure the chassis FIPS boundary with the set system fips chassis level 1 command and commit.
- After the CSPs have been deleted and reconfigured, the commit goes through and the device needs a reboot to enter FIPS mode.

    crypto-officer@hostname# commit
    Generating RSA key /etc/ssh/fips_ssh_host_key
    Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
    Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
    reboot is required to transition to FIPS level 1
    commit complete
    crypto-officer@hostname# run request vmhost reboot

- After the device reboots, the FIPS self-tests run and the device enters FIPS mode.

    crypto-officer@hostname:fips>
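When this procedure is run as part of a build or audit pipeline, the operator usually keeps the CLI transcript as evidence that each step produced the output shown above. The following is an added example (not Juniper code and not part of the original page) that checks a captured transcript for exactly that evidence: both optional packages reported as signed with ECDSA256+SHA256, the three FIPS SSH host keys generated at commit, the reboot notice, the reboot being issued, and the final `:fips>` prompt. The transcript embedded in the script is constructed from the output lines on this page; the password check enforces only the 10-character floor the procedure states, since the full password rules live in the referenced guidelines document.

```python
"""Verify a Junos FIPS-enable transcript against the evidence the procedure expects.

Added example, not Juniper's code. SAMPLE_TRANSCRIPT is CONSTRUCTED from the
output lines shown in the procedure; the checks look only for strings that
the procedure itself shows.
"""
import re

MIN_ROOT_PASSWORD_LEN = 10  # the length floor the procedure states

# Constructed from the page's own output; a real run would read the saved session log.
SAMPLE_TRANSCRIPT = """\
crypto-officer@hostname> request system software add optional://fips-mode
Verified fips-mode signed by PackageDevelopmentEc_2019 method ECDSA256+SHA256
crypto-officer@hostname> request system software add optional://jpfe-fips
Verified jpfe-fips signed by PackageDevelopmentEc_2019 method ECDSA256+SHA256
crypto-officer@hostname# commit
Generating RSA key /etc/ssh/fips_ssh_host_key
Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
reboot is required to transition to FIPS level 1
commit complete
crypto-officer@hostname# run request vmhost reboot
crypto-officer@hostname:fips>
"""

REQUIRED_PACKAGES = ("fips-mode", "jpfe-fips")
REQUIRED_SIGNING_METHOD = "ECDSA256+SHA256"
REQUIRED_HOST_KEYS = (
    "/etc/ssh/fips_ssh_host_key",
    "/etc/ssh/fips_ssh_host_rsa_key",
    "/etc/ssh/fips_ssh_host_ecdsa_key",
)

# "Verified <pkg> signed by <signer> method <method>"
VERIFIED_RE = re.compile(r"^Verified (\S+) signed by (\S+) method (\S+)$", re.M)
# "Generating <type> key <path>"
GENERATING_RE = re.compile(r"^Generating (\S+) key (\S+)$", re.M)
# Operational-mode prompt carrying the ':fips' marker, e.g. crypto-officer@hostname:fips>
FIPS_PROMPT_RE = re.compile(r"^\S+@\S+:fips>", re.M)


def root_password_meets_length(password: str) -> bool:
    """Length floor only; the remaining FIPS password rules are in the referenced guide."""
    return len(password) >= MIN_ROOT_PASSWORD_LEN


def verified_packages(transcript: str) -> dict:
    """Map package name -> signing method for every 'Verified ... signed by' line."""
    return {m.group(1): m.group(3) for m in VERIFIED_RE.finditer(transcript)}


def generated_host_keys(transcript: str) -> set:
    """Paths of the SSH host keys the commit reported generating."""
    return {m.group(2) for m in GENERATING_RE.finditer(transcript)}


def check_fips_transition(transcript: str) -> dict:
    """Return step -> bool for the evidence each step of the procedure leaves in the transcript."""
    pkgs = verified_packages(transcript)
    keys = generated_host_keys(transcript)
    return {
        "optional_packages_verified": all(
            pkgs.get(p) == REQUIRED_SIGNING_METHOD for p in REQUIRED_PACKAGES
        ),
        "fips_host_keys_generated": set(REQUIRED_HOST_KEYS) <= keys,
        "reboot_required_seen": "reboot is required to transition to FIPS level 1" in transcript,
        "commit_complete": "commit complete" in transcript,
        "reboot_issued": "request vmhost reboot" in transcript,
        "fips_prompt_seen": FIPS_PROMPT_RE.search(transcript) is not None,
    }


def transition_ok(transcript: str) -> bool:
    """True only when every expected piece of evidence is present."""
    return all(check_fips_transition(transcript).values())


if __name__ == "__main__":
    for step, ok in check_fips_transition(SAMPLE_TRANSCRIPT).items():
        print(f"{'OK     ' if ok else 'MISSING'} {step}")
```

A transcript that lacks any one line, for example because one optional package failed signature verification or the commit did not regenerate all three host keys, fails the corresponding check, which is the point: the `:fips>` prompt alone does not prove the earlier steps completed as shown.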