Configuring Crypto Officer and FIPS User Identification and Access
The Crypto Officer performs all configuration tasks for Junos OS in FIPS mode and issues all Junos OS in FIPS mode statements and commands. Crypto Officer and FIPS user configurations must follow the Junos OS in FIPS mode guidelines.
Configuring Crypto Officer Login Access
Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.
For FIPS 140-2 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Crypto Officer. In most cases the super-user class suffices for the Crypto Officer.
To configure login access for a Crypto Officer:
- Log in to the switch with the root password if you have not already done so, and enter configuration mode:
    root@switch> configure
    Entering configuration mode
    [edit]
    root@switch#
- Name the user “crypto-officer” and assign the Crypto Officer a user ID (for example, 6400) and a class (for example, super-user). When you assign the class, you assign the permissions, for example, secret, security, maintenance, and control. For a list of permissions, see Understanding Junos OS Access Privilege Levels.
    [edit]
    root@switch# set system login user crypto-officer uid 6400 class super-user
- Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode, assign the Crypto Officer a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
    [edit]
    root@switch# set system login user crypto-officer class super-user authentication plain-text-password
- Optionally, display the configuration:
    [edit]
    root@switch# edit system
    [edit system]
    root@switch# show
    login {
        user crypto-officer {
            uid 6400;
            authentication {
                encrypted-password "<cipher-text>"; ## SECRET-DATA
            }
            class super-user;
        }
    }
- If you are finished configuring the switch, commit the configuration and exit:
    [edit]
    root@switch# commit
    commit complete
    root@switch# exit
    root@switch> exit
  Otherwise, go on to Configuring FIPS User Login Access.
Configuring FIPS User Login Access
A fips-user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set.
As the Crypto Officer, you set up FIPS users.
To configure login access for a FIPS user:
- Log in to the switch with your Crypto Officer password if you have not already done so, and enter configuration mode:
    crypto-officer@switch:fips> configure
    Entering configuration mode
    [edit]
    crypto-officer@switch:fips#
- Give the user a username, and assign the FIPS user a user ID (for example, 6401) and a class (for example, read-only). For a list of permissions, see Understanding Junos OS Access Privilege Levels.
    [edit]
    crypto-officer@switch:fips# set system login user fips-user1 uid 6401 class read-only
- Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode, assign the FIPS user a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
    [edit]
    crypto-officer@switch:fips# set system login user fips-user1 class read-only authentication plain-text-password
- Optionally, display the configuration:
    [edit]
    crypto-officer@switch:fips# edit system
    [edit system]
    crypto-officer@switch:fips# show
    login {
        user fips-user1 {
            uid 6401;
            authentication {
                encrypted-password "<cipher-text>"; ## SECRET-DATA
            }
            class read-only;
        }
    }
- If you are finished configuring the switch, commit the configuration and exit:
    [edit]
    crypto-officer@switch:fips# commit
    commit complete
    crypto-officer@switch:fips# exit
    crypto-officer@switch:fips> exit
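As an added example (not Juniper's code and not part of this page), the following Python script applies the Crypto Officer definition above to `set system login` commands like those in both procedures and reports which users hold Crypto Officer rights by their permission bits rather than by their names. The permission sets of the predefined classes are assumed from Junos documentation, and the `fips-audit` class and `auditor` user are constructed for the sample.

```python
import shlex

# Permission bits of the Junos predefined login classes (assumed from Junos
# documentation, not this page). Custom classes list their bits explicitly.
PREDEFINED_CLASSES = {"super-user": {"all"}, "read-only": {"view"},
                      "operator": {"clear", "network", "reset", "trace", "view"}}
# A user holding all four of these bits is a Crypto Officer under FIPS 140-2.
CRYPTO_OFFICER_BITS = {"secret", "security", "maintenance", "control"}

def parse_set_commands(commands):
    """Collect {user: class} and {custom class: bits} from 'set system login'
    commands, in the combined form used on this page or one statement per line."""
    users, classes = {}, {}
    for cmd in commands:
        tok = shlex.split(cmd)
        if tok[:3] != ["set", "system", "login"] or len(tok) < 5:
            continue
        kind, name, rest = tok[3], tok[4], tok[5:]
        if kind == "user":  # e.g. '... user fips-user1 uid 6401 class read-only'
            for key, value in zip(rest, rest[1:]):
                if key == "class":
                    users[name] = value
        elif kind == "class" and rest[:1] == ["permissions"]:
            bits = (t.strip("[]") for t in rest[1:])  # accept '[ a b ]' or 'a'
            classes.setdefault(name, set()).update(b for b in bits if b)
    return users, classes

def classify_users(commands):
    """Map each user to 'crypto-officer' or 'fips-user' by its bits, not its name."""
    users, classes = parse_set_commands(commands)
    roles = {}
    for name, cls in users.items():
        perms = classes.get(cls) or PREDEFINED_CLASSES.get(cls, set())
        is_co = "all" in perms or CRYPTO_OFFICER_BITS <= perms
        roles[name] = "crypto-officer" if is_co else "fips-user"
    return roles

# Constructed sample: the two users from this page plus a custom class whose
# bits make its member a Crypto Officer despite the unassuming name.
SAMPLE_COMMANDS = [
    "set system login user crypto-officer uid 6400 class super-user",
    'set system login user crypto-officer authentication encrypted-password "<cipher-text>"',
    "set system login user fips-user1 uid 6401 class read-only",
    "set system login class fips-audit permissions [ view secret security maintenance control ]",
    "set system login user auditor uid 6402 class fips-audit",
]

if __name__ == "__main__":
    for user, role in sorted(classify_users(SAMPLE_COMMANDS).items()):
        print(f"{user}: {role}")
```

Feed it the output of `show configuration system login | display set` to audit a live switch; any user the script reports as a Crypto Officer must be one you intended to grant those bits.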