Enabling FIPS Mode
FIPS mode is not automatically enabled when you install Junos OS on the switch.
As Crypto Officer, you must explicitly enable FIPS mode on the switch by setting the FIPS level to 1 (one), the FIPS 140-2 level at which EX Series switches are certified. A switch on which FIPS mode is not enabled has a FIPS level of 0 (zero).
To transition to FIPS mode, passwords must be encrypted with a FIPS-compliant hash algorithm. The encryption format must be SHA-256 or SHA-512. Passwords that do not meet this requirement, such as passwords that are hashed with MD5, must be reconfigured or removed from the configuration before FIPS mode can be enabled.
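The hash requirement above is easy to check before attempting the commit. The following is an added pre-flight checker (not Juniper code) that scans a Junos configuration for encrypted-password statements and flags any whose crypt prefix is not SHA-256 ($5$) or SHA-512 ($6$); the sample configuration and its hash values are constructed placeholders.

```python
import re

# crypt(3)-style hash identifiers as they appear in Junos configurations
HASH_ID = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
FIPS_COMPLIANT = {"SHA-256", "SHA-512"}

# Matches encrypted-password in both hierarchical and "set" configuration forms
_PW_RE = re.compile(r'encrypted-password\s+"?(\$\d\$[^"\s;]+)"?')


def hash_algorithm(hashed: str) -> str:
    """Return the algorithm name for a crypt-style hash, or 'unknown'."""
    return HASH_ID.get(hashed[:3], "unknown")


def find_noncompliant_passwords(config_text: str) -> list:
    """Return (line_number, algorithm) for every encrypted-password that is
    not SHA-256/SHA-512 and would therefore block 'set system fips level 1'."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _PW_RE.search(line)
        if not m:
            continue
        algo = hash_algorithm(m.group(1))
        if algo not in FIPS_COMPLIANT:
            findings.append((lineno, algo))
    return findings


# Constructed sample configuration; the hash bodies are placeholders, not real secrets.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$6$abcdefgh$PLACEHOLDERSHA512HASH"; ## SECRET-DATA
    }
    login {
        user crypto-officer {
            class super-user;
            authentication {
                encrypted-password "$1$abcdefgh$PLACEHOLDERMD5HASH"; ## SECRET-DATA
            }
        }
    }
}
"""

if __name__ == "__main__":
    for lineno, algo in find_noncompliant_passwords(SAMPLE_CONFIG):
        print(f"line {lineno}: {algo} hash is not FIPS compliant; reconfigure before enabling FIPS mode")
```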
- Zeroize the switch to delete all CSPs before entering FIPS mode. See Understanding Zeroization to Clear System Data for FIPS Mode.
- After the switch comes up in Amnesiac mode, login using username root and password (blank).
    login: root
    Password:
    --- JUNOS 19.4R1.1 Kernel 64-bit JNPR-11.0-20191115.14c2ad5_buil
    root@:~ # cli
    root>
- Configure root authentication with a password of at least 10 characters.
    root@switch> edit
    Entering configuration mode
    root@switch# set system root-authentication plain-text-password
    New password:
    Retype new password:
    root@switch# commit
    configuration check succeeds
    commit complete
- Load configuration onto switch and commit new configuration.
- Configure Crypto Officer and login with Crypto Officer credentials.
- Configure the chassis boundary for FIPS by running the set system fips level 1 command followed by the commit command.
The device might display the following warning, indicating that older CSPs in the loaded configuration must be deleted:
    Encrypted-password must be re-configured to use FIPS compliant hash
- After deleting and reconfiguring the CSPs, the commit succeeds and the switch needs a reboot to enter FIPS mode.
    crypto-officer@switch# commit
    configuration check succeeds
    'system' warning: reboot is required to transition to FIPS level 1
    commit complete
    crypto-officer@switch# run request system reboot
- After the switch reboots, the FIPS self-tests run and the switch enters FIPS mode. The prompt now shows the fips indicator:
    crypto-officer@switch:fips>
Use the “local” keyword with operational commands in FIPS mode, for example show version local and show system uptime local.