Upgrading a JUNOS Software Router to JUNOS-FIPS

To upgrade a Juniper Networks router running JUNOS software to JUNOS-FIPS, perform the following tasks in the order listed:

• Install the router under normal operating procedures. For more information, see the JUNOS System Basics Configuration Guide.
• Download the correct JUNOS-FIPS software package from www.juniper.net.
• Connect locally to the active Routing Engine console port.
• Copy the JUNOS-FIPS software to both Routing Engines.
• Upgrade to JUNOS-FIPS using the request system software add reboot junos-juniper-7.2*-fips.tgz command. There is no “-signed” version of the JUNOS-FIPS software. All JUNOS-FIPS software is signed. The router reboots in JUNOS-FIPS and becomes a cryptographic module. For more details about adding system software, see the JUNOS System Basics Configuration Guide.
  • When upgrading from JUNOS Release 6.4, you should use the no-validate option on the JUNOS-FIPS software module. You can validate upgrades to JUNOS-FIPS from JUNOS Release 7.x. Upgrade to JUNOS-FIPS from JUNOS Release 6.4 using the request system software add reboot no-validate junos-juniper-7.2*-fips.tgz command.
• For hardware configurations with dual Routing Engines, configure a manual IPSec security association (SA) for Routing-Engine-to-Routing-Engine communication. You cannot use the commit sync command until you have established an IPSec SA on each Routing Engine.

  Note: Downgrading a JUNOS-FIPS cryptographic module to non-JUNOS-FIPS JUNOS software is not supported.

Attempts to install non-JUNOS-FIPS JUNOS software on a router running JUNOS-FIPS will generate the following error message:

Juniper Networks does not support downgrades to non-JUNOS-FIPS software packages, but this might be necessary in certain test environments. You can install non-JUNOS-FIPS JUNOS software from PC Card media.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.