Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

FIPS Mode Overview

 

Enable FIPS Mode

Federal Information Processing Standards (FIPS) are standards provided by the United Stated Federal government for the purpose of secure interoperability among computing systems. These standards include encryption and common codes for various types of information, such as emergencies in certain geographic locations.

Starting in release 5.0.3, JATP provides FIPS support, allowing JATP to operate in FIPS 140-2 level 1 compliant mode. From this release onward, JATP can operate in either FIPS or non-FIPS mode.

FIPS mode is enabled or disabled using the CLI. Before you enable FIPS mode, there are several points you should be aware of.

  • In clustered deployments, all systems must either be in FIPS mode or not in FIPS mode. This is due to differences in how the device keys are calculated between modes. The same restriction applies for MCM configurations.

  • Before enabling FIPS mode, please ensure that the Core/CM, secondary cores, collectors, and other JATP appliances have been successfully upgraded to release 5.0.3 or higher. Enabling FIPS mode will prevent non-FIPS appliances from communicating with, and upgrading from, the Core/CM appliance.

  • FIPS mode requires stronger encryption for passwords and keys than non-FIPS mode. Please note the following requirements:

    • Password length (both CLI and UI) must be between 10 to 20 characters long. Passwords cannot use common insecure entries as part of the password, such as “password” or “123456.” Passwords do not have any character uppercase, lowercase, or symbol requirements.

    • User-provided UI private keys must be RSA, 2048 bits or higher.

    • User-provided UI certificates cannot use the following certificate signature hash algorithms: md2, mdc2, ripemd, md4, md5

    • When FIPS mode is enabled, PKCS#12 bundles uploaded to the JATP Core/CM require strong encryption. PKCS#12 bundles with weak encryption cannot be decrypted and the keypair will not be applied to the UI. Use PBE-SHA1-3DES for the keypbe and certpbe arguments when creating PKCS#12 bundles with the 'openssl pkcs12' command. If the encryption is too weak, you may see the following error message: “Couldn't process SSL Certificate: Error: Failed to extract private key from PKCS#12 bundle.”

Note

If the above requirements are not met, when you run the command to enable FIPS, the output will indicate the issues you must correct.

Warning

For existing deployed appliances, you may be prompted to reset the UI and CLI passwords when putting the appliance into FIPS mode. This is because stored passwords are hashed, and it cannot be determined whether or not those passwords meet FIPS requirements.

Enable FIPS mode using the CLI in server mode as follows:

Note

If the current password does not meet the FIPS requirements stated above, you must change it before enabling FIPS mode.

Use the set fips command with following options to enable and disable FIPS:

Available options are:

level —Select FIPS 140-2 security level

off —Disable FIPS 140-2 settings

Level 1 is only valid entry at this time. For example, turn FIPS on with the following command:

Note

If all requirements are met and the command is successful, you are prompted to reboot the appliance. FIPS mode settings are applied after the reboot.

Turn FIPS off with the following command:

View FIPS settings with the following command:

View FIPS issues with the following command:

Reset Passwords and Keys

To reset your passwords and keys (in preparation for enabling FIPS mode or for any other reason):

Enter the reset command in server mode:

eng-dhcp(server)# reset

options are:

ui —Reset all UI settings and remove non-default UI users

passwords —Reset default CLI and UI passwords

keys —Regenerate internal keys and certificates

all —Reset passwords and keys

For example, reset passwords and keys with the following command:

eng-dhcp(server)# reset all

Example Output:

Note

The following prompts from the output above are only applicable for the Core/CM or All-in-one appliance. They are not shown for collectors and secondary cores.

Enter the new password of the Central Manager UI account:

Retype the new password of the Central Manager UI account: Password changed successfully!

This will remove all user configurations and UI users, except for the default admin user.

Proceed? (Yes/No)? Yes