When Junos OS is installed on a router and the router is powered on, it is ready to be
configured. Initially, you log in as the user root with no password; SSH access for the
root account is enabled by default.
As the Crypto Officer, you must set a root password that conforms to the FIPS password
requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. Once
FIPS mode is enabled on the device, a password that does not meet those requirements
cannot be configured.
Local passwords are stored as SHA-256 or SHA-512 hashes. Password recovery is not
possible in Junos OS in FIPS mode: the device cannot boot into single-user mode without
the correct root password, so a lost root password cannot be reset from the console.
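The password minimum and the SHA-512 hashing described above, as an added worked example (this is not Juniper's code and does not appear on the original page): the script checks a candidate root password against the 10-character minimum used in the procedure below and pre-computes a SHA-512 crypt hash of it, so the root password can be carried in a prepared configuration instead of being typed at the plain-text-password prompt. The sha-crypt algorithm (the $6$ format, 5000 rounds by default, crypt-style base64 alphabet) is the public one implemented by glibc and FreeBSD crypt(3) and is reproduced here in full. Two things are assumptions rather than facts from this page: that the target Junos release accepts such a $6$ string in `set system root-authentication encrypted-password`, and that length is the only rule worth enforcing offline (the complete rule set lives in the password guidelines document referenced above and is not reproduced). The helper names `check_fips_password`, `sha512_crypt` and `junos_root_authentication` are this example's own.

```python
"""Pre-compute a SHA-512 crypt ($6$) hash for a Junos root password.

Added example, not Juniper code. Assumptions: Junos accepts $6$-format
hashes for 'encrypted-password', and the only rule checked here is the
10-character minimum; the full FIPS password rule set lives in the
guidelines document referenced on the page and is not reproduced.
"""
import hashlib
import os

# crypt(3) base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
FIPS_MIN_PASSWORD_LEN = 10      # minimum length used in the procedure
DEFAULT_ROUNDS = 5000           # sha-crypt default; omitted from the string


def check_fips_password(password: str) -> None:
    """Reject a password shorter than the FIPS-mode minimum before hashing."""
    if len(password) < FIPS_MIN_PASSWORD_LEN:
        raise ValueError(
            f"password must be at least {FIPS_MIN_PASSWORD_LEN} characters")


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n crypt-base64 characters from a 24-bit group, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(chars)


def _fill(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest to exactly `length` bytes (the P and S bytes)."""
    return digest * (length // 64) + digest[: length % 64]


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """sha-crypt as specified by Drepper; matches glibc/FreeBSD crypt(3)."""
    if not 1000 <= rounds <= 999_999_999:
        raise ValueError("rounds must be between 1000 and 999999999")
    salt = salt[:16]                 # crypt(3) truncates the salt to 16 chars
    pw, sb = password.encode(), salt.encode()
    # Digest B = H(pw || salt || pw); digest A = H(pw || salt || mix of B/pw)
    b = hashlib.sha512(pw + sb + pw).digest()
    a_ctx = hashlib.sha512(pw + sb)
    cnt = len(pw)
    while cnt > 64:
        a_ctx.update(b)
        cnt -= 64
    a_ctx.update(b[:cnt])
    cnt = len(pw)
    while cnt > 0:
        a_ctx.update(b if cnt & 1 else pw)
        cnt >>= 1
    a = a_ctx.digest()
    # P and S bytes: password and salt stretched through one more hash each
    p = _fill(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _fill(hashlib.sha512(sb * (16 + a[0])).digest(), len(sb))
    # Iterated rounds; which inputs are fed depends on the round counter
    for i in range(rounds):
        c = hashlib.sha512()
        c.update(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    # The 64 result bytes are emitted in the spec's fixed interleaving, 3 at a time
    encoded = []
    for k in range(21):
        idx = [k, k + 21, k + 42]
        r = k % 3
        idx = idx[r:] + idx[:r]
        encoded.append(_b64_24bit(a[idx[0]], a[idx[1]], a[idx[2]], 4))
    encoded.append(_b64_24bit(0, 0, a[63], 2))
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return prefix + salt + "$" + "".join(encoded)


def junos_root_authentication(password: str, salt: str = "") -> str:
    """Return the CLI statement that loads the hashed root password.

    The statement is a real Junos command; that an off-box $6$ hash is
    accepted by it is an assumption to verify on the target release.
    """
    check_fips_password(password)
    if not salt:
        # fresh 16-character salt from the OS CSPRNG
        salt = "".join(ITOA64[byte % 64] for byte in os.urandom(16))
    return ('set system root-authentication encrypted-password '
            f'"{sha512_crypt(password, salt)}"')


if __name__ == "__main__":
    # Spec test vector, then a fresh hash with a random salt
    print(sha512_crypt("Hello world!", "saltstring"))
    print(junos_root_authentication("Hello world!"))
```

`sha512_crypt("Hello world!", "saltstring")` reproduces the vector published with the sha-crypt specification, which is the quickest way to confirm the permutation and round logic were not mistyped; never reuse that fixed salt for a real password. The definitive check is on the router: load the emitted statement, commit, and log in as root with the password. If the login fails, the release does not accept the hash format and the password must be set with plain-text-password instead.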
To enable FIPS mode in Junos OS on the device:
- Zeroize the device to delete all critical security parameters (CSPs) before entering FIPS mode. See Understanding Zeroization to Clear System Data for FIPS Mode for
details.
- After the device comes up in Amnesiac mode, log in with the username root and a blank password:

    FreeBSD/amd64 (Amnesiac) (ttyu0)
    login: root
    --- JUNOS 19.1R3-S7.2 Kernel 64-bit JNPR-11.0-20190926.ca2fd68_buil
    root@:~ #
- Configure root authentication with a password of at least 10 characters:

    root> edit
    Entering configuration mode
    [edit]
    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    [edit]
    root# commit
    commit complete
- Load the configuration onto the device and commit the new configuration.
- Install the fips-mode package required for the Routing Engine known answer tests (KATs). Before continuing, confirm that the installer reports both the package and its manifest as Verified and signed by a Juniper production key:

    root@hostname> request system software add jpfe-fips-powerpc-19.1R3-S7.2.tgz
    Installing package '/var/tmp/jpfe-fips-powerpc-19.1R3-S7.2.tgz' ...
    WARNING: jpfe-fips-powerpc-19.1R3-S7.2.tgz: not a signed package
    Verified jpfe-fips-powerpc-19.1R3-S7.2 signed by PackageProductionECP256_2021 method ECDSA256+SHA256
    Mounted jpfe-fips package on /dev/md15...
    Verified manifest signed by PackageProductionECP256_2021 method ECDSA256+SHA256
    Verified jpfe-fips-powerpc-19.1R3-S7.2 signed by PackageProductionECP256_2021 method ECDSA256+SHA256
    Saving package file in /var/sw/pkg/jpfe-fips-19.1R3-S7.2.tgz ...
    Saving state for rollback ...
- Configure the chassis FIPS boundary by setting set system fips chassis level 1 and committing.
- Once the CSPs have been deleted and reconfigured, the commit succeeds, new FIPS SSH host keys are generated, and the device must be rebooted to enter FIPS mode:

    [edit]
    root@hostname# commit
    Generating RSA key /etc/ssh/fips_ssh_host_key
    Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
    Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
    [edit]
      system
        reboot is required to transition to FIPS level 1
    commit complete
- After the reboot, the FIPS self-tests run and the device enters FIPS mode. The CLI prompt now carries the :fips suffix:

    crypto-officer@hostname:fips>