Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that an NFX350 device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-2 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the system performs the following series of known answer test (KAT) self-tests:
kernel_kats
—KAT for kernel cryptographic routinesmd_kats
—KAT for libmd and libcopenssl_kats
—KAT for OpenSSL cryptographic implementationssh_ipsec_kats
—KAT for SSH IPsec Toolkit cryptographic implementation
The KAT self-tests are performed automatically at startup and reboot, regardless of whether FIPS mode is enabled on the NFX350 device. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and DSA key pairs, and manually entered keys.
If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.
If one of the KATs fail, the device panics and reboot continuously. The device can be recovered using USB install.
The file show /var/log/messages
command displays
the system log.