Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Crypto Officer and FIPS User Identification and Access

Crypto Officer enables FIPS mode on your device and performs all configuration tasks for Junos OS in FIPS mode and issue all Junos OS in FIPS mode statements and commands. Crypto Officer and FIPS user configurations must follow Junos OS in FIPS mode guidelines.

Configuring Crypto Officer Access

Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.

For FIPS 140-2 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Crypto Officer. In most cases the super-user class suffices for the Crypto Officer.

To configure login access for a Crypto Officer:

  1. Log in to the device with the root password if you have not already done so, and enter configuration mode:
  2. Name the user crypto-officer and assign the Crypto Officer a user ID (for example, 6400, which must be a unique number associated with the login account in the range of 100 through 64000) and a class (for example, super-user). When you assign the class, you assign the permissions—for example, secret, security, maintenance, and control.

    For a list of permissions, see Understanding Junos OS Access Privilege Levels.

    For example:

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode, assign the Crypto Officer a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.

    For example:

  4. Optionally, display the configuration:
  5. If you are finished configuring the device, commit the configuration and exit:

Configuring FIPS User Login Access

A fips-user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set.

As the Crypto Officer you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Crypto Officer—for example, permission to zeroize the system.

To configure login access for a FIPS user:

  1. Log in to the device with your Crypto Officer password if you have not already done so, and enter configuration mode:
  2. Give the user, a username, and assign the user a user ID (for example, 6401, which must be a unique number in the range of 1 through 64000) and a class. When you assign the class, you assign the permissions—for example, clear, network, resetview, and view-configuration.

    For example:

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode, assign the FIPS user a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.

    For example:

  4. Optionally, display the configuration:
  5. If you are finished configuring the device, commit the configuration and exit: