As Security Administrator, you must establish a root password conforming to the FIPS password requirements in Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.

Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
To enable FIPS mode in Junos OS on the device:

- Zeroize the device to delete all CSPs (critical security parameters) before entering FIPS mode. Refer to the Overview of Zeroization to Clear System Data for FIPS Mode section for details.

- After the device comes up in 'Amnesiac mode', log in using the username root and a blank password "":

    FreeBSD/amd64 (Amnesiac) (ttyu0)
    login: root
    --- JUNOS 22.2R1.10 Kernel 64-bit JNPR-12.1-20210529.2f59a40_build
    root@:~ # cli
    root>

- Configure root authentication with a password of at least 10 characters:

    root> edit
    Entering configuration mode
    [edit]
    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    [edit]
    root# commit
    commit complete

- Load the configuration onto the device and commit the new configuration. Configure the Security Administrator account and log in with the Security Administrator credentials.

- The fips-mode and jpfe-fips packages are optional packages needed for enabling FIPS. These packages are part of the Junos OS software. To enable them, use the following commands:

    security-administrator@hostname> request system software add optional://fips-mode.tgz
    Verified fips-mode signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
    crypto-officer@hostname> request system software add optional://jpfe-fips.tgz
    /usr/sbin/pkg: package jpfe-fips-x86-32-20.3I-20200610_dev_common.0.0743 is already installed

- Configure the chassis FIPS boundary by setting set system fips chassis level 1 and committing. The device might display the warning "Encrypted-password must be re-configured to use FIPS compliant hash", which means older CSPs in the loaded configuration must be deleted and reconfigured.

- After you delete and reconfigure the CSPs, the commit goes through, and the device needs a reboot to enter FIPS mode:

    [edit]
    security-administrator@hostname# commit
    [edit]
      system
        reboot is required to transition to FIPS level 1
    commit complete
    [edit]
    security-administrator@hostname# run request vmhost reboot

- After the device reboots, the FIPS self-tests run and the device enters FIPS mode:

    security-administrator@hostname:fips>
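Two of the steps above fail late if prepared carelessly: the root password step (at least 10 characters) and the chassis-level commit, which rejects a loaded configuration whose encrypted-password values were not hashed with a FIPS-compliant algorithm. The following added example (not Juniper's code and not part of this page) is an offline pre-check you can run over a set-format configuration before loading it. It assumes that Junos stores local passwords in the standard crypt(3) format, where the prefixes $1$, $5$ and $6$ denote MD5, SHA-256 and SHA-512 respectively, so only $5$ and $6$ values count as compliant with the SHA256/SHA512 requirement stated above. The configuration lines and hash values are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Assumption: standard crypt(3) prefixes as used in Junos encrypted-password
# values. Only SHA-256 ($5$) and SHA-512 ($6$) satisfy the FIPS requirement;
# a legacy MD5 ($1$) hash triggers the "Encrypted-password must be
# re-configured to use FIPS compliant hash" commit warning.
HASH_NAMES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
FIPS_HASH_PREFIXES = ("$5$", "$6$")

# Minimum root password length from the procedure on this page.
MIN_ROOT_PASSWORD_LENGTH = 10

# Matches set-format lines such as:
#   set system root-authentication encrypted-password "$6$salt$hash"
ENCRYPTED_PW_RE = re.compile(
    r'^(?P<path>set\s+.*?)\s+encrypted-password\s+"(?P<hash>[^"]*)"\s*$'
)


@dataclass
class Finding:
    path: str        # the configuration path that owns the password
    algorithm: str   # human-readable hash algorithm name
    compliant: bool  # True if the hash is SHA-256 or SHA-512


def hash_algorithm(value: str) -> str:
    """Return the algorithm name for a crypt-style hash, or 'unknown'."""
    for prefix, name in HASH_NAMES.items():
        if value.startswith(prefix):
            return name
    return "unknown"


def audit_config(config_text: str) -> list[Finding]:
    """Inspect every encrypted-password statement in a set-format config."""
    findings = []
    for raw in config_text.splitlines():
        match = ENCRYPTED_PW_RE.match(raw.strip())
        if not match:
            continue
        hashed = match.group("hash")
        findings.append(Finding(
            path=match.group("path"),
            algorithm=hash_algorithm(hashed),
            compliant=hashed.startswith(FIPS_HASH_PREFIXES),
        ))
    return findings


def non_compliant_paths(config_text: str) -> list[str]:
    """Paths that must be deleted and re-configured before the FIPS commit."""
    return [f.path for f in audit_config(config_text) if not f.compliant]


def root_password_length_ok(candidate: str) -> bool:
    """Length check for the root password step (at least 10 characters)."""
    return len(candidate) >= MIN_ROOT_PASSWORD_LENGTH


# Constructed sample configuration; the hash bodies are placeholders.
SAMPLE_CONFIG = """
set system root-authentication encrypted-password "$6$EXAMPLE$c0nstructedSha512"
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$EXAMPLE$c0nstructedMd5"
set system login user sec-admin class super-user
set system login user sec-admin authentication encrypted-password "$5$EXAMPLE$c0nstructedSha256"
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        status = "ok" if finding.compliant else "RE-CONFIGURE"
        print(f"{status:12} {finding.algorithm:8} {finding.path}")
    print("root password length ok:", root_password_length_ok("Example-Pa55"))
```

Run it against the output of "show configuration | display set" saved from a non-FIPS device; every path it reports as RE-CONFIGURE is one that the chassis-level commit will complain about, so those passwords can be re-entered as plain-text-password (which hashes them with the FIPS-compliant algorithm) before the commit rather than after it fails.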