How to Enable and Configure Junos OS in FIPS Mode of Operation
You, as Cryptographic Officer, can enable and configure Junos OS in FIPS mode of operation on your device. Before you begin enabling and configuring FIPS mode of operation on the device:
Verify the secure delivery of your device. See Identifying Secure Delivery.
Apply tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable the Junos OS in FIPS mode of operation, perform the following steps:
- Zeroize the device before enabling FIPS mode of operation:
  user@host> request system zeroize hypervisor
  user@host> request system zeroize
- Enable the FIPS mode on the device:
  user@host# set system fips level 2
- Remove the CSPs on commit check and reboot the device:
  user@host# commit
- Run integrity and self-tests on powering on the device when the module is operating in FIPS mode.
- Configure IKEv2 when AES-GCM is used for encryption of IKE and/or IPsec.
- Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.
The show configuration security ike and show configuration
security ipsec commands display the approved and configured IKE/IPsec
configuration for the device operating in FIPS-approved mode.
root@host-srx1500:fips> show version
Hostname: host-srx1500
Model: srx1500
Junos: 22.2R3-S1.9
JUNOS OS Kernel 64-bit [20230512.628256f_builder_stable_12_222]
JUNOS OS libs [20230512.628256f_builder_stable_12_222]
JUNOS OS runtime [20230512.628256f_builder_stable_12_222]
JUNOS OS time zone information [20230512.628256f_builder_stable_12_222]
JUNOS OS libs compat32 [20230512.628256f_builder_stable_12_222]
JUNOS OS 32-bit compatibility [20230512.628256f_builder_stable_12_222]
JUNOS py extensions [20230714.205742_builder_junos_222_r3_s1]
JUNOS py base [20230714.205742_builder_junos_222_r3_s1]
JUNOS OS vmguest [20230512.628256f_builder_stable_12_222]
JUNOS OS crypto [20230512.628256f_builder_stable_12_222]
JUNOS OS boot-ve files [20230512.628256f_builder_stable_12_222]
JUNOS network stack and utilities [20230714.205742_builder_junos_222_r3_s1]
JUNOS libs [20230714.205742_builder_junos_222_r3_s1]
JUNOS libs compat32 [20230714.205742_builder_junos_222_r3_s1]
JUNOS runtime [20230714.205742_builder_junos_222_r3_s1]
JUNOS na telemetry [22.2R3-S1.9]
JUNOS Web Management Platform Package [20230714.205742_builder_junos_222_r3_s1]
JUNOS srx libs compat32 [20230714.205742_builder_junos_222_r3_s1]
JUNOS srx runtime [20230714.205742_builder_junos_222_r3_s1]
JUNOS srx platform support [20230714.205742_builder_junos_222_r3_s1]
JUNOS common platform support [20230714.205742_builder_junos_222_r3_s1]
JUNOS srxtvp runtime [20230714.205742_builder_junos_222_r3_s1]
JUNOS Routing mpls-oam-basic [20230714.205742_builder_junos_222_r3_s1]
JUNOS Routing lsys [20230714.205742_builder_junos_222_r3_s1]
JUNOS Routing controller-external [20230714.205742_builder_junos_222_r3_s1]
JUNOS Routing 32-bit Compatible Version [20230714.205742_builder_junos_222_r3_s1]
JUNOS Routing aggregated [20230714.205742_builder_junos_222_r3_s1]
Redis [20230714.205742_builder_junos_222_r3_s1]
JUNOS probe utility [20230714.205742_builder_junos_222_r3_s1]
JUNOS pppoe [20230714.205742_builder_junos_222_r3_s1]
JUNOS Openconfig [22.2R3-S1.9]
JUNOS mtx network modules [20230714.205742_builder_junos_222_r3_s1]
JUNOS modules [20230714.205742_builder_junos_222_r3_s1]
JUNOS srxtvp modules [20230714.205742_builder_junos_222_r3_s1]
JUNOS srxtvp libs [20230714.205742_builder_junos_222_r3_s1]
JUNOS srx libs [20230714.205742_builder_junos_222_r3_s1]
JUNOS L2 RSI Scripts [20230714.205742_builder_junos_222_r3_s1]
JUNOS srx Data Plane Crypto Support [20230714.205742_builder_junos_222_r3_s1]
JUNOS daemons [20230714.205742_builder_junos_222_r3_s1]
JUNOS srx daemons [20230714.205742_builder_junos_222_r3_s1]
JUNOS SRX TVP AppQos Daemon [20230714.205742_builder_junos_222_r3_s1]
JUNOS Extension Toolkit [20230714.205742_builder_junos_222_r3_s1]
JUNOS Phone-home [20230714.205742_builder_junos_222_r3_s1]
JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20230714.205742_builder_junos_222_r3_s1]
JUNOS J-Insight [20230714.205742_builder_junos_222_r3_s1]
JUNOS Online Documentation [20230714.205742_builder_junos_222_r3_s1]
JUNOS jail runtime [20230512.628256f_builder_stable_12_222]
JUNOS FIPS mode utilities [20230714.205742_builder_junos_222_r3_s1]
JUNOS dsa dsa [22.2R3-S1.9]
The fips keyword next to the hostname in the prompt of the output indicates that the module is operating in FIPS mode for Junos Software Release 22.2R3-S1.
user@host-srx4200:fips> show configuration security ike
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    mode main;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    address 198.51.100.0;
    local-identity inet 203.0.113.0;
    external-interface ge-0/0/3;
    version v2-only;
}

user@host-srx4200:fips> show configuration security ipsec
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-proposal1;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
    }
}
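The step "Configure IKEv2 when AES-GCM is used" is easy to miss when a gateway is added later, and the two show commands above are what an auditor has to read to catch it. The following is an added example, not Juniper's code and not part of this page: a small Python checker that parses the brace-structured text of show configuration security ike and show configuration security ipsec and reports every gateway that carries AES-GCM (in its own IKE proposal, or in the IPsec proposal of a VPN bound to it) without version v2-only. The two configurations embedded below are constructed for the example (the gateway, policy and proposal names, and the placeholder pre-shared key, are made up); the rule enforced is the one the page states.

```python
# Added example, not from the Juniper page. Parses Junos curly-brace config
# text and flags gateways that use AES-GCM but are not pinned to IKEv2.
# SAMPLE_IKE / SAMPLE_IPSEC are constructed inputs, not real device output.

SAMPLE_IKE = """\
proposal ike-gcm {
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
proposal ike-cbc {
    dh-group group14;
    encryption-algorithm aes-256-cbc;
}
policy pol-gcm {
    proposals ike-gcm;
    pre-shared-key ascii-text "$9$placeholder"; ## SECRET-DATA
}
policy pol-cbc {
    proposals ike-cbc;
}
gateway gw-ok {
    ike-policy pol-gcm;
    version v2-only;
}
gateway gw-bad {
    ike-policy pol-gcm;
}
gateway gw-cbc {
    ike-policy pol-cbc;
}
"""

SAMPLE_IPSEC = """\
proposal esp-gcm {
    encryption-algorithm aes-128-gcm;
}
policy ipsec-pol {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals esp-gcm;
}
vpn vpn-bad {
    ike {
        gateway gw-cbc;
        ipsec-policy ipsec-pol;
    }
}
"""


def parse_junos(text):
    """Nested dicts from Junos config text: 'x y {' opens a block keyed by the
    tuple ('x', 'y'); 'k v;' is a leaf keyed by 'k'; '## ...' notes are dropped."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop SECRET-DATA style markers
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][tuple(line[:-1].split())] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            words = line[:-1].split()
            stack[-1][words[0]] = " ".join(words[1:])
        else:
            raise ValueError(f"unrecognised config line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def named(cfg, kind):
    """name -> body for top-level blocks of one kind, e.g. 'gateway <name> {'."""
    return {k[1]: v for k, v in cfg.items()
            if isinstance(k, tuple) and len(k) == 2 and k[0] == kind}


def uses_gcm(policy, proposals):
    """True if any proposal listed by the policy encrypts with an AES-GCM mode."""
    names = policy.get("proposals", "").strip("[] ").split()  # handles [ a b ]
    return any(proposals.get(n, {}).get("encryption-algorithm", "").endswith("-gcm")
               for n in names)


def gcm_gateways_not_ikev2(ike_text, ipsec_text):
    """Sorted names of gateways that use AES-GCM without 'version v2-only'."""
    ike, ipsec = parse_junos(ike_text), parse_junos(ipsec_text)
    gateways = named(ike, "gateway")
    flagged = set()
    # IKE side: gateway -> ike-policy -> proposals -> encryption-algorithm
    for name, gw in gateways.items():
        if uses_gcm(named(ike, "policy").get(gw.get("ike-policy"), {}),
                    named(ike, "proposal")):
            flagged.add(name)
    # IPsec side: vpn -> ike { gateway; ipsec-policy } -> proposals
    for vpn in named(ipsec, "vpn").values():
        ref = vpn.get(("ike",), {})
        if uses_gcm(named(ipsec, "policy").get(ref.get("ipsec-policy"), {}),
                    named(ipsec, "proposal")):
            flagged.add(ref.get("gateway"))
    return sorted(g for g in flagged
                  if gateways.get(g, {}).get("version") != "v2-only")
```

Running gcm_gateways_not_ikev2(SAMPLE_IKE, SAMPLE_IPSEC) on the constructed input returns gw-bad (AES-GCM in its IKE proposal, no version statement) and gw-cbc (CBC in IKE, but the VPN bound to it negotiates AES-GCM ESP), while gw-ok passes. The parser keeps the SECRET-DATA annotation out of the parsed values, so the checker can be run on output copied from the device without carrying the marker along.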