Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enabling FIPS Mode

As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.

Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.

To enable FIPS mode in Junos OS on the device:

  1. Zeroize the device to delete all CSPs before entering FIPS mode. See Zeroizing the System.
  2. After the device comes up in Amnesiac mode, login using console with username root and password (blank).
  3. Configure root authentication with password at least 10 characters or more.
  4. Load configuration onto the dvice and commit new configuration.
  5. Configure Crypto Officer and login with Crypto Officer credentials.
  6. The fips-mode.tgz is an optional package needed for enabling FIPS. This package is part of Junos OS software. To enable this package, use below command:
  7. Configure system boundary fips by setting the set system fips level 1 command followed by the commit command.
    Note:

    The device might display warnings to delete older CSPs in loaded configuration- Encrypted-password must be re-configured to use FIPS compliant hash.
  8. After deleting and reconfiguring the CSPs, commit is successful and the device needs reboot to enter FIPS mode.
  9. After rebooting the device, FIPS self-tests will run and device enters FIPS mode.