As Crypto Officer, you must establish a root password conforming to the FIPS password
requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS
mode in Junos OS on the device, you cannot configure passwords unless they meet this
standard.
Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password
recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into
single-user mode without the correct root password.
To enable FIPS mode in Junos OS on the device:
- Zeroize the device to delete all CSPs before entering FIPS mode. See Zeroizing the System.
- After the device comes up in Amnesiac mode, log in through the console with the username root and a blank password.
- Configure root authentication with a password of at least 10 characters.
root@switch> edit
Entering configuration mode
[edit]
root@switch# set system root-authentication plain-text-password
New password:
Retype new password:
root@switch# commit
configuration check succeeds
commit complete
- Load the configuration onto the device and commit the new configuration.
- Configure the Crypto Officer account and log in with the Crypto Officer credentials.
- The fips-mode.tgz package is an optional package needed on QFX10002-36Q and QFX10002-72Q devices to enable FIPS. This package is part of the Junos OS software. To enable this package, use the following command:
root@host> request system software add optional://fips-mode.tgz
Verified fips-mode signed by PackageProductionECP256_2022 method ECDSA256+SHA256
- The fips-mode.tgz and jpfe-fips.tgz packages are optional packages needed on QFX10002-60C, QFX10008, and QFX10016 devices to enable FIPS. These packages are part of the Junos OS software. To enable these packages, use the following commands:
root@host> request system software add optional://fips-mode.tgz
Verified fips-mode signed by PackageProductionECP256_2022 method ECDSA256+SHA256
root@host> request system software add optional://jpfe-fips.tgz
Verified jpfe-fips signed by PackageProductionECP256_2022 method ECDSA256+SHA256
- Configure the system boundary for FIPS with the following command and commit the configuration:
  - For QFX10002-36Q and QFX10002-72Q devices:
[edit]
root@hostname# set system fips level 1
  - For QFX10002-60C, QFX10008, and QFX10016 devices:
[edit]
root@hostname# set system fips chassis level 1
Note: The device might display warnings to delete older CSPs in the loaded configuration; for example, an encrypted-password must be reconfigured to use a FIPS-compliant hash.
- After deleting and reconfiguring the CSPs, the commit succeeds and the device must be rebooted to enter FIPS mode.
  - For QFX10002-36Q, QFX10002-72Q, QFX10008, and QFX10016 devices, use the following command:
crypto-officer@host# commit
configuration check succeeds
[edit]
'system'
warning: reboot is required to transition to FIPS level 1
commit complete
[edit]
crypto-officer@host# run request system reboot
  - For the QFX10002-60C device, use the following command:
crypto-officer@host# commit
configuration check succeeds
[edit]
'system'
warning: reboot is required to transition to FIPS level 1
commit complete
[edit]
crypto-officer@host# run request vmhost reboot
- After the device reboots, the FIPS self-tests run and the device enters FIPS mode, as shown by the CLI prompt:
crypto-officer@switch:fips>
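The commit warning above means that any encrypted-password hashed with a non-FIPS algorithm has to be reconfigured before the device can enter FIPS mode. The following Python example, added here and not part of the Juniper documentation, audits a saved Junos configuration for encrypted-password entries and reports which accounts still use an MD5 ($1$) hash instead of SHA-256 ($5$) or SHA-512 ($6$); the sample configuration and its hash values are constructed placeholders, and the account attribution relies on the standard Junos curly-brace layout.

```python
import re

# Junos encrypted-password values use crypt(3) prefixes: $5$ (SHA-256) and
# $6$ (SHA-512) are FIPS-compliant; $1$ (MD5) must be reconfigured.
SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}
FIPS_APPROVED = {"sha256", "sha512"}

_ENC_PW = re.compile(r'encrypted-password\s+"(?P<hash>[^"]+)"')
_USER = re.compile(r'^\s*user\s+(\S+)\s*\{')
_ROOT = re.compile(r'^\s*root-authentication\s*\{')

def hash_scheme(value):
    """Map an encrypted-password value to its crypt scheme name."""
    for prefix, name in SCHEMES.items():
        if value.startswith(prefix):
            return name
    return "unknown"

def audit_encrypted_passwords(config_text):
    """Return (account, scheme, compliant) per encrypted-password; the latest
    'user NAME {' or 'root-authentication {' opener names the account."""
    results, account = [], None
    for line in config_text.splitlines():
        user = _USER.match(line)
        if user:
            account = user.group(1)
        elif _ROOT.match(line):
            account = "root"
        enc = _ENC_PW.search(line)
        if enc:
            scheme = hash_scheme(enc.group("hash"))
            results.append((account, scheme, scheme in FIPS_APPROVED))
    return results

def non_compliant_accounts(config_text):
    """Accounts to reconfigure before committing 'set system fips level 1'."""
    return [a for a, _, ok in audit_encrypted_passwords(config_text) if not ok]

# Constructed sample configuration; hash values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$1$CONSTRUCTED$md5placeholder"; ## SECRET-DATA
    }
    user crypto-officer {
        authentication {
            encrypted-password "$6$CONSTRUCTED$sha512placeholder"; ## SECRET-DATA
        }
    }
}
"""
```

Run it against the output of `show configuration | display set` converted back to curly-brace form, or directly against a saved configuration file, before committing the fips level change.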