How to Enable and Configure Junos OS in FIPS Mode of Operation
You, as Security Administrator, can enable and configure Junos OS in FIPS mode of operation on your device. Before you begin enabling and configuring FIPS mode of operation on the device:
- Verify the secure delivery of your device. See Identifying Secure Product Delivery.
- Apply tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable the Junos OS in FIPS mode of operation, perform the following steps:
- Zeroize the device before enabling FIPS mode of operation.
  user@host> request vmhost zeroize
- Enable the FIPS mode on the device.
  user@host# set system fips level 2
- Set the root password.
  user@host# set system root-authentication plain-text-password
  Enter a password.
- Remove the CSPs on commit check.
  user@host# commit
- After you reboot the device, perform integrity and self-test when the module is operating in FIPS mode.
- Configure IKEv2 when AES-GCM is used for encryption of IKE and/or IPSec.
  user@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
  Possible completions:
    aes-128-cbc          AES-CBC 128-bit encryption algorithm
    aes-128-gcm          AES-GCM 128-bit encryption algorithm
    aes-192-cbc          AES-CBC 192-bit encryption algorithm
    aes-256-cbc          AES-CBC 256-bit encryption algorithm
    aes-256-gcm          AES-GCM 256-bit encryption algorithm
  user@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
  user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
  user@host# set security ike gateway <gateway_name> version ?
  Possible completions:
    v1-only              The connection must be initiated using IKE version 1
    v2-only              The connection must be initiated using IKE version 2
  user@host# set security ike gateway <gateway_name> version v2-only
  user@host# commit
  commit complete
Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.
root@host-srx1600:fips> show version
Hostname: cst1a
Model: host-srx1600
Junos: 23.4R1.9
JUNOS OS Kernel 64-bit [20231122.ee0e992_builder_stable_12_234]
JUNOS OS libs [20231122.ee0e992_builder_stable_12_234]
JUNOS OS runtime [20231122.ee0e992_builder_stable_12_234]
JUNOS OS time zone information [20231122.ee0e992_builder_stable_12_234]
JUNOS OS libs compat32 [20231122.ee0e992_builder_stable_12_234]
JUNOS OS 32-bit compatibility [20231122.ee0e992_builder_stable_12_234]
JUNOS py extensions [20231221.205905_builder_junos_234_r1]
JUNOS py base [20231221.205905_builder_junos_234_r1]
JUNOS OS vmguest [20231122.ee0e992_builder_stable_12_234]
JUNOS OS package [20231117.015524_builder_stable_12]
JUNOS network stack and utilities [20231221.205905_builder_junos_234_r1]
JUNOS OS network modules [20231122.ee0e992_builder_stable_12_234]
JUNOS OS crypto [20231122.ee0e992_builder_stable_12_234]
JUNOS OS boot-ve files [20231122.ee0e992_builder_stable_12_234]
JUNOS libs [20231221.205905_builder_junos_234_r1]
JUNOS libs compat32 [20231221.205905_builder_junos_234_r1]
JUNOS runtime [20231221.205905_builder_junos_234_r1]
JUNOS na telemetry [23.4R1.9]
JUNOS Web Management Platform Package [20231221.205905_builder_junos_234_r1]
JUNOS vmguest [20231221.205905_builder_junos_234_r1]
JUNOS lite sysmond [20231221.205905_builder_junos_234_r1]
JUNOS publish subscribe base [20231221.205905_builder_junos_234_r1]
JUNOS srx libs compat32 [20231221.205905_builder_junos_234_r1]
JUNOS srx runtime [20231221.205905_builder_junos_234_r1]
JUNOS srx platform support [20231221.205905_builder_junos_234_r1]
JUNOS common platform support [20231221.205905_builder_junos_234_r1]
JUNOS srxtvp runtime [20231221.205905_builder_junos_234_r1]
JUNOS Routing mpls-oam-basic [20231221.205905_builder_junos_234_r1]
JUNOS Routing lsys [20231221.205905_builder_junos_234_r1]
JUNOS Routing controller-external [20231221.205905_builder_junos_234_r1]
JUNOS Routing 32-bit Compatible Version [20231221.205905_builder_junos_234_r1]
JUNOS Routing aggregated [20231221.205905_builder_junos_234_r1]
Redis [20231221.205905_builder_junos_234_r1]
JUNOS probe utility [20231221.205905_builder_junos_234_r1]
JUNOS pppoe [20231221.205905_builder_junos_234_r1]
JUNOS Openconfig [23.4R1.9]
JUNOS mtx network modules [20231221.205905_builder_junos_234_r1]
JUNOS modules [20231221.205905_builder_junos_234_r1]
JUNOS srxtvp modules [20231221.205905_builder_junos_234_r1]
JUNOS srxtvp libs [20231221.205905_builder_junos_234_r1]
JUNOS srx libs [20231221.205905_builder_junos_234_r1]
JUNOS L2 RSI Scripts [20231221.205905_builder_junos_234_r1]
JUNOS Key Manager [20231221.205905_builder_junos_234_r1]
JUNOS srx Data Plane Crypto Support [20231221.205905_builder_junos_234_r1]
JUNOS ike [20231221.205905_builder_junos_234_r1]
JUNOS daemons [20231221.205905_builder_junos_234_r1]
JUNOS srx daemons [20231221.205905_builder_junos_234_r1]
JUNOS SRX TVP AppQos Daemon [20231221.205905_builder_junos_234_r1]
JUNOS TPM2 [20231221.205905_builder_junos_234_r1]
JUNOS Extension Toolkit [20231221.205905_builder_junos_234_r1]
JUNOS Phone-home [20231221.205905_builder_junos_234_r1]
JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20231221.205905_builder_junos_234_r1]
JUNOS Juniper Malware Removal Tool (JMRT) Test [1.0.0+20231221.205905_builder_junos_234_r1]
JUNOS J-Insight [20231221.205905_builder_junos_234_r1]
JUNOS Online Documentation [20231221.205905_builder_junos_234_r1]
JUNOS jail runtime [20231122.ee0e992_builder_stable_12_234]
JUNOS FIPS mode utilities [20231221.205905_builder_junos_234_r1]
JUNOS dsa [20231221.205905_builder_junos_234_r1]
The fips keyword next to the hostname in the output indicates that the module is operating in FIPS mode for Junos Software Release 23.4R1 for SRX1600.
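An offline audit of the settings from the procedure above, as an added example (not Juniper's code). It assumes the configuration was exported in set form (for example with show configuration | display set), and it simplifies the IKEv2 rule: if any IKE or IPsec proposal uses AES-GCM, every IKE gateway must be v2-only. The sample configuration and gateway names are constructed.

```python
import re

# Statements taken from the procedure on this page.
GCM = re.compile(r"^set security (?:ike|ipsec) proposal \S+ encryption-algorithm aes-\d+-gcm$")
GATEWAY = re.compile(r"^set security ike gateway (\S+)(?: version (\S+))?")
FIPS_PROMPT = re.compile(r"^\S+@\S+:fips[>#]")

# Constructed sample in "display set" form; names and the hash are placeholders.
SAMPLE = """
set system fips level 2
set system root-authentication encrypted-password "<hash-placeholder>"
set security ike proposal ike-prop encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-gcm
set security ike gateway gw-site-a version v2-only
set security ike gateway gw-site-b ike-policy pol-b
set security ike gateway gw-site-c version v1-only
"""


def audit_fips_config(set_config):
    """Return a list of findings for a configuration given in set form."""
    lines = [l.strip() for l in set_config.splitlines() if l.strip()]
    findings = []
    if "set system fips level 2" not in lines:
        findings.append("system fips level 2 is not set")
    if not any(l.startswith("set system root-authentication ") for l in lines):
        findings.append("no root-authentication statement")
    # Collect every gateway and the IKE version it pins, if any.
    gateways = {}
    for l in lines:
        m = GATEWAY.match(l)
        if m:
            gateways.setdefault(m.group(1), None)
            if m.group(2):
                gateways[m.group(1)] = m.group(2)
    # Simplified rule (assumption): any AES-GCM proposal requires v2-only everywhere.
    if any(GCM.match(l) for l in lines):
        for name, version in sorted(gateways.items()):
            if version != "v2-only":
                findings.append(
                    f"ike gateway {name}: AES-GCM proposal configured "
                    f"but version is {version or 'unset'}")
    return findings


def prompt_shows_fips(prompt_line):
    """True when a CLI prompt carries the fips keyword after the hostname."""
    return bool(FIPS_PROMPT.match(prompt_line))
```
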