Enabling fips mode, Fips self-tests, Power-up self-tests – H3C Technologies H3C SecPath F1000-E User Manual
Page 269
259
Enabling FIPS mode
IMPORTANT:
To enable both FIPS mode and password control, enable FIPS mode first and then password control. To
disable both of them, disable password control first and then FIPS mode. Otherwise, the router cannot
reboot.
After enabling FIPS mode, you must restart the device to make your configuration take effect.
To enable FIPS mode:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable FIPS mode.
fips mode enable
Disabled by default
After you enable FIPS mode and restart the device, the following changes occur:
•
The FTP/TFTP server is disabled.
•
The Telnet server is disabled.
•
The HTTP server is disabled.
•
SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
•
The SSL server only supports TLS1.0.
•
The SSH server does not support SSHv1 clients.
•
The SSH supports only RSA.
•
RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus
length of at least 1024 bits.
•
SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, 3DES, or MD5.
FIPS self-tests
When the device operates in FIPS mode, it has self-test mechanisms, including the power-up self-test and
conditional self-tests, to ensure the normal operation of cryptography modules. You can also trigger a
self-test. If a self-test fails, the device restarts.
Power-up self-tests
The power-up self-tests, also called "known-answer tests", examine the availability of FIPS-allowed
cryptographic algorithms. A cryptographic algorithm runs on data for which the correct output is already
known. The calculated output is compared with the known answer. If they are not identical, the
known-answer test fails.
The power-up self-test includes the following types described in
.