Junos-FIPS Crypto Officer and User Accounts Overview
Junos-FIPS defines a restricted set of user roles. Unlike Junos OS, which makes a wide range of capabilities available to users, FIPS 140-2 defines specific types of users (Crypto Officer, User, and Maintenance). Crypto Officers and FIPS Users perform all FIPS-related configuration tasks and issue all FIPS-related commands. Crypto Officer and FIPS User configurations must follow FIPS 140-2 guidelines. Typically, no user besides a Crypto Officer can perform FIPS-related tasks.
Crypto Officer User Configuration
Junos-FIPS offers finer control of user permissions than FIPS 140-2 mandates. For FIPS 140-2 conformance, any Junos-FIPS user with the secret, security, and maintenance permission bits set is a Crypto Officer. In most cases, the super-user class should be reserved for a Crypto Officer. A FIPS User can be defined as any Junos-FIPS user who does not have the secret, security, and maintenance bits set.
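The following Python script is an added example, not Juniper's code: it applies the permission-bit rule above to `set`-format login configuration and reports which accounts count as Crypto Officers and which of the three bits every other account still holds. The sample configuration, class names, and user names are constructed; the script assumes the predefined Junos OS login classes (super-user carries all permissions) and does not model allow-commands or deny-commands overrides.

```python
import re

# Permission bits that, per the rule above, together mark a Crypto Officer.
CO_BITS = frozenset({"secret", "security", "maintenance"})

# Predefined Junos OS login classes (they have no "class" stanza in the config).
PREDEFINED = {
    "super-user": {"all"},
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

# Constructed sample input; class and user names are hypothetical.
SAMPLE_CONFIG = """\
set system login class fips-co permissions [ secret security maintenance view configure ]
set system login class fips-ops permissions [ view maintenance ]
set system login class fips-ops permissions network
set system login user alice class fips-co
set system login user bob class fips-ops
set system login user carol class super-user
set system login user dave class read-only
"""

CLASS_RE = re.compile(r"^set system login class (\S+) permissions (.+)$")
USER_RE = re.compile(r"^set system login user (\S+) class (\S+)$")

def classify_accounts(config_text):
    """Return {user: (role, sorted Crypto Officer bits the user holds)}."""
    classes = {name: set(bits) for name, bits in PREDEFINED.items()}
    users = {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := CLASS_RE.match(line):
            # Accept both "[ a b c ]" and one-permission-per-line forms.
            bits = m.group(2).strip("[] ").split()
            classes.setdefault(m.group(1), set()).update(bits)
        elif m := USER_RE.match(line):
            users[m.group(1)] = m.group(2)
    report = {}
    for user, cls in users.items():
        bits = classes.get(cls)
        if bits is None:  # user points at a class that is not defined
            report[user] = ("unknown class", [])
            continue
        held = CO_BITS if "all" in bits else CO_BITS & bits
        role = "Crypto Officer" if held == CO_BITS else "FIPS User"
        report[user] = (role, sorted(held))
    return report
```

An account reported as a FIPS User with a non-empty bit list holds part of the Crypto Officer permission set and is worth reviewing against the intended role split.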
FIPS User Configuration
A Crypto Officer sets up FIPS Users. FIPS Users can be granted permissions normally reserved for a Crypto Officer; for example, permission to zeroize the system and individual AS-II FIPS PICs.