ON THIS PAGE
FIPS Mode Overview
Enable FIPS Mode
Federal Information Processing Standards (FIPS) are standards provided by the United Stated Federal government for the purpose of secure interoperability among computing systems. These standards include encryption and common codes for various types of information, such as emergencies in certain geographic locations.
Starting in release 5.0.3, ATP Appliance provides FIPS support, allowing ATP Appliance to operate in FIPS 140-2 level 1 compliant mode. From this release onward, ATP Appliance can operate in either FIPS or non-FIPS mode.
FIPS mode is enabled or disabled using the CLI. Before you enable FIPS mode, there are several points you should be aware of.
In clustered deployments, all systems must either be in FIPS mode or not in FIPS mode. This is due to differences in how the device keys are calculated between modes. The same restriction applies for MCM configurations.
Before enabling FIPS mode, please ensure that the Core/CM, secondary cores, collectors, and other ATP Appliance appliances have been successfully upgraded to release 5.0.3 or higher. Enabling FIPS mode will prevent non-FIPS appliances from communicating with, and upgrading from, the Core/CM appliance.
FIPS mode requires stronger encryption for passwords and keys than non-FIPS mode. Please note the following requirements:
Password length (both CLI and UI) must be between 10 to 20 characters long. Passwords cannot use common insecure entries as part of the password, such as “password” or “123456.” Passwords do not have any character uppercase, lowercase, or symbol requirements.
User-provided UI private keys must be RSA, 2048 bits or higher.
User-provided UI certificates cannot use the following certificate signature hash algorithms: md2, mdc2, ripemd, md4, md5
When FIPS mode is enabled, PKCS#12 bundles uploaded to the ATP Appliance Core/CM require strong encryption. PKCS#12 bundles with weak encryption cannot be decrypted and the keypair will not be applied to the UI. Use PBE-SHA1-3DES for the keypbe and certpbe arguments when creating PKCS#12 bundles with the 'openssl pkcs12' command. If the encryption is too weak, you may see the following error message: “Couldn't process SSL Certificate: Error: Failed to extract private key from PKCS#12 bundle.”
If the above requirements are not met, when you run the command to enable FIPS, the output will indicate the issues you must correct.
For existing deployed appliances, you may be prompted to reset the UI and CLI passwords when putting the appliance into FIPS mode. This is because stored passwords are hashed, and it cannot be determined whether or not those passwords meet FIPS requirements.
Enable FIPS mode using the CLI in server mode as follows:
If the current password does not meet the FIPS requirements stated above, you must change it before enabling FIPS mode.
Use the set fips command with following options to
enable and disable FIPS:
eng-dhcp (server)# set fips
Available options are:
level —Select FIPS 140-2 security level
off —Disable FIPS 140-2 settings
Level 1 is only valid entry at this time. For example, turn FIPS on with the following command:
eng-dhcp (server)# set fips level 1
If all requirements are met and the command is successful, you are prompted to reboot the appliance. FIPS mode settings are applied after the reboot.
Turn FIPS off with the following command:
eng-dhcp (server)# set fips off
View FIPS settings with the following command:
eng-dhcp (server)# show fips
View FIPS issues with the following command:
eng-dhcp (diagnosis)# show fips errors
Reset Passwords and Keys
To reset your passwords and keys (in preparation for enabling FIPS mode or for any other reason):
Enter the reset command in server mode:
eng-dhcp(server)# reset
options are:
ui —Reset all UI settings and remove non-default
UI users
passwords —Reset default CLI and UI passwords
keys —Regenerate internal keys and certificates
all —Reset passwords and keys
For example, reset passwords and keys with the following command:
eng-dhcp(server)# reset all
Example Output:
Update passphrases and default accounts ... Enter the current password of CLI admin: Enter the new password of CLI admin: Retype the new password of CLI admin: Password changed successfully! Enter the new password of the Central Manager UI account: Retype the new password of the Central Manager UI account: Password changed successfully! Enter new devicekey: securephrase3 Recreating internal keys/certificates (1/4) ... Recreating internal keys/certificates (2/4) ... Recreating internal keys/certificates (3/4) ... Regenerate the SSL self-signed certificate? (Yes/No)? Yes SSL Self-signed certificate re-generated successfully! Recreating internal keys/certificates (4/4) ... This will remove all UI configurations and UI users, except for the default admin user. All settings, including software/content update, RADIUS, SAML and GSS settings will be reset to the default settings. Proceed? (Yes/No)? Yes ----Restarting all services----
The following prompts from the output above are only applicable for the Core/CM or All-in-one appliance. They are not shown for collectors and secondary cores.
Enter the new password of the Central Manager UI account:
Retype the new password of the Central Manager UI account:
Password changed successfully!
This will remove all user configurations and UI users,
except for the default admin user.
Proceed? (Yes/No)? Yes