FIPS mode is not automatically enabled when you install Junos OS on the router.
As Crypto Officer, you must explicitly enable FIPS mode on your device by setting the FIPS level
to 1 (one), the FIPS 140-2 level at which your devices are certified. A device on which FIPS
mode is not enabled has a FIPS level of 0 (zero).
Note: To transition to FIPS mode, passwords must be hashed with a FIPS-compliant hash algorithm. The
hash format must be SHA-256 or SHA-512. Passwords that do not meet this requirement,
such as passwords that are hashed with MD5, must be reconfigured or removed from the
configuration before FIPS mode can be enabled.
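Because the commit that enables FIPS level 1 fails on any password that is still hashed with MD5, it is worth auditing the candidate configuration before starting the transition. The script below is an added example and not part of the Juniper documentation: it scans "display set" style configuration lines for encrypted-password statements, classifies each value by its crypt(3)-style prefix ($1$ for MD5, $5$ for SHA-256, $6$ for SHA-512), and reports the configuration paths that must be reconfigured. The sample configuration text and hash values are constructed for the example; the function names are the author's own.

```python
import re

# Constructed sample of "show configuration | display set" output. The hash
# values are placeholders, not real password hashes.
SAMPLE_CONFIG = """\
set system root-authentication encrypted-password "$6$saltsalt$FAKESHA512HASH"
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$saltsalt$FAKEMD5HASH"
set system login user crypto-officer class super-user
set system login user crypto-officer authentication encrypted-password "$5$saltsalt$FAKESHA256HASH"
set system login user legacy authentication encrypted-password "$sha1$19000$FAKEHASH"
"""

# crypt(3)-style prefixes used in Junos encrypted-password values.
HASH_PREFIXES = {
    "$1$": "MD5",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
}

# Hash formats the FIPS-mode transition accepts (per the note above).
FIPS_COMPLIANT = {"SHA-256", "SHA-512"}

# Matches a set-style line ending in an encrypted-password statement and
# captures the configuration path and the hash string.
ENCRYPTED_PASSWORD_RE = re.compile(
    r'^(?P<path>set\s+.*?)\s+encrypted-password\s+"?(?P<hash>\$[^"\s]+)"?\s*$'
)


def identify_algorithm(hash_value):
    """Return the hash algorithm name implied by the value's prefix."""
    for prefix, name in HASH_PREFIXES.items():
        if hash_value.startswith(prefix):
            return name
    return "unknown"


def audit_password_hashes(config_text):
    """Return one finding per encrypted-password statement in the config."""
    findings = []
    for line in config_text.splitlines():
        match = ENCRYPTED_PASSWORD_RE.match(line.strip())
        if not match:
            continue
        algorithm = identify_algorithm(match.group("hash"))
        findings.append({
            "path": match.group("path"),
            "algorithm": algorithm,
            "fips_compliant": algorithm in FIPS_COMPLIANT,
        })
    return findings


def non_compliant_paths(config_text):
    """Configuration paths whose password must be reconfigured before FIPS mode."""
    return [f["path"] for f in audit_password_hashes(config_text)
            if not f["fips_compliant"]]


if __name__ == "__main__":
    for finding in audit_password_hashes(SAMPLE_CONFIG):
        status = "ok" if finding["fips_compliant"] else "RECONFIGURE"
        print(f"{status:12} {finding['algorithm']:8} {finding['path']}")
```

Run it against the output of "show configuration | display set" saved to a file, replacing SAMPLE_CONFIG with the file contents; any path it reports as RECONFIGURE needs a new plain-text-password or must be deleted before the FIPS level 1 commit. Unknown prefixes are treated as non-compliant on purpose, so an unfamiliar format is reviewed rather than silently passed.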
To enable FIPS mode in Junos OS on the router:

- Zeroize the router to delete all CSPs before entering FIPS mode.

- After the router comes up in Amnesiac mode, log in using the username root and a blank password.

login :root
Password:
Last login: Fri Sep 17 01:11:25 from 10.220.192.171
--- JUNOS 20.3X75-D30.6 Kernel 64-bit JNPR-11.0-20210909.a3fd70d_buil
root@host:~ #
root>
- Configure root authentication with a password of at least 10 characters.

root@hostname> edit
Entering configuration mode
[edit]
root@hostname# set system root-authentication plain-text-password
New password:
Retype new password:
root@hostname# commit
configuration check succeeds
commit complete
- Load the configuration onto the router and commit the new configuration.

- Configure the Crypto Officer and log in with the Crypto Officer credentials.
- Configure the chassis boundary for FIPS by entering the set system fips chassis level 1 command followed by the commit command.

Note: The device might display warnings to delete older CSPs in the loaded configuration; for example, an encrypted-password must be reconfigured to use a FIPS-compliant hash.
- You can add the optional software packages:

user@hostname> request system software add optional://jpfe-fips.tgz
/usr/sbin/pkg: package jpfe-fips-x86-32-20.3X75-D30.6 is already installed
user@hostname> request system software add optional://fips-mode.tgz
Verified fips-mode signed by Package Production ECP256_2021 method ECDSA256+SHA256
/usr/sbin/pkg: package fips-mode-x86-32-20210915.232653_builder_junos_203_x75_d30 is already installed
- After deleting and reconfiguring the CSPs, the commit succeeds and the router must be rebooted to enter FIPS mode.

crypto-officer@hostname# commit
configuration check succeeds
[edit]
'system'
warning: reboot is required to transition to FIPS level 1
commit complete
[edit]
crypto-officer@hostname# run request vmhost reboot
- After the router reboots, the FIPS self-tests run and the router enters FIPS mode; the prompt now shows the fips tag.

crypto-officer@hostname:fips>
Note: Use the local keyword for operational commands in FIPS mode, for example, show version local and show system uptime local.