Enabling FIPS Mode
FIPS mode is not automatically enabled when you install Junos OS on the device.
As Security Administrator, you must explicitly enable FIPS mode on the device by setting the FIPS level to 1 (one), the FIPS 140-3 level at which the devices are certified. A device on which FIPS mode is not enabled has a FIPS level of 0 (zero).
To transition to FIPS mode, passwords must be encrypted with a FIPS-compliant hash algorithm. The encryption format must be SHA-256 or higher. Passwords that do not meet this requirement, such as passwords that are hashed with MD5, must be reconfigured or removed from the configuration before FIPS mode can be enabled.
To enable FIPS mode in Junos OS on the device:
- Enter configuration mode:
root@host> configure Entering configuration mode [edit] root@host#
-
Enable FIPS mode on the device by setting the FIPS level to 1, and verify the
level:
[edit] root@host# set system fips level 1
[edit] root@host#show system fips { level 1; }
- Commit the configuration: Note:
If the device terminal displays error messages about the presence of critical security parameters (CSPs), delete those CSPs, and then commit the configuration.
root@host# commit configuration check succeeds [edit] 'system' reboot is required to transition to FIPS level 1 commit complete
-
Reboot the device:
[edit] root@host# run request system reboot Reboot the system ? [yes,no] (no) yes
During the reboot, the device runs Known Answer Tests (KATS). It returns a login prompt:
Note:The new hash algorithm affect only those passwords that are generated after commit.
@ 1556787428 mgd start Creating initial configuration: ... mgd: Running FIPS Self-tests mgd: Testing kernel KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: SHA-2-384 Known Answer Test: Passed mgd: SHA-2-512 Known Answer Test: Passed mgd: AES128-CMAC Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: Testing MACSec KATS: mgd: AES128-CMAC Known Answer Test: Passed mgd: AES256-CMAC Known Answer Test: Passed mgd: AES-ECB Known Answer Test: Passed mgd: AES-KEYWRAP Known Answer Test: Passed mgd: KBKDF Known Answer Test: Passed mgd: Testing libmd KATS: mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: SHA-2-512 Known Answer Test: Passed mgd: Testing OpenSSL v1.0.2 KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: FIPS ECDSA Known Answer Test: Passed mgd: FIPS ECDH Known Answer Test: Passed mgd: FIPS RSA Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: ECDSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-SSH-SHA256 Known Answer Test: Passed mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed mgd: Testing OpenSSL KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: FIPS ECDSA Known Answer Test: Passed mgd: FIPS ECDH Known Answer Test: Passed mgd: FIPS RSA Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: ECDSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-SSH-SHA256 Known Answer Test: Passed mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed mgd: Testing QuickSec 7.0 KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: SSH-ECDSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-IKE-V2 Known Answer Test: Passed mgd: Testing QuickSec KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-IKE-V2 Known Answer Test: Passed mgd: Testing SSH IPsec KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: Testing file integrity: mgd: File integrity Known Answer Test: Passed mgd: Testing crypto integrity: mgd: Crypto integrity Known Answer Test: Passed
Log in to the device. The CLI displays a banner that is followed by a prompt that includes “:fips”:
--- JUNOS 22.3R1-20190716 built 2019-12-29 04:12:22 UTC root@host:fips>
-
Reboot the device again to restore the HMAC-DRBG as an active random adapter:
[edit] root@host# run request system reboot Reboot the system ? [yes,no] (no) yes
During the reboot, the device runs Known Answer Tests (KATS) as shown in the step 4. It returns a login prompt:
--- JUNOS 22.3R1-20190716 built 2019-12-29 04:12:22 UTC root@host:fips>
- After the reboot has completed, log in and use the
show version local
command to verify.
Use “local” keyword for operational commands
in FIPS mode. For example, show version local
, and show system uptime local
.