Enabling FIPS Mode

FIPS mode is not automatically enabled when you install Junos OS on the device.

As Security Administrator, you must explicitly enable FIPS mode on the device by setting the FIPS level to 1 (one), the FIPS 140-3 level at which the devices are certified. A device on which FIPS mode is not enabled has a FIPS level of 0 (zero).

Note:

To transition to FIPS mode, passwords must be encrypted with a FIPS-compliant hash algorithm. The encryption format must be SHA-256 or higher. Passwords that do not meet this requirement, such as passwords that are hashed with MD5, must be reconfigured or removed from the configuration before FIPS mode can be enabled.

To enable FIPS mode in Junos OS on the device:

The fips-mode.tgz is an optional package needed for enabling FIPS. This package is part of Junos OS software. To enable this package, use below command:

Enter configuration mode:

Enable FIPS mode on the device by setting the FIPS level to 1, and verify the level:

Commit the configuration:
Note:
If the device terminal displays error messages about the presence of critical security parameters (CSPs), delete those CSPs, and then commit the configuration.

Reboot the device:

During the reboot, the device runs Known Answer Tests (KATS). It returns a login prompt:

Note:

The new hash algorithm affect only those passwords that are generated after commit.

Reboot the device again to restore the HMAC-DRBG as an active random adapter:
During the reboot, the device runs Known Answer Tests (KATS) as shown in the step 4. It returns a login prompt:

After the reboot has completed, log in and use the show version local command to verify.

Note:

Use “local” keyword for operational commands in FIPS mode. For example, show version local, and show system uptime local.