H3C S12500-X Series Switches User Manual

Configuring FIPS
Overview
Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high. The device supports Level 2.

Unless otherwise noted, in this document the term "FIPS" refers to FIPS 140-2.
Configuration restrictions and guidelines
When you configure FIPS, follow these restrictions and guidelines:
• After the fips mode enable command is executed, the system prompts you to choose a reboot method. If you do not make a choice within 30 seconds, the system uses the manual reboot method.
• Before you reboot the device to enter FIPS mode, the system automatically removes all key pairs configured in non-FIPS mode and all FIPS-incompliant digital certificates. FIPS-incompliant digital certificates are MD5-based certificates with a key pair modulus length of less than 2048 bits. Because the key pairs are removed, you cannot log in to the device through SSH after the device enters FIPS mode. To log in to the device in FIPS mode through SSH, first log in to the device through a console port, and then create a key pair for the SSH server.
• The password for logging in to the device in FIPS mode must comply with the password control policies, such as the password length, complexity, and aging policies. When the aging timer for a password expires, the system prompts you to change the password. If you adjust the system time after the device enters FIPS mode, the login password might expire before the next login, because the original system time is typically much earlier than the actual time.
  ◦ If you choose the automatic reboot method, set the system time before executing the fips mode enable command.
  ◦ If you choose the manual reboot method, set the system time before configuring the local username and password.
• To use the manual reboot method, you must perform the following tasks:
  a. Save the current configuration file.
  b. Specify the current configuration file as the startup configuration file.
  c. Delete the startup configuration file in binary format.
  d. Reboot the device.
  Otherwise, any commands in the configuration file that are not supported in FIPS mode are restored.
• The system enters an intermediate state between when the fips mode enable command is executed and when the system is rebooted. If you choose the manual reboot method, do not execute any commands except for the following commands:
  ◦ reboot.
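The manual reboot sequence above, written out as a constructed CLI session (an added illustration, not the manual's own configuration example). It assumes a Comware 7 command line, a next-startup file named startup.cfg with its binary counterpart startup.mdb on flash:, and a hypothetical administrator account named fipsadmin; lines beginning with # are annotations, not input, and the system's prompt text is omitted.

```text
# Set the system time first: the aging timer of the password created below
# is measured from this clock, so a stale clock can expire the login
# password before the next login (clock datetime is assumed to exist).
<Sysname> clock datetime 10:00:00 01/15/2024
<Sysname> system-view

# Switch to FIPS mode. Answer the reboot-method prompt within 30 seconds;
# this session chooses the manual reboot method.
[Sysname] fips mode enable

# Create the login account. In FIPS mode the password must satisfy the
# password control policies (length, complexity, aging); user name assumed.
[Sysname] local-user fipsadmin
[Sysname-luser-manage-fipsadmin] password
[Sysname-luser-manage-fipsadmin] service-type terminal
[Sysname-luser-manage-fipsadmin] authorization-attribute user-role network-admin
[Sysname-luser-manage-fipsadmin] quit

# Step a: save the current configuration; step b: make it the next-startup
# configuration file.
[Sysname] save flash:/startup.cfg
[Sysname] quit
<Sysname> startup saved-configuration flash:/startup.cfg

# Step c: remove the binary startup file so that commands the FIPS mode does
# not support are not restored from it at reboot (file name assumed).
<Sysname> delete /unreserved flash:/startup.mdb

# Step d: reboot. The device comes up in FIPS mode with all non-FIPS key
# pairs removed, so log in at the console and create the SSH server key pair
# before expecting SSH access.
<Sysname> reboot
```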