Configuration changes in fips mode – H3C Technologies H3C S12500-X Series Switches User Manual
Page 255
243
4. Add a local user account for device management, including the following items:
   - A username.
   - A password that complies with the password control policies described in step 2 and step 3.
   - A user role of network-admin or mdc-admin.
   - A service type of terminal.
5. Delete the FIPS-incompliant local user service types Telnet and FTP.
6. Enable FIPS mode.
7. Select the manual reboot method.
8. Save the configuration file and specify it as the startup configuration file.
9. Delete the startup configuration file in binary format (an .mdb file).
10. Reboot the device.
The system enters FIPS mode. You can use the configured username and password to log in to the device in FIPS mode.
To enable FIPS mode:

Step                      Command             Remarks
1. Enter system view.     system-view         N/A
2. Enable FIPS mode.      fips mode enable    By default, the FIPS mode is disabled.
Configuration changes in FIPS mode
When the system enters FIPS mode, the following system changes occur:
• The user login authentication mode can only be scheme.
• The FTP/TFTP server and client are disabled.
• The Telnet server and client are disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSH server does not support SSHv1 clients and DSA key pairs.
• The generated RSA and DSA key pairs must have a modulus length of 2048 bits. When the device acts as a server to authenticate a client through public keys, the key pairs for the client must also have a modulus length of 2048 bits.
• SSH, SNMPv3, and IPsec do not support DES, 3DES, RC4, and MD5.
• The password control function cannot be disabled globally. The undo password control enable command does not take effect.
• Keys must contain at least 15 characters and all four character types: uppercase letters, lowercase letters, digits, and special characters. This requirement applies to the following passwords (the last two are governed by password control):
  - AAA server's shared key.
  - IKE pre-shared key.
  - SNMPv3 authentication key.
  - Password for a device management local user.
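The steps above (a local user with a compliant password, service type terminal and an admin role; Telnet and FTP service types removed) and the list of FIPS-mode changes together describe a pre-flight check an operator would want to run against the running configuration before step 6, because a user that fails these rules cannot log in after the reboot. The following Python script is an added example and is not H3C's own tooling or the manual's code. The password rule it enforces (15 characters, all four character classes) is the one stated in the manual; the configuration keywords it searches for (telnet server enable, ftp server enable, snmp-agent community, service-type, public-key local create dsa, undo password control enable, local-user ... class manage, authorization-attribute user-role) are assumed spellings of the corresponding Comware commands, and the sample configuration text is constructed for the example.

```python
"""FIPS-mode pre-flight checks for a Comware-style running configuration.

Added example, not H3C tooling.  Command keywords below are assumed spellings;
verify them against the release you run before relying on a finding.
"""
import re

MIN_KEY_LENGTH = 15  # the manual's minimum for keys and passwords in FIPS mode

# Constructed sample configuration (not from the manual).  Global commands are
# at column 0; attributes of a local-user block are indented by one space.
SAMPLE_CONFIG = """\
telnet server enable
ftp server enable
snmp-agent community read public
local-user admin class manage
 password simple Adm1n-Fips-Ready!!
 service-type telnet terminal
 authorization-attribute user-role network-admin
local-user backup class manage
 password simple short
 service-type ftp
 authorization-attribute user-role network-operator
public-key local create dsa
undo password control enable
"""

# (regex, finding) pairs derived from the "Configuration changes in FIPS mode"
# list.  The command spellings are assumptions.
FIPS_CHECKS = [
    (r"^\s*telnet server enable\b", "Telnet server is disabled in FIPS mode"),
    (r"^\s*ftp server enable\b", "FTP server is disabled in FIPS mode"),
    (r"^\s*snmp-agent community\b", "SNMPv1/v2c community: only SNMPv3 is available in FIPS mode"),
    (r"^\s*service-type\b.*\b(telnet|ftp)\b", "local user has FIPS-incompliant service type Telnet/FTP"),
    (r"^\s*public-key local create dsa\b", "DSA key pair: not supported by the SSH server in FIPS mode"),
    (r"^\s*undo password control enable\b", "password control cannot be disabled globally in FIPS mode"),
]


def key_complexity_violations(secret):
    """Return the rules a key or password breaks: at least 15 characters and
    all four classes (uppercase, lowercase, digit, special).  Empty list = OK."""
    violations = []
    if len(secret) < MIN_KEY_LENGTH:
        violations.append("shorter than %d characters" % MIN_KEY_LENGTH)
    classes = {
        "uppercase": any(c.isupper() for c in secret),
        "lowercase": any(c.islower() for c in secret),
        "digit": any(c.isdigit() for c in secret),
        "special": any(not c.isalnum() and not c.isspace() for c in secret),
    }
    violations.extend("missing " + name for name, ok in classes.items() if not ok)
    return violations


def audit_config(config_text):
    """Return (line number, line, finding) for every line that FIPS mode would
    disable or that the manual says must be removed before enabling it."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for pattern, message in FIPS_CHECKS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, line.strip(), message))
    return findings


def local_users(config_text):
    """Parse 'local-user NAME ...' blocks into {name: [attribute lines]}."""
    users, current = {}, None
    for line in config_text.splitlines():
        match = re.match(r"^local-user (\S+)", line)
        if match:
            current = match.group(1)
            users[current] = []
        elif current is not None and line.startswith(" "):
            users[current].append(line.strip())
        else:
            current = None  # any other column-0 command ends the block
    return users


def fips_admin_users(config_text):
    """Names of local users that satisfy step 4: service type terminal and a
    user role of network-admin or mdc-admin, so they can log in after reboot."""
    names = []
    for name, attrs in local_users(config_text).items():
        has_terminal = any(re.match(r"service-type\b.*\bterminal\b", a) for a in attrs)
        has_role = any(re.search(r"user-role (network-admin|mdc-admin)\b", a) for a in attrs)
        if has_terminal and has_role:
            names.append(name)
    return names


if __name__ == "__main__":
    for lineno, line, message in audit_config(SAMPLE_CONFIG):
        print("line %2d: %-45s -> %s" % (lineno, line, message))
    print("users able to log in after FIPS reboot:", fips_admin_users(SAMPLE_CONFIG))
    for pw in ("Adm1n-Fips-Ready!!", "short"):
        print(repr(pw), key_complexity_violations(pw) or "compliant")
```

Run it against a copy of the running configuration before step 6: every finding corresponds to a service the manual says FIPS mode disables or a local user setting step 5 says to delete, and an empty result from fips_admin_users means no account would be able to log in after the reboot in step 10.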