Configuring fips, Prerequisites, Enabling fips mode – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

345

Configuring FIPS

After you enable FIPS mode, the system has strict security requirements, and performs self-test on
cryptography modules to make sure that they work normally.

Prerequisites

Before enabling FIPS mode, complete the following tasks:

•

Configure the login username and password. The password must comprise no less than 6
characters and must contain uppercase and lowercase letters, digits, and special characters.

•

Delete all MD5-based digital certificates.

•

Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.

Enabling FIPS mode

IMPORTANT:

To enable both FIPS mode and password control, enable FIPS mode first and then password control. To
disable both of them, disable password control first and then FIPS mode. Otherwise, the router cannot

reboot.

After enabling FIPS mode, you must restart the device to validate the configuration.
To enable FIPS mode:

Step Command

Remarks

1.

Enter system view.

system-view N/A

2.

Enable FIPS mode.

fips mode enable

Required.
Not enabled by default.

After you enable FIPS mode and restart the device, the following changes occur:

•

The FTP/TFTP server is disabled.

•

The Telnet server is disabled.

•

The HTTP server is disabled.

•

SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.

•

The SSL server only supports TLS1.0.

•

The SSH server does not support SSHv1 clients.

•

Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.

•

SSH, SNMPv3, IPsec and SSL do not support DES, RC4, or MD5.

Triggering a self-test

Task Command

Remarks

Trigger a self-test.

fips self-test

Required