
Enabling FIPS mode, FIPS self-tests, Power-up self-tests – H3C Technologies H3C SecPath F1000-E User Manual


Enabling FIPS mode

IMPORTANT:

To enable both FIPS mode and password control, enable FIPS mode first and then password control. To disable both of them, disable password control first and then FIPS mode. Otherwise, the device cannot reboot.

After enabling FIPS mode, you must restart the device to make your configuration take effect.
To enable FIPS mode:

Step  Action              Command           Remarks
1.    Enter system view.  system-view       N/A
2.    Enable FIPS mode.   fips mode enable  Disabled by default.

After you enable FIPS mode and restart the device, the following changes occur:

- The FTP/TFTP server is disabled.
- The Telnet server is disabled.
- The HTTP server is disabled.
- SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
- The SSL server supports only TLS 1.0.
- The SSH server does not support SSHv1 clients.
- SSH supports only RSA.
- RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length of at least 1024 bits.
- SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, 3DES, or MD5.
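A practical consequence of the SSH changes above is that client keys which worked before the reboot may be rejected afterwards. The following Python script is an example added here, not H3C code: it parses OpenSSH public-key lines (the `ssh-rsa`/`ssh-dss` wire format) and flags any key the FIPS-mode SSH server would refuse, that is, non-RSA keys and RSA keys whose modulus is not 2048 bits as the manual states. The sample keys it builds are constructed placeholders with the right modulus size, not real key material.

```python
import base64
import struct

# Key-size rules the firewall enforces in FIPS mode, per the manual: RSA
# modulus must be 2048 bits, DSA modulus at least 1024 bits. SSH itself
# accepts only RSA keys in FIPS mode.
RSA_MODULUS_BITS = 2048
DSA_MIN_MODULUS_BITS = 1024


def _fields(blob: bytes) -> list:
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        out.append(blob[pos:pos + n])
        pos += n
    return out


def check_ssh_client_key(line: str) -> dict:
    """Decide whether one OpenSSH public-key line is usable against the
    firewall's SSH server in FIPS mode. Returns type, modulus bits, verdict."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    fields = _fields(base64.b64decode(b64))
    if fields[0] != key_type.encode():
        raise ValueError("blob type does not match key type")
    if key_type == "ssh-rsa":
        # Fields: "ssh-rsa", e, n. The modulus is the third field.
        bits = int.from_bytes(fields[2], "big").bit_length()
        ok = bits == RSA_MODULUS_BITS
        reason = "ok" if ok else f"RSA modulus is {bits} bits, need {RSA_MODULUS_BITS}"
        return {"type": key_type, "bits": bits, "ok": ok, "reason": reason}
    if key_type == "ssh-dss":
        # Fields: "ssh-dss", p, q, g, y. The modulus is p.
        bits = int.from_bytes(fields[1], "big").bit_length()
        reason = "SSH in FIPS mode accepts only RSA keys"
        if bits < DSA_MIN_MODULUS_BITS:
            reason += f"; DSA modulus is {bits} bits, need at least {DSA_MIN_MODULUS_BITS}"
        return {"type": key_type, "bits": bits, "ok": False, "reason": reason}
    return {"type": key_type, "bits": 0, "ok": False,
            "reason": "SSH in FIPS mode accepts only RSA keys"}


def audit_authorized_keys(text: str) -> list:
    """Run the check over an authorized_keys-style file, skipping blanks and comments."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = check_ssh_client_key(line)
        r["line"] = lineno
        results.append(r)
    return results


# --- constructed sample input (placeholder keys, not real ones) ------------

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    # The extra byte keeps the sign bit clear, as SSH mpint encoding requires.
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return _string(b)


def make_rsa_pubkey_line(modulus_bits: int, comment: str = "constructed") -> str:
    """Build an ssh-rsa line whose modulus has exactly modulus_bits bits.
    The modulus is a placeholder number, not a real key; only its size matters here."""
    n = (1 << (modulus_bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    sample = "\n".join([
        "# constructed authorized_keys for the audit",
        make_rsa_pubkey_line(2048, "ops-2048"),
        make_rsa_pubkey_line(1024, "legacy-1024"),
    ])
    for r in audit_authorized_keys(sample):
        print(r["line"], r["type"], r["bits"], "OK" if r["ok"] else "REJECT:", r["reason"])
```

Run it against the client-side `authorized_keys` or the keys you intend to import into the device before enabling FIPS mode; keys that the script rejects must be replaced, or the administrator will be locked out of SSH after the reboot.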

FIPS self-tests

When the device operates in FIPS mode, it runs self-tests, including power-up self-tests and conditional self-tests, to ensure that its cryptographic modules operate normally. You can also trigger a self-test manually. If a self-test fails, the device restarts.

Power-up self-tests

The power-up self-tests, also called known-answer tests, verify that the FIPS-allowed cryptographic algorithms are available and produce correct results. Each algorithm is run on input data for which the correct output is already known, and the calculated output is compared with the known answer. If the two are not identical, the known-answer test fails.

The power-up self-test includes the types described in Table 58.
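The known-answer mechanism described above, as a runnable Python illustration added here (it is not H3C's self-test code and says nothing about which algorithms Table 58 lists): each table entry runs an algorithm over a fixed input and compares the result with the published answer, using the FIPS 180-4 hash examples and RFC 4231 HMAC test case 1. The "error" state stands in for the device restart, and a corrupted vector shows that one wrong answer is enough to fail the whole power-up test.

```python
import hashlib
import hmac

# Known-answer table: each entry computes an algorithm over a fixed input and
# carries the published expected output (FIPS 180-4 examples for the hashes,
# RFC 4231 test case 1 for HMAC). The table itself is constructed for this
# example; the vectors are the standard ones.
KNOWN_ANSWERS = {
    "SHA-1": (
        lambda: hashlib.sha1(b"abc").hexdigest(),
        "a9993e364706816aba3e25717850c26c9cd0d89d",
    ),
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "SHA-512": (
        lambda: hashlib.sha512(b"abc").hexdigest(),
        "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
        "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
    ),
    "HMAC-SHA-256": (
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    ),
}


def run_known_answer_tests(table: dict) -> dict:
    """Run every known-answer test; map algorithm name -> True (pass) / False (fail).
    An exception inside an algorithm counts as a failure, not a crash."""
    results = {}
    for name, (compute, expected) in table.items():
        try:
            actual = compute()
            # Constant-time comparison; a length mismatch simply fails.
            results[name] = hmac.compare_digest(actual, expected)
        except Exception:
            results[name] = False
    return results


def power_up_self_test(table: dict = KNOWN_ANSWERS) -> dict:
    """Power-up (or operator-triggered) self-test. The device restarts on any
    failure; here the analogue is an 'error' state in which no algorithm may
    be used, instead of a restart."""
    results = run_known_answer_tests(table)
    failed = sorted(name for name, ok in results.items() if not ok)
    return {"state": "operational" if not failed else "error",
            "results": results, "failed": failed}


def corrupt_vector(table: dict, name: str) -> dict:
    """Copy of the table with one expected value replaced, to show that a
    single wrong answer is enough to take the module out of service."""
    compute, expected = table[name]
    bad = dict(table)
    bad[name] = (compute, "00" * (len(expected) // 2))
    return bad


if __name__ == "__main__":
    print(power_up_self_test())
    print(power_up_self_test(corrupt_vector(KNOWN_ANSWERS, "SHA-256")))
```

The point of the all-or-nothing verdict is the same as the device's restart: a module that has produced one wrong answer is not trusted for any further cryptographic operation until the fault is cleared.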