Configuring Fips; Enabling The Fips Mode; Triggering A Self-Test - HP 10500 Series Configuration Manual

Security configuration guide

If the self-test fails, the device automatically reboots.

Configuring FIPS

To configure FIPS, complete the following tasks:
1. Remove the existing key pairs and certificates.
2. Enable the FIPS mode.
3. Enable the password control function.
4. Configure local user attributes (including local username, service type, password, and so on) on the switch.
5. Save the configuration.
After you finish the above configurations, reboot the switch. After it starts up, the switch works in FIPS mode, which complies with the FIPS 140-2 standard. For Common Criteria (CC) evaluation in FIPS mode, the switch also works in an operating mode that complies with the CC standard.
The switch does not support an upgrade from a FIPS-incompatible version to a FIPS-compatible version.
If you enable or disable the FIPS mode on an IRF fabric, restart the IRF fabric to make your configuration take effect.
In FIPS mode, the switch does not support Telnet logins.
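
Before rebooting into FIPS mode, it helps to know which management services, keys and algorithms in use today will stop working. The following is an added example, not part of the HP manual: it audits a device profile against the restrictions this guide lists under "Enabling the FIPS mode". The profile layout, field names and sample values are assumptions made for illustration.

```python
# Added example: audit a device profile against the FIPS-mode restrictions
# listed in this guide. The profile layout and field names are assumptions.

BANNED_SERVICES = {"ftp", "tftp", "telnet", "http"}   # disabled in FIPS mode
BANNED_ALGS = {"des", "3des", "rc4", "md5"}           # not supported in FIPS mode
CRYPTO_FEATURES = ("ssh", "snmpv3", "ipsec", "ssl")


def fips_findings(profile):
    """Return the settings in `profile` that conflict with FIPS mode."""
    out = []
    for svc in sorted(BANNED_SERVICES & set(profile.get("services", []))):
        out.append(f"service {svc} is disabled in FIPS mode")
    for ver in profile.get("snmp_versions", []):
        if ver.lower() != "v3":
            out.append(f"SNMP{ver} is disabled; only SNMPv3 is available")
    for ver in profile.get("ssh_client_versions", []):
        if str(ver) == "1":
            out.append("SSHv1 clients are not supported")
    for key in profile.get("keys", []):
        alg, bits = key["alg"].lower(), key["bits"]
        if alg == "rsa" and bits != 2048:
            out.append(f"RSA key {key['name']}: modulus {bits}, must be 2048")
        elif alg == "dsa" and bits < 1024:
            out.append(f"DSA key {key['name']}: modulus {bits}, must be >= 1024")
    for feature in CRYPTO_FEATURES:
        used = {a.lower() for a in profile.get("algorithms", {}).get(feature, [])}
        for alg in sorted(used & BANNED_ALGS):
            out.append(f"{feature} uses {alg}, not supported in FIPS mode")
    return out


# Constructed sample profile (not taken from a real device).
SAMPLE = {
    "services": ["ssh", "telnet", "ftp", "https"],
    "snmp_versions": ["v2c", "v3"],
    "ssh_client_versions": [1, 2],
    "keys": [
        {"name": "hostkey", "alg": "rsa", "bits": 1024},
        {"name": "mgmt", "alg": "rsa", "bits": 2048},
    ],
    "algorithms": {"ssh": ["aes128", "3des"], "snmpv3": ["md5", "sha"]},
}

if __name__ == "__main__":
    for line in fips_findings(SAMPLE):
        print(line)
```

An empty result means nothing in the profile conflicts with the restrictions listed in this guide.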

Enabling the FIPS mode

Step                        Command             Remarks
1. Enter system view.       system-view         N/A
2. Enable the FIPS mode.    fips mode enable    Disabled by default.

After you enable the FIPS mode and reboot the switch, the switch works in FIPS mode after it starts up and the following changes occur:
• FTP/TFTP is disabled.
• Telnet is disabled.
• The HTTP server is disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• SSH only supports RSA.
• The generated RSA key pairs must have a modulus length of 2048 bits. The generated DSA key pair must have a modulus of at least 1024 bits.
• SSH, SNMPv3, IPsec and SSL do not support DES, 3DES, RC4, or MD5.

Triggering a self-test

Task                        Command             Remarks
1. Enter system view.       system-view         N/A
