Overview

The SBC Core is compliant with the FIPS-140-3 Level 1 certification for its cryptographic modules. It implements FIPS-140-3 Level 1 validated cryptographic hardware modules and software toolkits and operates these modules in FIPS-140-3 approved mode for all cryptographic operations. To verify the current status of FIPS certification, contact the Global Support Assistance Center.

FIPS-140-2 is not supported in SBC 10.1.3 and later releases; it is automatically converted to FIPS-140-3 as part of the upgrade. Perform the pre-upgrade checks before proceeding with the upgrade. For more information, refer to the section "Perform Pre-Upgrade Checks" in System Administration - Software Install-Upgrade.

The following activities were made to achieve FIPS-140-3 certification:

Self-Tests - The SBC implements cryptographic algorithms in software, firmware and hardware, and the modules perform various self-tests (power-up self-test, conditional self-test, and critical function self-test) to verify their functionality and correctness. If any test fails, the module enters the "Critical Error" state and disables all access to cryptographic functions and Critical Security Parameters (CSPs). The management interfaces do not respond to any commands until the module is operational again; the Crypto Officer must reboot the module to clear the error and return it to normal operational mode. Self-tests are performed only when the system is running in FIPS-140-3 mode. The various self-tests are as follows:

FIPS Finite State Model - The ability to change the FIPS 140-3 mode is reserved for users with Administrator permissions; the Administrator is a role in the SBC that may be assigned to a Crypto Officer in a FIPS-compliant system.

TLS v1.1 and v1.2 support for EMA/PM and SIP/TLS - TLS v1.1 and v1.2 provide resistance to certain known attacks against earlier TLS versions (e.g. the BEAST attack affecting TLS v1.0) and offer additional cipher suites not supported with TLS v1.0. Although TLS v1.0 and v1.2 are enabled by default, Ribbon recommends disabling v1.0 (if possible) in favor of the more secure TLS v1.2, if browser support (for EMA/PM) and SIP peer interoperability (for SIP/TLS) considerations permit.

Enabling FIPS-140-3 mode - As per the FIPS 140-3 standard, Critical Security Parameters (CSPs) are not transferable from non-FIPS to FIPS mode, so after enabling FIPS mode the Operator must install new TLS certificates before the EMA/PM is operational. Ribbon recommends backing up the current encrypted parameters in plain text, if possible, and performing a full configuration backup immediately after this action completes successfully.

Once you enable FIPS-140-3 mode, you cannot disable it through the configuration. A fresh software install (that discards all prior state) is required to set the FIPS-140-3 mode to 'disabled'.

The following restrictions apply when you enable FIPS-140-3 mode:

You must reconfigure SNMPv3 before enabling FIPS mode. Failure to do so could cause the SBC to crash due to excessive trap generation. You must disable all trap targets with authPriv/authNoPriv securityLevel before enabling the mode.

After enabling FIPS-140-3, you must reconfigure the keys (authKey/privKey) for all SNMP users (this applies to all SNMP users of authPriv/authNoPriv security level trap targets), and only then re-enable the authPriv/authNoPriv trap targets. The CLI commands for both steps are shown in the reconfiguration steps that follow.

Reconfiguration Step Before Enabling FIPS-140-3 Mode

Disable every trap target that has authPriv or authNoPriv securityLevel. Example:
admin@sbc1% show oam snmp trapTarget EMS_-10.54.71.176
ipAddress 10.54.71.176;
port 162;
trapType v3;
targetUsername emstrapuser;
targetSecurityLevel authPriv;
state enabled;
admin@sbc1% set oam snmp trapTarget EMS_-10.54.71.176 state disabled
admin@sbc1% commit
Enabling FIPS-140-3 Mode

The FIPS compliant operating mode is a mode of system operation that is fully compliant with FIPS-140-3 at security level 1+. Putting the system in FIPS-140-3 operating mode requires enabling the FIPS-140-3 mode parameter as well as configuring other parameters.

To Enable FIPS-140-3 Mode

In Admin, select the name of the SBC system. The FIPS-140-3 window opens.
The Edit FIPS-140-3 options open, with the following parameter:

Parameter: Mode
Description: Set to enabled to put the system in FIPS-140-3 mode. Observe the restrictions listed above; once enabled, the mode cannot be set back to disabled through the configuration.

FIPS Mode Security Restrictions
PKCS#12 certificate files whose password-based encryption (PBE) uses TripleDES are not usable once FIPS-140-3 mode is enabled; export them with AES-based PBE for both the certificate and the key. For example:

openssl3 pkcs12 -certpbe AES-256-CBC -keypbe AES-256-CBC -export -out cert.p12 -inkey cert.key -in cert.pem -passout pass:password

To check an existing .p12 file, list the PBE algorithms it uses:

$FIPS_OPEN_SSL_SH pkcs12 -nodes -in <p12-cert-file-path> -info -password pass:<password> | grep -i pbe

Note: Ensure that the output does not contain TripleDES.

Reconfiguration Steps After Enabling FIPS-140-3 Mode

Reconfigure the authKey/privKey of every SNMP user referenced by an authPriv/authNoPriv trap target, commit, and then re-enable the trap targets that you disabled before enabling the mode:
admin@sbc1% set oam snmp users emstrapuser authKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d
admin@sbc1% set oam snmp users emstrapuser privKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d
admin@sbc1% commit
admin@sbc1% set oam snmp trapTarget <trap_target_IP> state enabled
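The before and after trap-target steps above, as an added helper that is not part of Ribbon's documentation or of the SBC itself: it parses a constructed show oam snmp trapTarget output (the braced multi-target layout, the second and third targets, and the <new-authKey>/<new-privKey> placeholders are assumptions) and generates the disable commands for the pre-FIPS step and the key reset plus re-enable commands for the post-FIPS step.

```python
import re

# Constructed sample of "show oam snmp trapTarget" output, not captured from a
# live SBC: the first target mirrors the page's example, the other two are made
# up to show what the pre-FIPS step must skip (braced layout is assumed).
SAMPLE_SHOW = """\
trapTarget EMS_-10.54.71.176 {
    ipAddress 10.54.71.176; port 162; trapType v3;
    targetUsername emstrapuser; targetSecurityLevel authPriv; state enabled;
}
trapTarget NMS_-192.0.2.10 {
    ipAddress 192.0.2.10; port 162; trapType v3;
    targetUsername nmsuser; targetSecurityLevel noAuthNoPriv; state enabled;
}
trapTarget LEGACY_-192.0.2.11 {
    ipAddress 192.0.2.11; port 162; trapType v2c; state enabled;
}
"""

TARGET_RE = re.compile(r"trapTarget\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
FIELD_RE = re.compile(r"(\w+)\s+([^;\s]+);")
AFFECTED_LEVELS = {"authPriv", "authNoPriv"}  # levels whose keys FIPS invalidates

def parse_trap_targets(show_output):
    """Return {target_name: {field: value}} parsed from show-style output."""
    return {name: dict(FIELD_RE.findall(body))
            for name, body in TARGET_RE.findall(show_output)}

def targets_to_disable(targets):
    """Enabled v3 targets at authPriv/authNoPriv: these must be disabled first."""
    return sorted(n for n, f in targets.items()
                  if f.get("trapType") == "v3" and f.get("state") == "enabled"
                  and f.get("targetSecurityLevel") in AFFECTED_LEVELS)

def pre_fips_commands(show_output):
    """CLI lines to run before enabling FIPS-140-3 mode (empty if nothing to do)."""
    cmds = [f"set oam snmp trapTarget {n} state disabled"
            for n in targets_to_disable(parse_trap_targets(show_output))]
    return cmds + ["commit"] if cmds else []

def post_fips_commands(show_output):
    """CLI lines to run after enabling the mode, from the same pre-FIPS snapshot:
    new keys per affected user (<new-...> are placeholders), commit, re-enable."""
    targets = parse_trap_targets(show_output)
    names = targets_to_disable(targets)
    if not names:
        return []
    users = sorted({targets[n]["targetUsername"] for n in names})
    cmds = [f"set oam snmp users {u} {k} <new-{k}>"
            for u in users for k in ("authKey", "privKey")] + ["commit"]
    return cmds + [f"set oam snmp trapTarget {n} state enabled" for n in names] + ["commit"]
```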
Set up the following configuration on the SBC in a JITC/FIPS-enabled environment for TLS communication.

To enable FIPS in the SBC:

Run the following commands (co is the abbreviated form of commit; the TLS versions are toggled one per commit):

conf
set profiles security tlsProfile defaultTlsProfile v1_1 enabled
co
set profiles security tlsProfile defaultTlsProfile v1_0 disabled
co
set profiles security tlsProfile defaultTlsProfile v1_2 enabled
co
set profiles security tlsProfile defaultTlsProfile v1_1 disabled
co
set profiles security EmaTlsProfile defaultEmaTlsProfile v1_0 disabled v1_1 disabled v1_2 enabled
co
set oam snmp version v3only
co
set profiles security ikeProtectionProfile AesSha1IkeProfile algorithms dhGroup modp2048
co
set system admin vsbcSystem fips-140-2 mode enabled
co

To configure the RAMP supported ciphersuites on the SBC:

Run the following commands:

conf
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite AES256-SHA256
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite AES128-SHA256
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite ECDHE-RSA-AES256-SHA
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite ECDHE-RSA-AES256-GCM-SHA384
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite ECDHE-RSA-AES128-GCM-SHA256
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite ECDHE-RSA-AES256-SHA384
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite ECDHE-RSA-AES128-SHA256
set profiles security EmaTlsProfile defaultEmaTlsProfile ciphersuite ECDHE-RSA-AES128-SHA
commit