Warning

You must reconfigure snmpv3 before enabling FIPS mode. Failure to do so could cause the SBC to crash due to excessive trap generation. Perform the following steps to reconfigure snmpv3:

Reconfiguring snmpv3 For Successful FIPS Mode

Step 1. Disable trap targets with targetSecurityLevel of authPriv or authNoPriv by issuing the commands shown here, substituting values in the angle brackets with appropriate values from your environment:

admin@sbc1% show oam snmp trapTarget <trap_target_name>
ipAddress <ip_address>
port <port>
trapType <v3>
targetUsername <name>
targetSecurityLevel <authPriv | authNoPriv>
state enabled

Example:

admin@sbc1% set oam snmp trapTarget <trap_target_name> state disabled
admin@sbc1% commit

(For details on the snmp command, see SNMP - CLI and Configuring SBC for SNMP.)

Step 2. After enabling FIPS mode, you must reconfigure the keys (authKey/privKey) for all snmp users. This applies to all snmp users that are used for authPriv/authNoPriv security level trap targets:

admin@sbc1% set oam snmp users <targetUserName> authKey <auth_key>
admin@sbc1% set oam snmp users <targetUserName> privKey <priv_key>
admin@sbc1% commit

Step 3. Enable the authPriv and authNoPriv trap targets again:

admin@sbc1% set oam snmp trapTarget <trap_target_name> state enabled
Use the Fips-140-2 window to enable FIPS-140-2 mode.
...
...
The supports FIPS 140-2 level 1 certification for its cryptographic modules. It implements FIPS 140-2 Level 1 validated cryptographic hardware modules and software tool kits and operates this module in FIPS 140-2 approved mode for all cryptographic operations. The following changes have been made to achieve FIPS 140-2 certification:
...
- Conditional self-tests, such as Continuous Random Number Generator Tests (CRNGT), RSA Pair-wise Consistency Tests, Firmware Load Tests, and so on.
- Critical function tests - The implements the SP 800-90A CTR_DRBG as its random number generator. The SP 800-90A specification requires that certain critical functions be tested conditionally to ensure the security of the DRBG. Therefore, the critical function tests are implemented by the cryptographic modules.
...
...
...
Note |
---|
The ability to change the FIPS 140-2 mode is reserved only for users having Administrator permissions; Administrator is a role in the that may be assigned to a Crypto Officer in a FIPS-compliant system. |
- Install/upgrade Software Integrity Check- Software updates or patches that are to be loaded onto the machine are automatically checked for integrity by validating
...
...
recommends disabling TLS v1.0 (if possible) in favor of the more secure TLS v1.2, if browser support (for EMA/PM) and SIP peer interoperability (for SIP/TLS) considerations permit.
- Configuration database encryption key regeneration support - The System Administrator can cause the encryption keys used to protect sensitive information in the configuration database to be regenerated.
- SSH key regeneration support - The System Administrator can regenerate the RSA keys used by the to authenticate itself for SFTP and for CLI and netconf over ssh at any time.
Enabling FIPS-140-2 mode
FIPS compliant operating mode is a mode of system operation that is fully compliant with FIPS-140-2 at security level 1+. Putting the system in FIPS-140-2 operating mode requires enabling the fips-140-2 mode parameter as well as configuring other parameters.
...
Note |
---|
As per FIPS 140-2 standards, Critical Security Parameters (CSPs) cannot be transferred from non-FIPS to FIPS mode. So, after enabling FIPS mode, the Operator must install new TLS certificates for EMA/PM to be operational. |
...
recommends that current encrypted parameters be backed up in
...
plain text, if possible. A full configuration backup should also be performed immediately after this action has successfully completed.
To enable Fips-140-2 mode
- On the SBC main screen, go
...
...
- > Users and Application Management
...
- > Fips-140-2. The Fips-140-2 window opens.
In Admin, select the name of the SBC system. The Edit Fips-140-2
...
options open.
Figure: Users and Application Management - Fips-140-2
- Use the Mode option to enable Fips-140-2 mode.
Table: Users and Application Management - Fips-140-2
...
Fips-140-2 mode has been enabled, it cannot be 'disabled' through configuration.
...
A fresh software install that discards all prior state is required to set the FIPS-140-2 mode to 'disabled'.
The options are:
- Disabled (default)
- Enabled
Reconfiguration Steps After Enabling FIPS-140-2 Mode

1. Keys (authKey/privKey) for all snmp users must be reconfigured. This applies to all snmp users that are used for authPriv/authNoPriv security level trap targets.

admin@sbc1% set oam snmp users emstrapuser authKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d
admin@sbc1% set oam snmp users emstrapuser privKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d
admin@sbc1% commit

2. Enable the authPriv/authNoPriv trap targets:

admin@sbc1% set oam snmp trapTarget <trap_target_IP> state enabled
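As an added pre-flight helper that is not part of the SBC documentation, the following Python parses a constructed sample of `show oam snmp trapTarget` output (its key/value layout is an assumption), lists the enabled authPriv/authNoPriv trap targets that must be disabled before switching to FIPS mode and the SNMPv3 users that need new authKey/privKey values afterwards, and emits the CLI lines for each phase of the procedure above and of the Warning at the top of the page. The key values passed in are placeholders.

```python
from typing import Dict, List, Tuple
# Constructed sample in the key/value layout the page's step 1 shows for
# `show oam snmp trapTarget`; the real SBC output formatting is an assumption.
SAMPLE_SHOW = """\
trapTarget ems_primary
 targetUsername emstrapuser
 targetSecurityLevel authPriv
 state enabled
trapTarget legacy_nms
 trapType v2c
 state enabled
trapTarget audit_v3
 targetUsername auditv3
 targetSecurityLevel authNoPriv
 state disabled
"""
# Security levels whose SNMPv3 keys become unusable after entering FIPS mode.
RISKY_LEVELS = {"authPriv", "authNoPriv"}

def parse_trap_targets(show_output: str) -> List[Dict[str, str]]:
    """One dict per trapTarget: its name plus the key/value lines under it."""
    targets: List[Dict[str, str]] = []
    for line in show_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or unexpected line; ignore it
        key, value = parts
        if key == "trapTarget":
            targets.append({"name": value})
        elif targets:
            targets[-1][key] = value
    return targets

def fips_preflight(targets: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Targets to disable before the switch, and users to rekey after it."""
    risky = [t for t in targets if t.get("targetSecurityLevel") in RISKY_LEVELS]
    blocking = [t["name"] for t in risky if t.get("state") == "enabled"]
    users = sorted({t["targetUsername"] for t in risky if "targetUsername" in t})
    return blocking, users

def plan_commands(targets: List[Dict[str, str]], new_keys: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """The page's three phases as CLI lines; new_keys maps user -> (authKey, privKey)."""
    blocking, users = fips_preflight(targets)
    before = [f"set oam snmp trapTarget {n} state disabled" for n in blocking]
    rekey = [cmd for u in users for cmd in (
        f"set oam snmp users {u} authKey {new_keys[u][0]}",
        f"set oam snmp users {u} privKey {new_keys[u][1]}")]
    after = [f"set oam snmp trapTarget {n} state enabled" for n in blocking]
    return {"before_fips": before + ["commit"], "after_fips": rekey + ["commit"] + after + ["commit"]}
```

Note that audit_v3 is already disabled, so it is not in the "before" list, but its user auditv3 still appears in the rekey phase because the page requires new keys for every user tied to an authPriv/authNoPriv target.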
...