Warning |
---|
You must reconfigure SNMPv3 before enabling FIPS mode. Failure to do so could cause the SBX SBC to crash due to excessive trap generation. Perform the following steps to reconfigure SNMPv3: |
Step | Action | Comments |
---|---|---|
1 | Disable trap targets with a targetSecurityLevel of authPriv or authNoPriv by issuing the commands shown here, replacing the values in angle brackets with the appropriate values from your environment: admin@sbc1% show oam snmp trapTarget <trap_target_name> ipAddress <ip_address> port <port> trapType <v3> targetUsername <name> targetSecurityLevel <authPriv | authNoPriv> state enabled admin@sbc1% commit (For details on the snmp command, see SNMP - CLI and Configuring SBC for SNMP.) | |
2 | After enabling FIPS mode, you must reconfigure the keys (authKey/privKey) for all SNMP users. This applies to all SNMP users that are used for authPriv/authNoPriv security level trap targets: admin@sbc1% set oam snmp users <targetUserName> authKey <auth_key> admin@sbc1% set oam snmp users <targetUserName> privKey <priv_key> admin@sbc1% commit | |
3 | Enable authPriv and authNoPriv trap targets: admin@sbc1% set oam snmp trapTarget <trap_target_name> state enabled | |
Use the Fips-140-2 window to enable FIPS-140-2 mode.
The
The following changes have been made to achieve FIPS 140-2 certification:
Self-Tests- The
Note |
---|
Self-tests are performed only when the system is running in FIPS 140-2 mode. |
The various self-tests are as follows:
Note | ||||
---|---|---|---|---|
The ability to change the FIPS 140-2 mode is reserved only for users having Administrator permissions; Administrator is a role in the
|
TLS v1.1 and v1.2 support for EMA/PM and SIP/TLS - TLS v1.1 and v1.2 resist certain known attacks against earlier TLS versions (e.g. the BEAST attack affecting TLS v1.0) and offer additional cipher suites not supported with TLS v1.0.
Note | ||||
---|---|---|---|---|
Although TLS v1.0 and v1.2 are enabled by default,
|
Enabling FIPS-140-2 mode
FIPS-compliant operating mode is a mode of system operation that is fully compliant with FIPS-140-2 at security level 1+. Putting the system in FIPS-140-2 operating mode requires enabling the fips-140-2 mode parameter as well as configuring other parameters.
Note | ||||
---|---|---|---|---|
As per FIPS 140-2 standards, Critical Security Parameters (CSPs) cannot be transferred from non-FIPS to FIPS mode. So, after enabling FIPS mode, the Operator must install new TLS certificates for EMA/PM to be operational.
|
In Admin, select the name of the SBC system. The Edit Fips-140-2 options open.
Parameter | Description |
---|---|
Mode | The options are: |
Reconfiguration Steps After Enabling FIPS-140-2 Mode
Code Block |
---|
admin@sbc1% set oam snmp users emstrapuser authKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d
admin@sbc1% set oam snmp users emstrapuser privKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d
admin@sbc1% commit |
2. Enable authPriv/authNoPriv trap targets:
Code Block |
---|
admin@sbc1% set oam snmp trapTarget <trap_target_IP> state enabled |
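The following Python script is an added example, not part of the original page or of any vendor tooling. From a constructed trap-target inventory it lists the targets that must be disabled before FIPS mode is enabled, then builds the rekey and re-enable commands shown in the steps above. The inventory layout, the target names and every user name except emstrapuser are assumptions made for illustration.

```python
"""Pre-flight check and post-FIPS command list for SNMPv3 trap targets."""

# Security levels the warning names as affected by the switch to FIPS mode.
AFFECTED_LEVELS = {"authPriv", "authNoPriv"}

# Constructed inventory (not SBC output): one dict per trap target.
TRAP_TARGETS = [
    {"name": "ems1", "user": "emstrapuser", "level": "authPriv", "state": "enabled"},
    {"name": "noc1", "user": "nocuser", "level": "authNoPriv", "state": "enabled"},
    {"name": "lab1", "user": "labuser", "level": "noAuthNoPriv", "state": "enabled"},
    {"name": "old1", "user": "emstrapuser", "level": "authPriv", "state": "disabled"},
]


def affected(targets):
    """Trap targets whose security level is authPriv or authNoPriv."""
    return [t for t in targets if t["level"] in AFFECTED_LEVELS]


def preflight_blockers(targets):
    """Names of targets that must be disabled before FIPS mode is enabled."""
    return [t["name"] for t in affected(targets) if t["state"] == "enabled"]


def post_fips_commands(targets, disabled_names):
    """CLI lines for steps 2 and 3, using only the commands shown on the page."""
    # Rekey every user referenced by an affected target, once per user,
    # even if that target is currently disabled.
    users = sorted({t["user"] for t in affected(targets)})
    lines = []
    for user in users:
        lines.append(f"set oam snmp users {user} authKey <auth_key>")
        lines.append(f"set oam snmp users {user} privKey <priv_key>")
    lines.append("commit")
    # Re-enable only the targets that were disabled in step 1.
    lines += [f"set oam snmp trapTarget {n} state enabled" for n in disabled_names]
    return lines


if __name__ == "__main__":
    blockers = preflight_blockers(TRAP_TARGETS)
    print("Disable before enabling FIPS mode:", ", ".join(blockers) or "none")
    for line in post_fips_commands(TRAP_TARGETS, blockers):
        print("admin@sbc1%", line)
```

The `<auth_key>` and `<priv_key>` placeholders are left for the operator to fill in, as on the page.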