You must reconfigure SNMPv3 before enabling FIPs mode. Failure to do so could cause the SBC to crash due to excessive trap generation. Perform the following steps to reconfigure snmpv3.
The SBC releases 7.2.x and 10.1.3 are compliant with FIPS-140-2 and FIPS-140-3, respectively. To verify the current status of FIPS certification, contact the Global Support Assistance Center:
Ribbon Support Portal: https://ribboncommunications.com/services/ribbon-support-portal
Voice: +1-833-RIBBON1 (1-833-742-2661)
Reconfiguration Step Before Enabling FIPS-140-3 Mode
You must disable all trap targets with authPriv/authNoPriv securityLevel.
Example:
admin@sbc1% show oam snmp trapTarget EMS_-10.54.71.176 ipAddress 10.54.71.176; port 162; trapType v3; targetUsername emstrapuser; targetSecurityLevel authPriv; state enabled; admin@sbc1% set oam snmp trapTarget EMS_-10.54.71.176 state disabled admin@sbc1% commit
Enable FIPS-140-3 mode
The
The following activities were made to achieve FIPS-140-3 certification:
Self-Tests – The
Unable to show "metadata-from": No such page "_space_variables"implements cryptographic algorithms using software firmware and hardware and the modules perform various self-tests (power-up self-test, conditional self-test, and critical function self-test) to verify their functionality and correctness. If any of the tests fail, the module goes into “Critical Error” state and it disables all access to cryptographic functions and Critical Security Parameters (CSPs). The management interfaces do not respond to any commands until the module is operational. The Crypto Officer must reboot the modules to clear the error and return to normal operational mode.Self-tests are performed only when the system is running in FIPS-140-3 mode.
The various self-tests are as follows:- Power-Up self-tests – The Unable to show "metadata-from": No such page "_space_variables"performs self-tests at power-up to verify the integrity of the firmware images and the correct operation of the FIPS-approved algorithm implementation in the modules
- Conditional self-tests – The Unable to show "metadata-from": No such page "_space_variables"implements conditional self-tests such as Continuous Random Number Generator Tests (CRNGT), RSA Pair-wise Consistency Tests, Firmware Load Tests, and so on.
- Critical function tests – The Unable to show "metadata-from": No such page "_space_variables"implements the SP 800-90A CTR_DRBG as it's random number generator. The SP 800-90A specification requires that certain critical functions are conditionally tested to ensure the security of the DRBG. Therefore, the critical function tests are implemented by the cryptographic modules.
- Power-Up self-tests – The
FIPS Finite State Model-
The ability to change the FIPS-140-3 mode is reserved only for users having Administrator permissions; the Administrator is a role in the
Unable to show "metadata-from": No such page "_space_variables"that may be assigned to a Crypto Officer in a FIPS-compliant system.- Install/upgrade Software Integrity Check – Software updates or patches to load onto the machine are automatically checked for integrity by validating Unable to show "metadata-from": No such page "_space_variables"provided signature file for the particular package. (Refer to the install/upgrade guide). A failure in validation causes the installation/upgrade to abort.
TLS v1.1 and v1.2 support for EMA/PM and SIP/TLS- TLS v1.1 and v1.2 provide resistance to certain known attacks (e.g. the BEAST attack affecting TLS v1.0) against earlier TLS versions and offer additional cipher suites not supported with TLS v1.0.
Although TLS v1.0 and v1.2 are enabled by default,
Unable to show "metadata-from": No such page "_space_variables"recommends disabling v1.0 (if possible) in favor of the more-secure TLS v1.2, if browser support (for EMA/PM) and SIP peer interoperability (for SIP/TLS) considerations permit.
- Configuration database encryption key regeneration support – The System Administrator can cause the encryption keys used to protect sensitive information in the configuration database to regenerate.
- SSH key regeneration support – The System Administrator can regenerate the RSA keys used by the Unable to show "metadata-from": No such page "_space_variables"to authenticate itself for SFTP and for CLI and netconf over ssh at any time.
- Enabling FIPS-140-3 mode
The FIPS compliant operating mode is a mode of system operation that is fully compliant with FIPS-140-3 at security level 1+. Putting the system in FIPS-140-3 operating mode requires enabling theFIPS-140-3 mode
parameter as well as configuring other parameters.
To enable FIPS-140-3 mode
- On the SBC main screen, go to Administration > Users and Application Management > FIPS-140-3.
The FIPS-140-3 window opens. In Admin, select the name of the SBC system.
The Edit FIPS-140-3 options open.- Use the Mode option to enable FIPS-140-3 mode.
Parameter | Description |
---|---|
Mode
| The FIPS-140-3 mode. Once you enable FIPS-140-3 mode, you cannot disable it through the configuration. A fresh software install (that discards all prior states) is required to set the FIPS-140-3 mode to 'disabled'. The options are:
|
Reconfiguration Steps After Enabling FIPS-140-3 Mode
After enabling FIPS-140-3, you must reconfigure the keys (authKey/privKey) for all SNMP users (this applies to all SNMP users for authPriv/authNoPriv security level trap targets).
Use the following CLI commands to reconfigure the keys:
admin@sbc1% set oam snmp users emstrapuser authKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d admin@sbc1% set oam snmp users emstrapuser privKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d admin@sbc1% commit
Enable the authPriv/authNoPriv trap targets:
admin@sbc1% set oam snmp trapTarget <trap_target_IP> state enabled
The ability to change the FIPS-140-3 mode is reserved only for users having Administrator permissions; the Administrator is a role in the