In this section:
Use the procedure in this section to configure the SBC Core to operate in FIPS 140-2 compliant mode.
The SBC includes FIPS 140-2 Level 1 validated cryptographic hardware modules and software tool kits as described below. When enabled, the SBC operates these modules in FIPS 140-2 approved mode for all cryptographic operations.
To enable TLS support in Windows:
The following enhancements or changes have been made to achieve FIPS 140-2 certification:
Self-Tests – The SBC implements cryptographic algorithms using software firmware and hardware and the modules perform various self-tests (power-up self-test, conditional self-test, and critical function self-test) to verify their functionality and correctness. If any of the tests fail, the module goes into “Critical Error” state and disables all access to cryptographic functions and Critical Security Parameters (CSPs). The management interfaces do not respond to any commands until the module is operational. The Crypto Officer must reboot the modules to clear the error and return to normal operational mode.
The self-tests include:
FIPS Finite State Model – The following diagram demonstrates the SBC states and state transitions that occur within the SBC server:
TLS v1.1 and v1.2 support for EMA in Platform Mode and SIP/TLS – TLS v1.1 and v1.2 provide resistance to certain known attacks (e.g. the BEAST attack affecting TLS v1.0) against earlier TLS versions and offer additional cipher suites not supported with TLS v1.0.
FIPS compliant operating mode is fully compliant with FIPS-140-2 at security level 1+. Putting the SBC system in FIPS-140-2 operating mode requires enabling the fips-140-2 mode
parameter as well as configuring other parameters.
Perform the following steps to set the FIPS-140-2 mode using CLI:
Switch to configure private mode, using the command:
> configure private
Execute the following commands:
% set profiles security tlsProfile defaultTlsProfile v1_0 disabled v1_1 disabled v1_2 enabled % set profiles security EmaTlsProfile defaultEmaTlsProfile v1_0 disabled v1_1 disabled v1_2 enabled % set oam snmp version v3only % set system admin <system name> fips-140-2 mode enabled % commit
where setting fips-140-2 mode to enabled accomplishes the following actions:
• regenerates all SSH keys
• regenerates encryption keys used by the system configuration database
• zeroizes (e.g. securely erases) all persistent CSPs from the system and cause server to reboot after confirmation.
To view the FIPS administrative state, global SIP Signaling Controls, EmaTlsProfile and TLS profile settings, use the 'show' command as depicted in the following examples:
% show system admin MYSBC fips-140-2 mode enabled; % show profiles security EmaTlsProfile defaultEmaTlsProfile ... ... v1_0 disabled; v1_1 disabled; v1_2 enabled; % show profiles security tlsProfile defaultTlsProfile appAuthTimer 5; handshakeTimer 5; sessionResumpTimer 3600; cipherSuite1 rsa-with-aes-128-cbc-sha; allowedRoles clientandserver; v1_0 disabled; v1_1 disabled; v1_2 enabled;
To view FIPS finite state machine state, exit back to system mode and execute 'show table system fipsFSMState' command as in the following example:
% exit [ok][2013-08-20 22:28:26] > show table system fipsFSMState INDX STATE TIME STAMP ISSUER MESSAGE ---------------------------------------------------------------------------- 0 selftest Wed Aug 14 16:51:36 IST 2013 fipsPost executing POST 1 poweroff Wed Aug 14 16:48:37 IST 2013 fipsPost halt or reboot 2 operational Wed Aug 14 16:47:57 IST 2013 fipsPost POST Complete
Using the EMA menu bar, navigate to All > Profiles > Security > TLS Profile. The TLS Profile window is displayed, with the TLS Profile List pane. Select the radio button corresponding to the defaultTlsProfile
.
The Edit Selected TLS Profile pane is displayed. Set the fields V1_0
and V1_1
to Disabled
. Set the field V1_2
to Enabled
. Click Save to save the changes.
Using the EMA menu bar, navigate to All > Profiles > Security > EMA TLS Profile. The EMA TLS Profile window is displayed, with the EMA TLS Profile List pane. Select the radio button corresponding to the defaultEmaTlsProfile
.
The Edit Selected EMA TLS Profile pane is displayed. Set the fields V1_0
and V1_1
to Disabled
. Set the field V1_2
to Enabled
. Click Save to save the changes.
Using the EMA menu bar, navigate to All > OAM > Snmp. The Snmp window is displayed, with the Edit Snmp pane. Set the Version
field to V3only
. Click Save to save the changes.
Login through the CLI, and execute the following command:
% set system admin <system_name> fips-140-2 mode enabled % commit
To restore service to the EMA in Platform Mode in FIPS mode, CA certificates and newly-generated SBC certificate must be imported using CLI.
Use this procedure to import up to three CA certificates.
> configure private % set system security pki certificate caCert fileName caCert.der state enabled type remote % set profiles security EmaTlsProfile defaultEmaTlsProfile ClientCaCert caCert % commit
The SBC provides a means to import SBC certificates generated with two different methods.
Use this procedure to import externally-generated SBC key and certificate in PKCS#12 format.
Install certificate. For example, certificate "sbxCert.p12" with passPhrase "sonus".
> configure private % set system security pki certificate sbxCert fileName sbxCert.p12 passPhrase sonus state enabled type local % set profiles security EmaTlsProfile defaultEmaTlsProfile serverCertName sbxCert
NOTE:
If the server and the client certificates are not getting installed, it is often due to presence of old certificates. In that case, delete the old/existing certificates and then install the new ones. To delete the old/existing certificates and install the new certificates, execute the following steps:
caCert.der
and sbxCert.p12
to /opt/sonus/external/
in both active and standby node of a High Availability (HA) configuration of a SBC.Execute the following commands in the configure private
mode:
% delete profiles security EmaTlsProfile defaultEmaTlsProfile serverCertName % delete profiles security EmaTlsProfile defaultEmaTlsProfile ClientCaCert % set system security pki certificate sbxCert state disabled % set system security pki certificate caCert state disabled % delete system security pki certificate caCert % delete system security pki certificate sbxCert % set system security pki certificate caCert fileName caCert.der state enabled type remote % set profiles security EmaTlsProfile defaultEmaTlsProfile ClientCaCert caCert % set system security pki certificate sbxCert fileName sbxCert.p12 passPhrase sonus state enabled type local % set profiles security EmaTlsProfile defaultEmaTlsProfile serverCertName sbxCert
Commit the commands after each step to make the changes effective and available for the next command.
Use this procedure to generate SBC key and CSR locally in SBC, and then re-import as PEM externally-signed cert.
Generate CSR:
> configure private % set system security pki certificate sbxCert type local-internal % commit % exit > request system security pki certificate sbxCert generateCSR keySize keySize2K csrSub "/C=US/ST=MA/L=Westford/O=Sonus Networks Inc./CN=www.sonusnet.com"
Install certificate.
> configure private % set system security pki certificate sbxCert fileName sbxCert.pem % set profiles security EmaTlsProfile defaultEmaTlsProfile serverCertName sbxCert % commit
Use this procedure to set appropriate EMA in Platform Mode client authentication method.
For example, to use either username/password login or PKI certificate based authentication, execute the following commands:
> configure private % set oam ema clientAuthMethod usernamePasswordOrPkiCert % commit