The SBC supports FIPS 140-2 Level 1 certification for its cryptographic modules. It implements FIPS 140-2 Level 1 validated cryptographic hardware modules and software toolkits and operates these modules in FIPS 140-2 approved mode for all cryptographic operations.
The following changes have been made to achieve FIPS 140-2 certification:
- Self-Tests - The SBC implements cryptographic algorithms in software, firmware, and hardware, and the modules perform several self-tests (power-up self-tests, conditional self-tests, and critical function self-tests) to verify their functionality and correctness. If any test fails, the module enters the "Critical Error" state, which disables all access to cryptographic functions and Critical Security Parameters (CSPs). The management interfaces do not respond to any commands until the module is operational again. The Crypto Officer must reboot the module to clear the error and return it to normal operational mode.
Self-tests are performed only when the system is running in FIPS 140-2 mode.
The various self-tests are as follows:
- Power-up self-tests - The SBC performs self-tests at power-up to verify the integrity of the firmware images and the correct operation of the FIPS-approved algorithm implementations in the modules.
- Conditional self-tests - The SBC implements conditional self-tests such as Continuous Random Number Generator Tests (CRNGT), RSA pair-wise consistency tests, firmware load tests, and so on.
- Critical function tests - The SBC implements the SP 800-90A CTR_DRBG as its random number generator. The SP 800-90A specification requires that certain critical functions be tested conditionally to ensure the security of the DRBG. Therefore, the critical function tests are implemented by the cryptographic modules.
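The following Python model is an added illustration, not Sonus code and not taken from this page: it shows how a power-up firmware integrity check and a known-answer test, a CRNGT conditional self-test, and the Critical Error state that only a reboot clears fit together. The firmware bytes, their digest, and the stuck RNG used to trigger a CRNGT failure are constructed stand-ins.

```python
import hashlib
import os
from enum import Enum


class State(Enum):
    POWER_UP = "power-up"
    SELF_TEST = "self-test"
    OPERATIONAL = "operational"
    CRITICAL_ERROR = "critical error"


# Constructed stand-in for a firmware image and its reference digest.
FIRMWARE = b"constructed firmware image v1"
FIRMWARE_DIGEST = hashlib.sha256(FIRMWARE).hexdigest()
# Known-answer test vector: SHA-256("abc") from FIPS 180-4.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


class FipsModule:
    def __init__(self, firmware, expected_digest, rng=os.urandom):
        self.firmware, self.expected_digest, self.rng = firmware, expected_digest, rng
        self.state = State.POWER_UP
        self._last_block = None

    def power_up(self):
        """Power-up self-tests: firmware integrity check, then an algorithm KAT."""
        self.state = State.SELF_TEST
        integrity_ok = hashlib.sha256(self.firmware).hexdigest() == self.expected_digest
        kat_ok = hashlib.sha256(b"abc").hexdigest() == SHA256_ABC
        self.state = State.OPERATIONAL if integrity_ok and kat_ok else State.CRITICAL_ERROR
        return self.state

    def random_bytes(self):
        """CRNGT: the first 16-byte block after power-up is held back; any later block equal to its predecessor is a failure."""
        if self.state is not State.OPERATIONAL:
            return None  # no cryptographic services outside the operational state
        if self._last_block is None:
            self._last_block = self.rng(16)
        block = self.rng(16)
        if block == self._last_block:
            self.state = State.CRITICAL_ERROR
            return None
        self._last_block = block
        return block

    def reboot(self):
        """Crypto Officer reboot: the only way out of Critical Error."""
        self._last_block = None
        self.state = State.POWER_UP
        return self.power_up()
```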
- FIPS Finite State Model - The following diagram demonstrates the states and state transitions that occur within the SBC:
The ability to change the FIPS 140-2 mode is reserved for users with Administrator permissions; Administrator is a role in the SBC that may be assigned to a Crypto Officer in a FIPS-compliant system.
- Configuration database encryption key regeneration support - The System Administrator can cause the encryption keys used to protect sensitive information in the configuration database to be regenerated.
Enabling FIPS-140-2 mode
FIPS-compliant operating mode is a mode of system operation that is fully compliant with FIPS 140-2 at security level 1+. Putting the system in FIPS 140-2 operating mode requires enabling the fips-140-2 mode parameter as well as configuring other parameters. To set the FIPS mode to enabled via the CLI after logging in, the Administrator must execute the following commands:
Per the FIPS 140-2 standard, Critical Security Parameters (CSPs) cannot be transferred from non-FIPS to FIPS mode. So, after enabling FIPS mode, the Operator must install new TLS certificates for EMA/PM to be operational. Sonus recommends that current encrypted parameters be backed up in plaintext, if possible, and that a full configuration backup be performed immediately after this action has completed successfully.
On the SBC main screen, go to Administration > Users and Application Management > Fips-140-2. The Fips-140-2 window is displayed.
Users and Application Management - Fips-140-2
Parameter | Description |
---|---|
Mode | Once fips-140-2 mode has been enabled, it cannot be 'disabled' through configuration. A fresh software install that discards all prior state is required to set the FIPS-140-2 mode to 'disabled'. The options are: enabled, disabled (default). |