User guide
Enabling the FIPS mode Logging Into the Switch
page 1-20 OmniSwitch AOS Release 8 Switch Management Guide May 2014
• The FIPS mode is enabled/disabled only with a reboot of the switch.
The SNMPv3 module as well as all switch management protocols such as SFTP, HTTP, SSH, and SSL
use the FIPS 140-2 compliant encryption algorithms.
FIPS Specifications
Quick Steps for Configuring FIPS mode
Prior to enabling the FIPS mode of communication, complete the following prerequisites.
• The SSH/SFTP/SSL/SNMPv3 clients should support the secure FIPS standard cryptographic
algorithms to communicate with an OmniSwitch device in FIPS mode.
• SNMPv3 communications in the FIPS mode support SHA+AES. Session establishment with MD5 or
DES should be rejected.
• User-specific certificates/keys have to be generated using FIPS-compliant cryptographic
algorithms. There are no checks in the OpenSSL module to verify the FIPS compliance of the
certificates/keys in the flash.
• When takeover happens, management sessions with the old Primary will be disconnected. The user will
have to reconnect to the new Primary.
The following procedure is used to configure the FIPS mode on the switch:
1 Enable the FIPS mode on an OmniSwitch using the following command.
-> system fips admin-state enable
WARNING: FIPS Admin State only becomes Operational after write memory and reload
2 Reboot the system. A reconfirmation message is displayed. Type “Y” to confirm the reload.
-> reload from working no rollback-timeout
-> Confirm Activate (Y/N) : y
3 Use the show system fips command to view the configured and running status of the FIPS mode on the switch.
-> show system fips
Admin State: Enabled
Oper State: Enabled
4 Disable insecure management interfaces such as Telnet/FTP manually after FIPS mode is enabled to
achieve a completely secure device.
5 Configure a user-id and password.
-> user snmpadmin password trustsha+aes sha+aes
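A post-change check for steps 3 and 4 and the SNMPv3 prerequisite above, written as an added example (not part of the original guide or any Alcatel-Lucent tooling). It parses show system fips output in the format shown in step 3; the service list and the user-to-algorithm mapping are hypothetical inventory inputs, and the "Disabled" value in the sample is an assumption.

```python
import re

# Constructed sample in the format shown in step 3, as it might look after
# step 1 but before the reload. The "Disabled" value is an assumption.
SAMPLE_PENDING = """\
-> show system fips
Admin State: Enabled
Oper State: Disabled
"""

INSECURE_SERVICES = {"telnet", "ftp"}  # step 4: disable these manually
WEAK_SNMP_ALGS = {"md5", "des"}        # prerequisite: MD5/DES not accepted

def parse_fips_state(output):
    """Return {'admin': bool, 'oper': bool} from 'show system fips' output."""
    pairs = re.findall(r"^[ \t]*(Admin|Oper) State:[ \t]*(\w+)[ \t\r]*$",
                       output, re.M | re.I)
    state = {key.lower(): value.lower() == "enabled" for key, value in pairs}
    missing = {"admin", "oper"} - state.keys()
    if missing:
        raise ValueError(f"fields not found in output: {sorted(missing)}")
    return state

def audit(fips_output, enabled_services, snmp_users):
    """Return a list of findings; an empty list means every check passed.

    enabled_services: management service names (hypothetical inventory input).
    snmp_users: {user: "auth+priv"}, e.g. {"snmpadmin": "sha+aes"}.
    """
    findings = []
    state = parse_fips_state(fips_output)
    if not state["admin"]:
        findings.append("FIPS admin state is not enabled")
    elif not state["oper"]:
        # Matches the CLI warning: operational only after write memory and reload.
        findings.append("FIPS admin state enabled but not operational; reload pending")
    active = {name.lower() for name in enabled_services}
    for svc in sorted(INSECURE_SERVICES & active):
        findings.append(f"insecure management service enabled: {svc}")
    for user, algs in sorted(snmp_users.items()):
        weak = WEAK_SNMP_ALGS & set(algs.lower().split("+"))
        if weak:
            findings.append(f"SNMPv3 user {user} uses {'+'.join(sorted(weak))}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_PENDING, ["ssh", "telnet"], {"snmpadmin": "sha+aes"}):
        print("FINDING:", line)
```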
Client               To access an OmniSwitch in FIPS mode, a FIPS-supported client is required. For example, Absolute Telnet.
Platforms Supported  OmniSwitch 6860, 6860E
Access types         SSH, SFTP, HTTP, SNMPv3