Setup Guide
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port.
Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual
terminal session are denied.
When you enable FIPS mode, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP le transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.
– If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only.
– If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair
using the crypto key generate command.
NOTE: Under certain unusual circumstances, it is possible for the fips enable command to indicate a failure.
• This failure occurs if any of the self-tests fail when you enable FIPS mode.
• This failure occurs if there were existing SSH/Telnet sessions that could not be closed successfully in a reasonable amount of time.
In general, this failure can occur if a user at a remote host is in the process of establishing an SSH session to the local system, and
has been prompted to accept a new host key or to enter a password, but is not responding to the request. Assuming this failure is a
transient condition, attempting to enable FIPS mode again should be successful.
To enable FIPS mode, use the following command.
• Enable FIPS mode from a console port.
CONFIGURATION
fips mode enable
The following warning message displays:
WARNING: Enabling FIPS mode will close all SSH/Telnet connections, restart those servers, and
destroy all configured host keys. Proceed (y/n) ?
Generating Host-Keys
The following describes hot-key generation.
When you enable or disable FIPS mode, the system deletes the current public/private host-key pair, terminates any SSH sessions that are
in progress (deleting all the per-session encryption key information), actually enables/tests FIPS mode, generates new host-keys, and re-
enables the SSH server (assuming it was enabled before enabling FIPS).
For more information, refer to the SSH Server and SCP Commands section in the Security chapter of the Dell EMC Networking OS
Command Line Reference Guide.
Monitoring FIPS Mode Status
To view the status of the current FIPS mode (enabled/disabled), use the following commands.
• Use either command to view the status of the current FIPS mode.
show fips status
show system
FIPS Cryptography
301