FIPS Operation

This chapter describes how to use the Secure Content Accelerator in FIPS Mode for FIPS 140-2-compliant operation. This chapter contains the following sections:

FIPS Capabilities

The Secure Content Accelerator configuration manager is used in FIPS-Compliant Mode ("FIPS Mode") to create and configure FIPS-compliant servers. When operating in FIPS Mode, the Secure Content Accelerator supports FIPS-compliant security. Among the FIPS-compliant features of the Secure Content Accelerator are the following:


Caution   To ensure the security of SSL sessions, you must use your own keys and certificates. The default keys and certificates preloaded on the device are intended for testing purposes only.

Using FIPS Mode

FIPS Mode acts as a filtering system, allowing only FIPS Level 2-compliant SSL objects to be used for data transfer. Entering FIPS Mode is a two-step process: starting the FIPS Mode process and rebooting the device in FIPS Mode.

    1. Connect to the device using a serial management session and enter Privileged Mode.

    SCA> enable
    SCA#

    2. Enable FIPS operation.

    SCA# fips enable

    3. A caution is displayed. Read the text carefully before replying to it.

    Enabling FIPS mode will cause a restart of the device.
    Entering FIPS mode will also change the behavior of the device.
    Only FIPS-approved algorithms are supported.
    Only FIPS-compliant servers can be used.
    Management is available only via the serial console.
    Passwords must be at least eight characters long.
    Firmware signature verification is enabled.
    Some commands are not supported.
    Are you sure you want to do this? (y/n) [n]

    4. The Secure Content Accelerator checks access- and enable-level passwords previously set, if any. The display reflects the state of current passwords:

      You need to provide an access-level password of at least 8 characters.
      Enter new password:
      Confirm password:
      You need to provide an enable-level password of at least 8 characters.
      Enter new password:
      Confirm new password:
      Your current access-level password is not valid for FIPS mode.
      You need to provide an access-level password of at least 8 characters.
      Enter new password:
      Confirm password:
      Your current enable-level password is not valid for FIPS mode.
      You need to provide an access-level password of at least 8 characters.
      Enter new password:
      Confirm password:

    5. The device reboots and enters FIPS Mode. Enter the access-level password to control the device.

    Enter the access-level password:

Caution   If you cannot remember the passwords, you will not be able to view device status and statistics or configure the device. The only option is to use the "FailSafe" password as described in "Factory Default Reset Password" section. All configuration will be lost!

    6. Use the enable-level password to enter Privileged Mode.

    Enter the enable-level password:

Creating a Server in FIPS Mode

Creating and configuring server operations in FIPS Mode are nearly identical to those in normal operational modes. The differences are the following:

Follow the steps below to create a FIPS-compliant server.

    1. Connect to the Secure Content Accelerator using a serial management session, and enter Privileged, Configuration, and SSL Modes. Create a secure server named mySecServ.

    [FIPS] SCA> enable
    [FIPS] SCA# config
    [FIPS] config[SCA]# ssl
    [FIPS] ssl-config[SCA]# server mySecServ create
    [FIPS] ssl-server[mySecServ]#>

    2. Assign an IP address, key, certificate, and FIPS-compliant security policy.

    [FIPS] ssl-server[mySecServ]#> ip address 10.1.114.30
    [FIPS] ssl-server[mySecServ]#> key myOwnKey
    [FIPS] ssl-server[mySecServ]#> cert myOwnCert
    [FIPS] ssl-server[mySecServ]#> secpolicy fips
    [FIPS] ssl-server[mySecServ]#>

    3. Exit to Top Level Mode.

    [FIPS] ssl-server[mySecServ]#> finished
    [FIPS] SCA#

You can create a security policy containing only the FIPS-approved algorithm you want to use. The following example demonstrates creating a security policy containing only the 3DES/SHA algorithm and editing a secure server to use the new user-defined security policy rather than the FIPS security policy.

    1. Connect to the Secure Content Accelerator using a serial management session, and enter Privileged, Configuration, and SSL Modes. Create a security policy named myFIPS.

    [FIPS] SCA> enable
    [FIPS] SCA# config
    [FIPS] config[SCA]# ssl
    [FIPS] ssl-config[SCA]# secpolicy myFIPS create
    [FIPS] ssl-secpolicy[myFIPS]#>

    2. Specify the 3DES/SHA cryptographic algorithm, and return to SSL Configuration Mode.

    [FIPS] ssl-secpolicy[myFIPS]#> crypto DES-CBC3-SHA
    [FIPS] ssl-secpolicy[myFIPS]#> exit
    [FIPS] ssl-config[SCA]#>

    3. Enter Server Configuration Mode to edit the configuration of the server mySecServ to use the myFIPS security policy rather than the previously specified FIPS security policy.

    [FIPS] ssl-config[SCA]#> server mySecServ
    [FIPS] ssl-server[mySecServ]#> secpolicy myFIPS
    [FIPS] ssl-server[mySecServ]#>

    4. Exit to Top Level Mode.

    [FIPS] ssl-server[mySecServ]# finished
    [FIPS] SCA#

Command Changes

When the device is operated in FIPS Mode, some commands are unavailable or behave differently than in normal operating modes.

Unavailable Commands

Commands that are unavailable in FIPS Mode are shown in Table 6-1, below.


Table 6-1: Commands Unavailable in FIPS Mode (by operational mode)

Top Level Mode
    attach, attach ip, discover, group, show device list, show group, show profile, show remote-management, show telnet, show web-mgmt, write file

Group Configuration Mode
    Group Configuration Mode is unavailable.

Configuration Mode
    remote-management access-list, remote-management enable, remote-management encryption, remote-management port, remote-management shared-secret, telnet access-list, telnet enable, telnet port, web-mgmt access-list, web-mgmt enable, web-mgmt port

Differing Command Behaviors

Some commands behave differently while the Secure Content Accelerator is in FIPS Mode. These commands and notes about their usage are presented in Table 6-2, below.


Table 6-2: FIPS Mode Command Changes (by mode; each command is followed by its usage notes)

Top Level Mode

    show device
        Settings are not displayed for telnet, remote access, and Web management. The device type area indicates the Secure Content Accelerator is in FIPS Mode.

        When the Secure Content Accelerator is removed from FIPS Mode, all settings existing before entering FIPS Mode are retained with the exception of changes made while in FIPS Mode.

    show ssl
        SSL information includes objects that are not FIPS-compliant, such as security policies other than FIPS or those containing non-FIPS-compliant algorithms.

    show ssl secpolicy
        Information can be shown for individual, non-FIPS-compliant security policies.

    show ssl server
        Information can be shown for all servers. All non-FIPS-compliant servers are disabled by default in FIPS Mode and cannot be enabled.

    quick-start
        When using the QuickStart wizard to create a server, only the FIPS security policy is available. When using the QuickStart wizard to configure an existing server, only FIPS-compliant servers can be configured and only the FIPS security policy is available.

Configuration Mode

    access-list
        You can create access lists while in FIPS Mode. However, because remote, telnet, and GUI management methods are unavailable in FIPS Mode, the access lists assigned to those subsystems cannot be used. These access lists are available when the device is returned to normal operation. Access lists can be assigned to the SNMP subsystem while in FIPS Mode.

    password
        FIPS Mode passwords must be at least eight characters in length and are limited to a character set containing the alphabet, Arabic numerals, period (.), hyphen (-), underscore (_), and !@#$%^&*+=[]{};:<>?~ .

Backend Server Configuration Mode

    secpolicy
        You can only assign the FIPS security policy or a user-defined security policy containing FIPS-approved algorithms. The completer for this command lists only security policies with FIPS-approved algorithms.

Reverse-Proxy Server Configuration Mode

    secpolicy
        You can only assign the FIPS security policy or a user-defined security policy containing FIPS-approved algorithms. The completer for this command lists only security policies with FIPS-approved algorithms.

Security Policy Configuration Mode

    crypto
        You can create only security policies containing FIPS-approved algorithms: DES-CBC-SHA and/or DES-CBC3-SHA.

Server Configuration Mode

    secpolicy
        You can only assign the FIPS security policy or a user-defined security policy containing FIPS-approved algorithms. The completer for this command lists only security policies with FIPS-approved algorithms.
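As an added example (not from the Cisco documentation or the device firmware), the following Python script pre-checks two rules this chapter states before a device is switched into FIPS Mode: whether each server's security policy contains only the FIPS-approved algorithms listed under the crypto command in Table 6-2 (a server on any other policy is disabled once FIPS Mode starts), and whether a password meets the FIPS Mode length and character-set rule. The CLI lines it reads are constructed in the syntax shown in the "Creating a Server in FIPS Mode" procedure; the parser, the function names and the RC4-MD5 suite used as a non-approved example are assumptions.

```python
import re

# Ciphers the chapter lists as FIPS-approved for the crypto command.
FIPS_CIPHERS = {"DES-CBC-SHA", "DES-CBC3-SHA"}
# Password rule from Table 6-2: 8+ chars drawn from letters, digits,
# period, hyphen, underscore and !@#$%^&*+=[]{};:<>?~ (nothing else).
PASSWORD_RE = re.compile(r"[A-Za-z0-9._\-!@#$%^&*+=\[\]{};:<>?~]{8,}")


def password_ok(pw):
    """True if pw satisfies the FIPS Mode password rule."""
    return PASSWORD_RE.fullmatch(pw) is not None


def parse_cli(lines):
    """Replay SSL-mode CLI lines (constructed, SCA-style) into policies and servers.
    Returns (policies: name -> set of ciphers, servers: name -> policy name)."""
    policies = {"fips": set(FIPS_CIPHERS)}  # the built-in FIPS policy
    servers = {}
    current = None  # ("policy" | "server", name) for the mode we are in
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        if words[0] == "secpolicy" and current and current[0] == "server":
            servers[current[1]] = words[1]            # assign policy to server
        elif words[0] == "secpolicy":                 # create or edit a policy
            current = ("policy", words[1])
            policies.setdefault(words[1], set())
        elif words[0] == "server":                    # create or edit a server
            current = ("server", words[1])
            servers.setdefault(words[1], None)
        elif words[0] == "crypto" and current and current[0] == "policy":
            policies[current[1]].update(words[1:])
        elif words[0] in ("exit", "finished"):
            current = None
    return policies, servers


def fips_audit(lines):
    """name -> True if the server's policy is non-empty and all-FIPS-approved."""
    policies, servers = parse_cli(lines)
    out = {}
    for name, pol in servers.items():
        ciphers = policies.get(pol, set())
        out[name] = bool(ciphers) and ciphers <= FIPS_CIPHERS
    return out


# Constructed sample: the page's two procedures plus one non-compliant server.
SAMPLE = [
    "secpolicy myFIPS create", "crypto DES-CBC3-SHA", "exit",
    "secpolicy weak create", "crypto RC4-MD5", "exit",   # RC4-MD5: constructed non-FIPS suite
    "server mySecServ create", "ip address 10.1.114.30", "key myOwnKey",
    "cert myOwnCert", "secpolicy fips", "finished",
    "server legacy create", "secpolicy weak", "finished",
    "server mySecServ", "secpolicy myFIPS", "finished",
]
```

Running `fips_audit(SAMPLE)` reports mySecServ as compliant and legacy as a server that FIPS Mode would disable.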

Returning to Normal Operation

Follow these steps to return the Secure Content Accelerator to normal operation.

    1. Connect to the device using a serial management session and enter Privileged Mode.

    [FIPS] SCA> enable
    [FIPS] SCA#

    2. Disable FIPS operation.

    [FIPS] SCA# no fips enable

    3. Press y when prompted to reboot the Secure Content Accelerator. After the device reboots, you are prompted for the access-level password. When the password is accepted, the "[FIPS]" portion of the prompt is removed, reflecting normal operation of the Secure Content Accelerator.

More Information

For more information about the NIST Cryptographic Module Validation Program, see http://csrc.nist.gov/cryptval/cmvp.htm.

Posted: Wed Aug 21 02:07:49 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.