Prerequisites for Configuring FIPS
Install and activate the asr9k-k9sec-px.pie file.
Note |
From Cisco IOS XR Software Release 7.0.1 and later, you need not install the asr9k-k9sec-px.pie, because the functionality is available in the base image itself. |
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Guidelines for Enabling FIPS Mode
From Cisco IOS XR Software Release 6.7.2 and later, you must follow these guidelines while enabling FIPS mode:
-
You must configure the session with a FIPS-approved cryptographic algorithm. A session configured with non-approved cryptographic algorithm for FIPS (such as, MD5 and HMAC-MD5 ) does not work. This is applicable for OSPF, BGP, RSVP, ISIS, or any application using key chain with non-approved cryptographic algorithm, and only for FIPS mode (that is, when crypto fips-mode is configured).
-
If you are using any HMAC-SHA algorithm for a session, then you must ensure that the configured key-string has a minimum length of 14 characters. Otherwise, the session goes down. This is applicable only for FIPS mode.
-
If you try to execute the telnet configuration on a system where the FIPS mode is already enabled, then the system rejects the telnet configuration.
-
If telnet configuration already exists on the system, and if FIPS mode is enabled later, then the system rejects the telnet connection. But, it does not affect the telnet configuration as such.
-
It is recommended to configure the crypto fips-mode command first, followed by the commands related to FIPS in a separate commit. The list of commands related to FIPS with non-approved cryptographic algorithms are:
-
key chain key-chain-name key key-id cryptographic-algorithm MD5
-
key chain key-chain-name key key-id cryptographic-algorithm HMAC-MD5
-
router ospfv3 1 authentication ipsec spi 256 md5 md5-value
-
router ospfv3 1 encryption ipsec spi 256 esp des des-value
-
router ospfv3 1 encryption ipsec spi 256 esp des des-value authentication md5 md5-value
-
snmp-server user username usergroup-name v3 auth md5 priv des56
-
ssh server algorithms key-exchange diffie-hellman-group1-sha1
-
telnet vrf default ipv4 server max-servers server-limit
-