Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 5.1.x
Configuring FIPS Mode
Downloads: This chapterpdf (PDF - 1.3MB) The complete bookPDF (PDF - 3.6MB) | Feedback

Configuring FIPS Mode

Configuring FIPS Mode

The Federal Information Processing Standard (FIPS) 140-2 is an U.S. and Canadian government certification standard that defines requirements that the cryptographic modules must follow. The FIPS specifies best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.

In Cisco IOS XR software, these applications are verified for FIPS compliance:

  • Secure Shell (SSH)
  • Secure Socket Layer (SSL)
  • Transport Layer Security (TLS)
  • Internet Protocol Security (IPSec) for Open Shortest Path First version 3 (OSPFv3)
  • Simple Network Management Protocol version 3 (SNMPv3)

For more information about the Configuring FIPS feature, see the Configuring FIPS Mode module in the Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide. For complete command reference of FIPS commands, see the FIPS Commands chapter in the Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference

Prerequisites for Configuring FIPS

Install and activate the asr9k-k9sec-px.pie file.

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.

If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Installing and Activating the PIE

The Package Installation Envelope (PIE) files, are installable software files with the .pie extension. PIE files are used to copy one or more software components onto the router. A PIE may contain a single component, a group of components (called a package), or a set of packages (called a composite package).

Use the show install committed command in EXEC mode to verify the committed software packages.

You must install and activate the asr9k-k9sec-px.pie file to configure FIPS. To install and activate the PIE, download the asr9k-k9sec-px.pie to a TFTP server.

For more information about installing PIEs, refer to Upgrading and Managing Cisco IOS XR Software section of the Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide.

SUMMARY STEPS

    1.    admin

    2.    install add tftp://<IP address of tftp server>/<location of pie on server>

    3.    install activate device:package

    4.    install commit

    5.    exit

    6.    show install committed


DETAILED STEPS
     Command or ActionPurpose
    Step 1 admin


    Example:
    RP/0/RSP0/CPU0:router# admin 
     

    Enters administration EXEC mode.

     
    Step 2 install add tftp://<IP address of tftp server>/<location of pie on server>


    Example:
    RP/0/RSP0/CPU0:router(admin)# install add tftp://172.201.11.140/auto/tftp-users1/pie/
     

    Copies the contents of a package installation envelope (PIE) file to a storage device.

     
    Step 3 install activate device:package


    Example:
    RP/0/RSP0/CPU0:router(admin)# install activate disk0:asr9k-k9sec-px.pie
     

    Activates the respective package and adds more functionality to the existing software.

     
    Step 4 install commit


    Example:
    RP/0/RSP0/CPU0:router(admin)# install commit
     

    Saves the active software set to be persistent across designated system controller (DSC) reloads.

     
    Step 5exit


    Example:
    RP/0/RSP0/CPU0:router(admin)# exit
     

    Exits from the admin mode.

     
    Step 6show install committed


    Example:
    RP/0/RSP0/CPU0:router# show install committed
     

    Shows the list of the committed software packages.

     

    How to Configure FIPS

    Perform these tasks to configure FIPS.

    Enabling FIPS mode

    Before You Begin

    Refer the Installing and Activating the PIE section for information on installing and activating the image on the router.

    SUMMARY STEPS

      1.    configure

      2.    crypto fips-mode

      3.    Use the commit or end command.

      4.    show logging

      5.    admin

      6.    reload location all


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 configure


      Example:
      RP/0/RSP0/CPU0:router# configure
       

      Enters global configuration mode.

       
      Step 2crypto fips-mode


      Example:
       RP/0/RSP0/CPU0:router(config)#crypto fips-mode 
       

      Enters FIPS configuration mode.

       
      Step 3 Use the commit or end command.  

      commit—Saves the configuration changes and remains within the configuration session.

      end—Prompts user to take one of these actions:
      • Yes— Saves configuration changes and exits the configuration session.
      • No—Exits the configuration session without committing the configuration changes.
      • Cancel—Remains in the configuration mode, without committing the configuration changes.
       
      Step 4show logging


      Example:
       RP/0/RSP0/CPU0:router#show logging
       

      Displays the contents of logging buffers.

      Note    Use the show logging | i fips command to filter FIPS specific logging messages.
       
      Step 5admin


      Example:
       RP/0/RSP0/CPU0:router#admin
       

      Enters into the admin EXEC mode.

       
      Step 6reload location all


      Example:
       RP/0/RSP0/CPU0:router(admin)#reload location all
       

      Reloads a node or all nodes on a single chassis or multishelf system.

       

      Configuring FIPS-compliant Keys

      Perform these steps to configure the FIPS-compliant keys:

      Before You Begin

      Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.

      SUMMARY STEPS

        1.    crypto key generate rsa [usage-keys | general-keys] key label

        2.    crypto key generate dsa

        3.    show crypto key mypubkey rsa

        4.    show crypto key mypubkey dsa


      DETAILED STEPS
         Command or ActionPurpose
        Step 1crypto key generate rsa [usage-keys | general-keys] key label


        Example:
         RP/0/RSP0/CPU0:router#crypto key generate rsa general-keys rsakeypair 
         

        Generate a RSA key pair. Ensure that all the key pairs meet the FIPS requirements. The length of the key can vary from 1024 to 2048 bits.

        The option usage-keys generates separate RSA key pairs for signing and encryption. The option general-keys generates a general-purpose RSA key pair for signing and encryption.

        To delete the RSA key pair, use the crypto key zeroize rsa keypair-label command.

         
        Step 2crypto key generate dsa


        Example:
         RP/0/RSP0/CPU0:router#crypto key generate dsa
         

        Generate a DSA key pair if required. Ensure that all the key pairs meet the FIPS requirements. The length of the key is restricted to1024 bits.

        To delete the DSA key pair, use the crypto key zeroize dsa keypair-label command.

         
        Step 3show crypto key mypubkey rsa


        Example:
         RP/0/RSP0/CPU0:router#show crypto key mypubkey rsa
         

        Displays the existing RSA key pairs

         
        Step 4show crypto key mypubkey dsa


        Example:
         RP/0/RSP0/CPU0:router#show crypto key mypubkey dsa
         

        Displays the existing DSA key pairs

         

        Configuring FIPS-compliant Key Chain

        Perform these steps to configure the FIPS-compliant key chain:

        Before You Begin

        Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.

        SUMMARY STEPS

          1.    configure

          2.    key chain key-chain-name

          3.    key key-id

          4.    cryptographic-algorithm {HMAC-SHA1-20 | SHA-1}

          5.    Use the commit or end command.


        DETAILED STEPS
           Command or ActionPurpose
          Step 1configure


          Example:
           RP/0/RSP0/CPU0:router#configure
           

          Enters the global configuration mode.

           
          Step 2key chain key-chain-name


          Example:
           RP/0/RSP0/CPU0:router(config)#key chain mykeychain
           

          Creates a key chain.

           
          Step 3key key-id


          Example:
           RP/0/RSP0/CPU0:router(config-mykeychain)#key 1
           

          Creates a key in the key chain.

           
          Step 4cryptographic-algorithm {HMAC-SHA1-20 | SHA-1}


          Example:
           RP/0/RSP0/CPU0:router(config-mykeychain-1)#cryptographic-algorithm HMAC-SHA1-20
           

          Configures the cryptographic algorithm for the key chain. Ensure that the key chain configuration always uses SHA-1 as the hash or keyed hash message authentication code (hmac) algorithm.

           
          Step 5 Use the commit or end command.  

          commit—Saves the configuration changes and remains within the configuration session.

          end—Prompts user to take one of these actions:
          • Yes— Saves configuration changes and exits the configuration session.
          • No—Exits the configuration session without committing the configuration changes.
          • Cancel—Remains in the configuration mode, without committing the configuration changes.
           

          Configuring FIPS-compliant Certificates

          Perform these steps to configure the FIPS-compliant certificates:

          Before You Begin

          Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.

          SUMMARY STEPS

            1.    configure

            2.    crypto ca trustpoint ca-name key label

            3.    Use the commit or end command.

            4.    show crypto ca certificates


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 configure


            Example:
            RP/0/RSP0/CPU0:router# configure
             

            Enters global configuration mode.

             
            Step 2crypto ca trustpoint ca-name key label


            Example:
             RP/0/RSP0/CPU0:router(config)#crypto ca trustpoint msiox rsakeypair
             

            Configures the trustpoint by utilizing the desired RSA keys.

            Ensure that the certificates meet the FIPS requirements for key length and signature hash or encryption type.

            Note   

            The minimum key length for RSA or DSA key is 1024 bits. The required hash algorithm is SHA-1-20.

             
            Step 3 Use the commit or end command.  

            commit—Saves the configuration changes and remains within the configuration session.

            end—Prompts user to take one of these actions:
            • Yes— Saves configuration changes and exits the configuration session.
            • No—Exits the configuration session without committing the configuration changes.
            • Cancel—Remains in the configuration mode, without committing the configuration changes.
             
            Step 4show crypto ca certificates


            Example:
             RP/0/RSP0/CPU0:router#show crypto ca certificates
             

            Displays the information about the certificate

             

            Configuring FIPS-compliant OSPFv3

            Perform these steps to configure the FIPS-compliant OSPFv3:

            Before You Begin

            Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.

            SUMMARY STEPS

              1.    configure

              2.    router ospfv3 process name

              3.    area id

              4.    authentication{disable | ipsec spi spi-value sha1 [clear | password] password}

              5.    exit

              6.    encryption{disable | {ipsec spi spi-value esp {3des | aes [192 | 256] [clear |password] encrypt-password} [authentication sha1[clear | password] auth-password]}}

              7.    Use the commit or end command.


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 configure


              Example:
              RP/0/RSP0/CPU0:router# configure
               

              Enters global configuration mode.

               
              Step 2router ospfv3 process name


              Example:
               RP/0/RSP0/CPU0:router(config)#router ospfv3 ospfname
               

              Configures the OSPFv3 process.

               
              Step 3area id


              Example:
               RP/0/RSP0/CPU0:router(config-ospfv3)#area 1
               

              Configures the OSPFv3 area ID. The ID can either be a decimal value or an IP address.

               
              Step 4authentication{disable | ipsec spi spi-value sha1 [clear | password] password}


              Example:
               RP/0/RSP0/CPU0:router(config-ospfv3-ar)#authentication ipsec spi 256 sha1 password pa1
               

              Enables authentication for OSPFv3. Note that the OSPFv3 configuration supports only SHA-1 for authentication.

              Note   

              IPSec is supported only for Open Shortest Path First version 3 (OSPFv3).

               
              Step 5exit


              Example:
               RP/0/RSP0/CPU0:router(config-ospfv3-ar)#exit
               

              Exits OSPFv3 area configuration and enters the OSPFv3 configuration mode.

               
              Step 6encryption{disable | {ipsec spi spi-value esp {3des | aes [192 | 256] [clear |password] encrypt-password} [authentication sha1[clear | password] auth-password]}}


              Example:
               RP/0/RSP0/CPU0:router(config-ospfv3)#encryption ipsec spi 256 esp 3des password pwd
               
              Encrypts and authenticates the OSPFv3 packets. Ensure that the OSPFv3 configuration uses the following for encryption in the configuration.
              • 3DES: Specifies the triple DES algorithm.
              • AES: Specifies the Advanced Encryption Standard (AES) algorithm.

              Ensure that SHA1 is chosen if the authentication option is specified.

               
              Step 7 Use the commit or end command.  

              commit—Saves the configuration changes and remains within the configuration session.

              end—Prompts user to take one of these actions:
              • Yes— Saves configuration changes and exits the configuration session.
              • No—Exits the configuration session without committing the configuration changes.
              • Cancel—Remains in the configuration mode, without committing the configuration changes.
               

              Configuring FIPS-compliant SNMPv3 Server

              Perform these steps to configure the FIPS-compliant SNMPv3 server:

              Before You Begin

              Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.

              SUMMARY STEPS

                1.    configure

                2.    snmp-server user username groupname {v3 [ auth sha {clear | encrypted} auth-password [priv {3des |aes { 128 | 192 | 256} } {clear | encrypted } priv-password]] } [SDROwner | SystemOwner] access-list-name

                3.    Use the commit or end command.


              DETAILED STEPS
                 Command or ActionPurpose
                Step 1 configure


                Example:
                 RP/0/RSP0/CPU0:router#configure
                 

                Enters the global configuration mode.

                 
                Step 2 snmp-server user username groupname {v3 [ auth sha {clear | encrypted} auth-password [priv {3des |aes { 128 | 192 | 256} } {clear | encrypted } priv-password]] } [SDROwner | SystemOwner] access-list-name


                Example:
                 RP/0/RSP0/CPU0:router(config)#snmp-server user user1 g v3 auth sha clear pass priv aes 128 clear privp
                 

                Configures the SNMPv3 server.

                 
                Step 3 Use the commit or end command.  

                commit—Saves the configuration changes and remains within the configuration session.

                end—Prompts user to take one of these actions:
                • Yes— Saves configuration changes and exits the configuration session.
                • No—Exits the configuration session without committing the configuration changes.
                • Cancel—Remains in the configuration mode, without committing the configuration changes.
                 

                Configuring FIPS-compliant SSH Client and Server

                Perform these steps to configure the FIPS-compliant SSH Client and the Server:

                Before You Begin

                Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.

                SUMMARY STEPS

                  1.    ssh {ipv4-address | ipv6-address} cipher aes {128-CBC | 192-CBC | 256-CBC} username username

                  2.    configure

                  3.    ssh server v2

                  4.    Use the commit or end command.


                DETAILED STEPS
                   Command or ActionPurpose
                  Step 1 ssh {ipv4-address | ipv6-address} cipher aes {128-CBC | 192-CBC | 256-CBC} username username


                  Example:
                   RP/0/RSP0/CPU0:router#ssh 10.1.2.3 cipher aes 128-CBC username user1
                   

                  Configures the SSH client. Ensure that SSH client is configured only with the FIPS-approved ciphers. AES(Advanced Encryption Standard)-CBC (Cipher Block Chaining) is the FIPS-compliant cipher algorithm with key lengths of 128, 192 and 256 bits.

                   
                  Step 2 configure


                  Example:
                  RP/0/RSP0/CPU0:router# configure
                   

                  Enters global configuration mode.

                   
                  Step 3 ssh server v2


                  Example:
                   RP/0/RSP0/CPU0:router(config)#ssh server v2
                   

                  Configures the SSH server.

                   
                  Step 4 Use the commit or end command.  

                  commit—Saves the configuration changes and remains within the configuration session.

                  end—Prompts user to take one of these actions:
                  • Yes— Saves configuration changes and exits the configuration session.
                  • No—Exits the configuration session without committing the configuration changes.
                  • Cancel—Remains in the configuration mode, without committing the configuration changes.
                   

                  Configuration Examples for Configuring FIPS

                  This section provides examples for configuring FIPS.

                  Configuring FIPS: Example

                  This example shows how to configure FIPS:

                  RP/0/3/CPU0:SSH#configure
                  RP/0/3/CPU0:SSH(config)#crypto fips-mode
                  RP/0/3/CPU0:SSH(config)#commit
                  RP/0/3/CPU0:SSH(config)#end
                  
                  

                  This example shows the output of show logging command:

                  RP/0/3/CPU0:SSH(config)#crypto fips-mode
                  RP/0/3/CPU0:SSH(config)#commit
                  RP/0/3/CPU0:SSH(config)#end
                  RP/0/3/CPU0:SSH#show logging
                  
                  Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
                      Console logging: level debugging, 60 messages logged
                      Monitor logging: level debugging, 0 messages logged
                      Trap logging: level informational, 0 messages logged
                      Buffer logging: level debugging, 3 messages logged
                   
                  Log Buffer (9000000 bytes):
                  <output omitted>
                   
                  Log Buffer (307200 bytes):
                  
                  RP/0/RSP0/CPU0:Apr 16 12:48:17.736 : cepki[433]: The configuration setting for FIPS mode has been modified. The system must be reloaded to finalize this configuration change. Please refer to the IOS XR System Security Configuration Guide, Federal Information Process Standard(FIPS) Overview section when modifying the FIPS mode setting. 
                  RP/0/RSP0/CPU0:Apr 16 12:48:17.951 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT :
                  Configuration committed by user 'lab'. Use 'show configuration commit changes 1000000002' to view the changes. 
                  RP/0/RSP0/CPU0:Apr 16 12:48:23.988 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by lab 
                  
                  
                  ....
                  ....
                  ....