-
CSS 11000 SCA/SCA2 Version 4.0
-
Release Note for the Cisco 11000 Series Secure Content Accelerator: SCA2
-
Cisco CSS 11000 Secure Content Accelerator Configuration Guide Index (Software Version 4.0.0)
-
About This Guide
-
Using the QuickStart Wizard
-
Using the Configuration Manager
-
Graphical User Interface Reference
-
FIPS Operation
-
Specifications
-
Deployment Examples
-
Troubleshooting
-
SSL Introduction
-
Regulatory Information
-
Glossary
-
Table of Contents
FIPS OperationFIPS Operation
This chapter describes how to use the Secure Content Accelerator in FIPS Mode for FIPS 140-2-compliant operation. This chapter contains the following sections:
FIPS Capabilities
The Secure Content Accelerator configuration manager is used in FIPS-Compliant Mode ("FIPS Mode") to create and configure FIPS-compliant servers. When operating in FIPS Mode, the Secure Content Accelerator supports FIPS-compliant security. Among the FIPS-compliant features of the Secure Content Accelerator are the following:
- Only FIPS-approved algorithms are supported (DES and 3DES with SHA).
- A server using any other algorithms is disabled in FIPS Mode and cannot be used or configured.
- Only FIPS-compliant servers can be used when the device is operated in FIPS Mode. Non-FIPS 104-2-compliant servers can be configured for compliance.
- Management is available only via a serial connection.
- Passwords at least eight characters in length are required at both access and configuration levels.
- Commands that do not support FIPS-compliant security measures are disabled in FIPS Mode.
- The command prompt contains the text "[FIPS]" to indicate the device is operating in FIPS Mode.
 |
Caution To ensure the security of SSL sessions, you must use your own keys and certificates. The default keys and certificates preloaded on the device are intended for testing purposes only. |
Using FIPS Mode
FIPS Mode acts as a filtering system, allowing only FIPS Level 2-compliant SSL objects to be used for data transfer. Entering FIPS Mode is a two-step process: starting the FIPS Mode process and rebooting the device in FIPS Mode.
1. Connect to the device using a serial management session and enter Privileged Mode.
SCA> enable SCA#
2. Enable FIPS operation.
SCA# fips enable
3. A caution is displayed. Read the text carefully before replying to it.
Enabling FIPS mode will cause a restart of the device.
Entering FIPS mode will also change the behavior of the device.
Only FIPS-approved algorithms are supported.
Only FIPS-compliant servers can be used.
Management is available only via the serial console.
Passwords must be at least eight characters long.
Firmware signature verification is enabled.
Some commands are not supported.
Are you sure you want to do this? (y/n) [n]
4. The Secure Content Accelerator checks access- and enable-level passwords previously set, if any. The display reflects the state of current passwords:
 |
Note FIPS Mode passwords must be at least eight characters in length and are limited to a character set containing the alphabet, Arabic numerals, period (.), hyphen (-), underscore (_), and !@#$%^&*+=[]{};:<>?~ . |
a. If no passwords had been set previously, this text is displayed:
You need to provide an access-level password of at least 8 characters.
Enter new password:
Confirm password: You need to provide an enable-level password of at least 8 characters.
Enter new password:
Confirm new password:
|
Note Passwords are not echoed to the screen. These passwords are not FIPS-specific and are prompted for when the device is used in normal operation. |
b. If the previously set access-level password is not appropriate for FIPS Mode operation, the following text is displayed:
Your current access-level password is not valid for FIPS mode.
You need to provide an access-level password of at least 8 characters.
Enter new password:
Confirm password:
c. If the previously set enable-level password is not appropriate for FIPS Mode operation, the following text is displayed:
Your current enable-level password is not valid for FIPS mode.
You need to provide an access-level password of at least 8 characters.
Enter new password:
Confirm password:
d. If both the previously set access- and enable-level passwords are valid for FIPS Mode operation, no additional text is displayed.
5. The device reboots and enters FIPS Mode. Enter the access-level password to control the device.
Enter the access-level password:
6. Use the enable-level password to enter Privileged Mode.
Enter the enable-level password:
Creating a Server in FIPS Mode
Creating and configuring server operations in FIPS Mode are nearly identical to those in normal operational modes. The differences are the following:
- Only the FIPS security policy and security policies containing FIPS-approved algorithms can be used
- Only FIPS-compliant servers can be used for data transfer (non-FIPS-compliant servers can be edited for FIPS compliance)
Follow the steps below to create a FIPS-compliant server.
1. Connect to the Secure Content Accelerator using a serial management session, and enter Privileged, Configuration, and SSL Modes. Create a secure server named mySecServ.
[FIPS] SCA> enable [FIPS] SCA# config [FIPS] config[SCA]# ssl [FIPS] ssl-config[SCA]# server mySecServ create [FIPS] ssl-server[mySecServ]#>
2. Assign an IP address, key, certificate, and FIPS-compliant security policy.
[FIPS] ssl-server[mySecServ]#> ip address 10.1.114.30 [FIPS] ssl-server[mySecServ]#> key myOwnKey [FIPS] ssl-server[mySecServ]#> cert myOwnCert [FIPS] ssl-server[mySecServ]#> secpolicy fips [FIPS] ssl-server[mySecServ]#>
3. Exit to Top Level Mode.
[FIPS] ssl-server[mySecServ]#> finished [FIPS] SCA#
You can create a security policy containing only the FIPS-approved algorithm you want to use. The following example demonstrates creating a security policy containing on the 3DES/SHA algorithm and editing a secure server to use the new user-defined security policy rather than the FIPS security policy.
1. Connect to the Secure Content Accelerator using a serial management session, and enter Privileged, Configuration, and SSL Modes. Create a security policy named myFIPS.
[FIPS] SCA> enable [FIPS] SCA# config [FIPS] config[SCA]# ssl [FIPS] ssl-config[SCA]# secpolicy myFIPS create [FIPS] ssl-secpolicy[myFIPS]#>
2. Specify the 3DES/SHA cryptographic algorithm, and return to SSL Configuration Mode.
[FIPS] ssl-secpolicy[myFIPS]#> crypto DES-CBC3-SHA [FIPS] ssl-secpolicy[myFIPS]#> exit [FIPS] ssl-config[SCA]#>
3. Enter Server Configuration Mode to edit the configuration of the server mySecServ to use the myFIPS security policy rather than the previously specified FIPS security policy.
[FIPS] ssl-config[SCA]#> server mySecServ [FIPS] ssl-server[mySecServ]#> secpolicy myFIPS [FIPS] ssl-server[mySecServ]#>
4. Exit to Top Level Mode.
[FIPS] ssl-server[mySecServ]# finished [FIPS] SCA#
Command Changes
When the device is operated in FIPS Mode, some commands are unavailable or behave differently than in normal operating modes.
Unavailable Commands
Commands are unavailable in FIPS Mode are shown in Table 6-1, below.
Table 6-1: Commands Unavailable in FIPS Mode
| Operational Mode | Command |
|---|---|
|
Top Level Mode |
attach, attach ip, discover, group, show device list, show group, show profile, show remote-management, show telnet, show web-mgmt, write file |
|
Group Configuration Mode |
Group Configuration Mode is unavailable. |
|
Configuration Mode |
remote-management access-list, remote-management enable, remote-management encryption, remote-management port, remote-management shared-secret, telnet access-list, telnet enable, telnet port, web-mgmt access-list, web-mgmt enable, web-mgmt port |
Differing Command Behaviors
Some commands behave differently while the Secure Content Accelerator is in FIPS Mode. These commands and notes about their usage are presented in Table 6-2, below.
Table 6-2: FIPS Mode Command Changes
| Mode | Command | Notes |
|---|---|---|
|
Top Level Mode |
show device |
Settings are not displayed for telnet, remote access, and Web management. The device type area indicates the Secure Content Accelerator is in FIPS Mode. When the Secure Content Accelerator is removed from FIPS Mode, all settings existing before entering FIPS Mode are retained with the exception of changes made while in FIPS Mode. |
|
show ssl |
SSL information includes objects that are not FIPS-compliant, such as security policies other than FIPS or those containing non-FIPS-compliant algorithms. |
|
|
show ssl secpolicy |
Information can be shown for individual, non-FIPS-compliant security policies. |
|
|
show ssl server |
Information can be shown for all servers. All non-FIPS-compliant servers are disabled by default in FIPS Mode and cannot be enabled. |
|
|
quick-start |
When using the QuickStart wizard to create a server, only the FIPS security policy is available. When using the QuickStart wizard to configure an existing server, only FIPS-compliant servers can be configured and only the FIPS security policy is available. |
|
|
Configuration Mode |
access-list |
You can create access lists while in FIPS Mode. However, because remote, telnet, and GUI management methods are unavailable in FIPS Mode, the access lists assigned to those subsystems cannot be used. These access lists are available when the device is returned to normal operation. Access lists can be assigned to the SNMP subsystem while in FIPS Mode. |
|
password |
FIPS Mode passwords must be at least eight characters in length and are limited to a character set containing the alphabet, Arabic numerals, period (.), hyphen (-), underscore (_), and !@#$%^&*+=[]{};:<>?~ . |
|
|
Backend Server Configuration Mode |
secpolicy |
You can only assign the FIPS security policy or a user-defined security policy containing FIPS-approved algorithms.The completer for this command lists only security policies with FIPS-approved algorithms. |
|
Reverse-Proxy Server Configuration Mode |
secpolicy |
You can only assign the FIPS security policy or a user-defined security policy containing FIPS-approved algorithms. The completer for this command lists only security policies with FIPS-approved algorithms. |
|
Security Policy Configuration Mode |
crypto |
You can create only security policies containing FIPS-approved algorithms: DES-CBC-SHA and/or DES-CBC3-SHA. |
|
Server Configuration Mode |
secpolicy |
You can only assign the FIPS security policy or a user-defined security policy containing FIPS-approved algorithms. The completer for this command lists only security policies with FIPS-approved algorithms. |
Returning to Normal Operation
Follow these steps to return the Secure Content Accelerator to normal operation.
1. Connect to the device using a serial management session and enter Privileged Mode.
[FIPS] SCA> enable [FIPS] SCA#
2. Disable FIPS operation.
[FIPS] SCA# no fips enable
3. Press y when prompted to reboot the Secure Content Accelerator. After the device reboots, you are prompted for the access-level password. When the password is accepted, the "[FIPS]" portion of the prompt is removed, reflecting normal operation of the Secure Content Accelerator.
More Information
For more information about the NIST Cryptographic Module Validation Program, see http://csrc.nist.gov/cryptval/cmvp.htm .