This command enables, disables, or displays the status of FIPS 140-2 mode. FIPS 140-2 mode is disabled by default; only an
administrator can enable FIPS.
utils fips {enable | disable | status}
Syntax Description
Parameters   Description
enable       Activates FIPS 140-2 mode.
disable      Deactivates FIPS 140-2 mode.
status       Displays the status of FIPS 140-2 mode.
Command Modes
Administrator (admin:)
Usage Guidelines
Before enabling FIPS mode, we recommend that you perform a system backup. If the FIPS self-checks fail at start-up, the system halts
and must be restored from a recovery CD.
Consider the following information before you enable FIPS 140-2 mode:
- When you switch from non-FIPS to FIPS mode, MD5 and DES will no longer be functional.
- After FIPS mode is enabled on a server, wait until that server reboots and the phones re-register successfully before
enabling FIPS on the next server.
- In FIPS mode, the IM and Presence Service uses Red Hat Openswan (FIPS validated) in place of Racoon (non-FIPS validated). If the security policies in Racoon
contain functions that are not FIPS approved, the CLI command aborts and asks you to redefine the security policies with FIPS-approved
functions.
Note: Certificates and SSH keys are regenerated automatically, in accordance with FIPS requirements.
Consider the following information before you disable FIPS 140-2 mode: In multi-server clusters, each server must be disabled
separately; FIPS mode is not disabled cluster-wide but on a per-server basis.
Consider the following information after you enable FIPS 140-2 mode: If you have a single-server cluster and chose to apply the
"Prepare Cluster for Rollback to pre 8.0" enterprise parameter before enabling FIPS mode, disable this parameter after making
sure that all the phones have registered successfully with the server.
Consider the following information before you enable or disable FIPS 140-2 mode for IM and Presence Service: After you enable or disable FIPS 140-2 mode for IM and Presence Service, the Tomcat certificate is regenerated and the node reboots. The Intercluster Sync Agent syncs the new Tomcat certificate
across the cluster; this can take up to 30 minutes. Until the new Tomcat certificate is synced across the cluster, an IM and Presence Service subscriber node cannot access information from the IM and Presence Service database publisher node. For example, a user who is logged into the Cisco Unified Serviceability GUI on a subscriber node
will not be able to view services on the IM and Presence Service database publisher node. Users will see the following error message until the sync is complete: Connection to server cannot be established (certificate exception)
Requirements
Command privilege level: 0
Allowed during upgrade: No
Applies to: Unified Communications Manager, IM and Presence Service on Unified Communications Manager, and Cisco Unity Connection