FIPS 140-2 Setup
Caution: FIPS mode is only supported on releases that have been through FIPS compliance. Disable FIPS mode before you upgrade to a release of Unified Communications Manager that is not FIPS compliant. For information about which releases are FIPS compliant, and to view their certifications, see the FIPS 140 document at https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html.
FIPS, or Federal Information Processing Standard, is a U.S. and Canadian government certification standard. It defines requirements that cryptographic modules must follow.
Certain versions of Unified Communications Manager are FIPS 140-2 compliant, as validated by the U.S. National Institute of Standards and Technology (NIST). They can operate in FIPS mode at Security Level 1.
When you enable FIPS 140-2 mode, Unified Communications Manager:
- Reboots
- Runs certification self-tests at startup
- Performs the cryptographic module integrity check
- Regenerates the keying material
At this point, Unified Communications Manager operates in FIPS 140-2 mode.
FIPS requirements include the following:
- Performance of startup self-tests
- Restriction to a list of approved cryptographic functions
FIPS mode uses the following FIPS 140-2 Level 1 validated cryptographic modules:
- CiscoSSL 1.0.2n.6.2.194 with FIPS Module CiscoSSL FOM 6_2_0
- CiscoJ 5.2.1
- RSA CryptoJ 6_2_3
- OpenSSH 7.5.9
- Libreswan
- NSS
You can perform the following FIPS-related tasks:
- Enable FIPS 140-2 mode
- Disable FIPS 140-2 mode
- Check the status of FIPS 140-2 mode
Note: If you generate a self-signed certificate or a Certificate Signing Request (CSR) while in FIPS mode, the certificate must be signed with the SHA-256 hash algorithm; SHA-1 cannot be selected.
Enable FIPS 140-2 Mode
Consider the following before you enable FIPS 140-2 mode on Unified Communications Manager:
- When you switch from non-FIPS to FIPS mode, the MD5 and DES algorithms are no longer available.
- In single-server clusters, because certificates are regenerated, you must run the CTL Client or apply the Prepare Cluster for Rollback to pre-8.0 enterprise parameter before you enable FIPS mode. If you do neither, you must manually delete the ITL file after you enable FIPS mode.
- In a cluster, all nodes must be in the same mode, either all FIPS or all non-FIPS. Mixed modes are not allowed; for example, Node A in FIPS mode and Node B in non-FIPS mode is not a supported configuration.
- After you enable FIPS mode on a server, wait until that server has rebooted and the phones have re-registered successfully before you enable FIPS mode on the next server.
Caution: Before you enable FIPS mode, we strongly recommend that you perform a system backup. If the FIPS checks fail at startup, the system halts and must be restored with a recovery CD. Make sure that all cluster nodes are set to the same mode, FIPS or non-FIPS, during deployment; a cluster cannot contain a mix of FIPS and non-FIPS nodes.
Procedure
Step 1: Start a CLI session. For more information, see "Start CLI Session" in the Command Line Interface Reference Guide for Cisco Unified Communications Solutions.
Step 2: In the CLI, enter utils fips enable.
If the cluster security password is shorter than 14 characters, the command fails with the following message:
The cluster security password must be at least 14 characters long before security modes such as FIPS, Common Criteria and Enhanced Security modes can be enabled. Update the cluster security password using the 'set password user security' CLI command on all nodes and retry this command.
**********************************************************************************
Executed command unsuccessfully
If the cluster security password is at least 14 characters long, the following prompt appears:
Security Warning: The operation will regenerate certificates for
1)CallManager
2)Tomcat
3)IPsec
4)TVS
5)CAPF
6)SSH
7)ITLRecovery
Any third party CA signed certificates that have been uploaded for the above
components will need to be re-uploaded. If the system is operating in mixed
mode, then the CTL client needs to be run again to update the CTL file.
If there are other servers in the cluster, please wait and do not change
the FIPS Settings on any other node until the FIPS operation on this node
is complete and the system is back up and running.
If the enterprise parameter 'TFTP File Signature Algorithm' is configured
with the value 'SHA-1' which is not FIPS compliant in the current version of the
Unified Communications Manager, though the signing operation
will continue to succeed, it is recommended the parameter value be changed to
SHA-512 in order to be fully FIPS. Configuring SHA-512 as the signing algorithm
may require all the phones that are provisioned in the cluster to be capable of
verifying SHA-512 signed configuration file, otherwise the phone registration
may fail. Please refer to the Cisco Unified Communications Manager Security Guide
for more details.
******************************************************************************
This will change the system to FIPS mode and will reboot.
******************************************************************************
WARNING: Once you continue do not press Ctrl+C. Canceling this operation after it
starts will leave the system in an inconsistent state; rebooting the system and
running "utils fips status" will be required to recover.
******************************************************************************
Do you want to continue (yes/no)?
Step 3: Enter yes. The following message appears:
Generating certificates...Setting FIPS mode in operating system.
FIPS mode enabled successfully.
********************************************************
It is highly recommended that after your system restarts that a system backup is performed.
********************************************************
The system will reboot in a few minutes.
Unified Communications Manager reboots automatically.
CiscoSSH Support
Unified Communications Manager supports CiscoSSH. When you enable FIPS mode on your system, CiscoSSH is enabled automatically with no extra configuration required.
CiscoSSH supports the following key exchange algorithms:
- Diffie-Hellman-Group14-SHA1
- Diffie-Hellman-Group-Exchange-SHA256
- Diffie-Hellman-Group-Exchange-SHA1
CiscoSSH supports the following ciphers with the Unified Communications Manager server:
- AES-128-CTR
- AES-192-CTR
- AES-256-CTR
- AES-128-GCM@openssh.com
- AES-256-GCM@openssh.com
- AES-128-CBC (supported for Release 12.0(1) and up)
- AES-192-CBC (supported for Release 12.0(1) and up)
- AES-256-CBC (supported for Release 12.0(1) and up)
CiscoSSH supports the following ciphers for clients:
- AES-128-CTR
- AES-192-CTR
- AES-256-CTR
- AES-128-GCM@openssh.com
- AES-256-GCM@openssh.com
- AES-128-CBC
- AES-192-CBC
- AES-256-CBC
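A practical use of these lists is checking an SFTP or SSH peer (for example, a backup SFTP server) before a FIPS-mode Unified Communications Manager has to talk to it. The following Python is an added example written for this page; it is not CiscoSSH or Unified Communications Manager code. It takes a server's identification banner and the algorithms the server advertises, works out what a CiscoSSH client restricted to the lists above would negotiate, and applies the FIPS-mode SFTP restriction documented later on this page (ssh-rsa is not supported, rsa-sha2-256 is used, and the page gives OpenSSH 6.8 as the version floor for that). Assumptions not stated on the page: the algorithm names are written as OpenSSH wire names; the page's listing order is used as the client's preference order; negotiation follows the standard SSH rule (the first client-preferred algorithm the server also offers); and the two server offers are constructed sample data, not captures from real hosts.

```python
"""Pre-flight compatibility check for an SFTP/SSH server that a FIPS-mode
Unified Communications Manager will connect to. Added example only."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Key exchange and cipher names from the CiscoSSH lists, as OpenSSH wire names.
# Assumption: the order the page lists them in is treated as client preference.
CISCOSSH_KEX = [
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
]
CISCOSSH_CLIENT_CIPHERS = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
]
# FIPS-mode SFTP restriction from this page: RSA host keys are used with
# rsa-sha2-256 (SHA-256) only; ssh-rsa (SHA-1 signatures) is not supported.
FIPS_HOSTKEY_ALGS = ["rsa-sha2-256"]
# Version floor the page gives for rsa-sha2-256 support on an OpenSSH server.
MIN_OPENSSH = (6, 8)

_BANNER = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """'SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7' -> (7, 4); None if not OpenSSH."""
    m = _BANNER.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def openssh_supports_rsa_sha2_256(banner: str) -> bool:
    """Compare as a version tuple, not a string, so that 10.0 >= 6.8 holds."""
    ver = parse_openssh_version(banner)
    return ver is not None and ver >= MIN_OPENSSH


def negotiate(client_prefs: Sequence[str], server_offer: Sequence[str]) -> Optional[str]:
    """Standard SSH rule (RFC 4253 section 7.1): the chosen algorithm is the
    first entry in the client's list that the server also supports."""
    offered = set(server_offer)
    return next((alg for alg in client_prefs if alg in offered), None)


def check_sftp_target(banner: str, server_kex: Sequence[str],
                      server_ciphers: Sequence[str],
                      server_hostkey_algs: Sequence[str]) -> Dict[str, object]:
    """Return what a FIPS-mode CiscoSSH client would negotiate with this
    server, a list of blocking problems (empty when compatible) and warnings."""
    problems: List[str] = []
    warnings: List[str] = []
    kex = negotiate(CISCOSSH_KEX, server_kex)
    cipher = negotiate(CISCOSSH_CLIENT_CIPHERS, server_ciphers)
    hostkey = negotiate(FIPS_HOSTKEY_ALGS, server_hostkey_algs)
    if kex is None:
        problems.append("no-common-kex")
    if cipher is None:
        problems.append("no-common-cipher")
    if hostkey is None:
        # Typical legacy case: the server advertises ssh-rsa only.
        problems.append("no-rsa-sha2-256-hostkey")
    ver = parse_openssh_version(banner)
    if ver is None:
        # The page's version floor applies to OpenSSH; other servers can only
        # be judged from the host key algorithms they actually offer.
        warnings.append("cannot-verify-server-version")
    elif ver < MIN_OPENSSH:
        problems.append("openssh-older-than-6.8")
    return {"kex": kex, "cipher": cipher, "hostkey": hostkey,
            "problems": problems, "warnings": warnings}


# Constructed sample server offers (not captured from any real host).
MODERN_SERVER = dict(
    banner="SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    server_kex=["curve25519-sha256", "diffie-hellman-group-exchange-sha256",
                "diffie-hellman-group14-sha1"],
    server_ciphers=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                    "aes128-ctr"],
    server_hostkey_algs=["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-ed25519"],
)
LEGACY_SERVER = dict(
    banner="SSH-2.0-OpenSSH_5.3",
    server_kex=["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    server_ciphers=["3des-cbc", "aes128-cbc"],
    server_hostkey_algs=["ssh-rsa", "ssh-dss"],
)

if __name__ == "__main__":
    for name, srv in (("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER)):
        print(name, check_sftp_target(**srv))
```

On a real target, the banner is the first line the server sends on port 22, and the offered algorithm lists can be read from a verbose client connection (`ssh -vv`) or from the KEXINIT packet in a capture; feed those into check_sftp_target. The legacy sample fails for two independent reasons (ssh-rsa-only host key and an OpenSSH version below the page's floor), which is exactly the combination that makes a backup SFTP job break the moment FIPS mode is enabled.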
Disable FIPS 140-2 Mode
Consider the following information before you disable FIPS 140-2 mode on Unified Communications Manager:
- In single-server and multiple-server clusters, we recommend that you run the CTL Client. If the CTL Client is not run on a single-server cluster, you must manually delete the ITL file after disabling FIPS mode.
- In multiple-server clusters, each server must be disabled separately, because FIPS mode is not disabled cluster-wide but on a per-server basis.
To disable FIPS 140-2 mode, perform the following procedure:
Procedure
Step 1: Start a CLI session. For more information, see the Starting a CLI Session section in the Command Line Interface Reference Guide for Cisco Unified Communications Solutions.
Step 2: In the CLI, enter utils fips disable. Unified Communications Manager reboots and is restored to non-FIPS mode.
Check FIPS 140-2 Mode Status
To confirm whether FIPS 140-2 mode is enabled, check the mode status from the CLI.
To check the status of FIPS 140-2 mode, perform the following procedure:
Procedure
Step 1: Start a CLI session. For more information, see the Starting a CLI Session section in the Command Line Interface Reference Guide for Cisco Unified Communications Solutions.
Step 2: In the CLI, enter utils fips status.
FIPS 140-2 Mode Server Reboot
When a Unified Communications Manager server reboots in FIPS 140-2 mode, each of the FIPS 140-2 modules runs its startup self-tests.
Caution: If any of these self-tests fail, the Unified Communications Manager server halts.
Note: The Unified Communications Manager server reboots automatically when FIPS mode is enabled or disabled with the corresponding CLI command. You can also initiate a reboot yourself.
Caution: If a startup self-test failed because of a transient error, restarting the Unified Communications Manager server fixes the issue. If the startup self-test error persists, it indicates a critical problem in the FIPS module, and the only option is to restore the system with a recovery CD.
FIPS Mode Restrictions
| Feature | Restrictions |
|---|---|
| SNMP v3 | FIPS mode does not support SNMP v3 with MD5 or DES. If SNMP v3 is configured while FIPS mode is enabled, you must configure SHA as the Authentication Protocol and AES128 as the Privacy Protocol. |
| Certificate Remote Enrolment | FIPS mode does not support Certificate Remote Enrolment. |
| SFTP Server | By default, the JSch library used ssh-rsa for SFTP connections, but FIPS mode does not support ssh-rsa. Following a recent CentOS update, the JSch library supports either ssh-rsa (SHA1withRSA) or rsa-sha2-256 (SHA256withRSA) depending on the FIPS setting: ssh-rsa when FIPS mode is disabled, rsa-sha2-256 when FIPS mode is enabled. rsa-sha2-256 (SHA256withRSA) support is available only from OpenSSH 6.8 onwards, so in FIPS mode only SFTP servers running OpenSSH 6.8 or later are supported. |
| IPsec Policy | In Common Criteria (CC) mode, perform the certificate exchange between clusters or nodes before you configure a certificate-based IPsec policy. A certificate-based IPsec policy does not keep working when you move from non-FIPS mode to FIPS or Common Criteria mode, or vice versa. When you move from non-FIPS mode to FIPS or CC mode, or vice versa, and you have a certificate-based IPsec policy that is in the enabled state, then: |