FIPS Support in Cisco Spaces

FIPS Overview

Cisco Spaces Connector supports the Federal Information Processing Standard 140-3 (FIPS). FIPS is a standard published by the National Institute of Standards and Technology (NIST) and is used to accredit cryptographic modules in software components. The US Federal government requires that all IT products dealing with Sensitive but Unclassified (SBU) information meet these standards. If your system needs to be FIPS compliant, you can enable FIPS. Once you do so, the system uses the cryptographic algorithms that NIST defines for FIPS for all encrypted communication between its internal and external components.

Protocol Requirements

  • Transport Layer Security (TLS) 1.2 or higher.

  • Advanced Encryption Standard (AES) 256.

  • Secure Hash Algorithm (SHA) 128 or higher.

  • One of the following:

    • Rivest, Shamir, and Adleman (RSA) 2048 or higher.

    • Elliptic Curve Digital Signature Algorithm (ECDSA) with a National Institute of Standards and Technology (NIST) curve of P-256 or higher.
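The requirements above are what a client talking to a FIPS-enabled Connector has to be able to negotiate. The following is an added example, not part of the Cisco Spaces documentation or the Connector's own code, that encodes them as a Python ssl client policy and as two small checks for cipher-suite and key parameters. It assumes that the hash requirement is read as SHA-256 or stronger (so suites whose MAC/PRF is plain SHA, that is SHA-1, are rejected) and that "NIST curve of P-256 or higher" means P-256, P-384 or P-521.

```python
"""TLS client policy that encodes the protocol requirements listed above.

Added example; it is not part of the Cisco Spaces documentation or the
Connector's own code.  Assumptions: the hash requirement is read as
SHA-256 or stronger, so suites whose MAC/PRF is plain SHA (SHA-1) are
rejected; "NIST curve of P-256 or higher" means P-256, P-384 or P-521.
"""
import re
import ssl

# OpenSSL names of TLS 1.2 suites with AES-256, SHA-256/384 and RSA or ECDSA
# authentication.  TLS 1.3 suites are chosen separately by OpenSSL and cannot
# be restricted through Python's ssl module, so they are only audited below.
FIPS_TLS12_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
)
APPROVED_CURVES = {"P-256", "P-384", "P-521"}   # assumption: "P-256 or higher"

# Matches both OpenSSL-style (ECDHE-RSA-AES256-GCM-SHA384) and IANA-style
# (TLS_AES_256_GCM_SHA384) names: AES-256 bulk cipher and a SHA-2 hash.
_SUITE_RE = re.compile(r"AES[_-]?256.*[_-](SHA256|SHA384|SHA512)$")


def suite_meets_requirements(name: str) -> bool:
    """AES-256 with SHA-256 or stronger; rejects AES-128, ChaCha20 and SHA-1 suites."""
    return _SUITE_RE.search(name) is not None


def key_meets_requirements(algorithm: str, size_or_curve) -> bool:
    """RSA keys need >= 2048 bits; EC keys need a NIST P-256/384/521 curve."""
    algo = algorithm.upper()
    if algo == "RSA":
        return int(size_or_curve) >= 2048
    if algo in ("EC", "ECDSA"):
        return str(size_or_curve) in APPROVED_CURVES
    return False   # any other key type is outside the listed requirements


def fips_tls_context() -> ssl.SSLContext:
    """Client context: TLS 1.2+ only, peer verification on, AES-256/SHA-2 suites only."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FIPS_TLS12_CIPHERS)
    return ctx


def enabled_tls12_suites(ctx: ssl.SSLContext) -> list:
    """TLS 1.2 suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def non_compliant_suites(ctx: ssl.SSLContext) -> list:
    """Suites OpenSSL may still negotiate that fail the policy (typically TLS 1.3 ones)."""
    return [c["name"] for c in ctx.get_ciphers() if not suite_meets_requirements(c["name"])]
```

Use `fips_tls_context()` wherever the client opens a socket to the Connector; `non_compliant_suites()` is the audit step, and on a TLS 1.3-capable OpenSSL it will list TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256, because Python's ssl module exposes no way to restrict TLS 1.3 suites. Those have to be pinned on the OpenSSL side (the `Ciphersuites` directive) or at the peer.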

Enabling FIPS

To enable FIPS on the Connector, you must do the following:

  1. Log in to the Connector CLI, and enable FIPS on the connector.

  2. From the Connector CLI, validate that FIPS is enabled.

Procedure


Step 1

Log in to the Connector CLI, and enable FIPS on the connector using the connectorctl fips enable command.

The following is a sample output of the command:
[spacesadmin@connector ~]$ connectorctl fips enable
Executing command:fips
Terminated
[spacesadmin@connector ~]$ Connection to 10.22.244.2 closed by remote host
For more information on this command, see the connectorctl fips enable command page.

Note

Enabling FIPS restarts the connector VM.

Step 2

Validate that FIPS is enabled using the connectorctl fips show command.

The following is a sample output of the command:

[spacesadmin@connector ~]$ connectorctl fips show
Executing command:fips
Command execution status:Success
----------------------
FIPS mode status:
FIPS mode is enabled.
verify FIPS mode is enabled at the operating system level:
crypto.fips_enabled = 1
OpenSSL version:
FIPS Toolkit Enabled
CiscoSSL 1.1.1y.7.3.377-fips
ssh runs in FIPS mode
x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp384
x509v3-ecdsa-sha2-nistp521
x509v3-ssh-rsa
x509v3-rsa2048-sha256
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com

[spacesadmin@connector ~]$
For more information on this command, see the connectorctl fips show command page.

Disabling FIPS


Note


There is no option to disable FIPS. The only way is to roll back to the initial setup by resetting the connector using the connectorctl reset command.


To roll back to the initial setup, you must do the following:

  1. Log in to the Connector CLI, and reset the connector.

  2. From the Connector CLI, validate that the rollback succeeded.

Procedure


Step 1

Log in to the Connector CLI, and reset the connector using the connectorctl reset command.

The following is a sample output of the command:
[spacesadmin@connector ~]$ connectorctl reset
Executing command:reset
WARNING: This command resets all connector configuration including http proxy and token and bring system to initial state. You can't undo these changes.
Type yes to continue or any other letter to abort:yes
Terminated
[spacesadmin@connector ~]$ Connection to 10.22.244.45 closed by remote host.
Connection to 10.22.244.45 closed.
For more information on this command, see the connectorctl reset command page.

Note

Rolling back to the initial setup restarts the connector VM.

Step 2

Validate that the rollback succeeded using the connectorctl fips show command.

The following is a sample output of the command:

[spacesadmin@connector ~]$ connectorctl fips show
Executing command:fips
Command execution status:Success
----------------------
FIPS mode status:
FIPS mode is disabled.
verify FIPS mode is enabled at the operating system level:
crypto.fips_enabled = 0
OpenSSL version:
FIPS Toolkit Enabled
CiscoSSL 1.1.1y.7.3.377-fips
ssh runs in FIPS mode
x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp384
x509v3-ecdsa-sha2-nistp521
x509v3-ssh-rsa
x509v3-rsa2048-sha256
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com
For more information on this command, see the connectorctl fips show command page.
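Both validation steps (Step 2 of Enabling FIPS and Step 2 of the rollback) read the same connectorctl fips show output, and the two samples differ only in the "FIPS mode is ..." line and the crypto.fips_enabled sysctl: "FIPS Toolkit Enabled" and "ssh runs in FIPS mode" are printed in both cases, so a loose grep for "FIPS" would pass a reset connector. The following is an added example, not Cisco's code, of a parser for that output that keys on the exact marker lines and reports which independent indicators disagree. ENABLED_SAMPLE is copied from the page's sample output; DISABLED_SAMPLE is derived from it by changing the same two lines the page's rollback sample differs in.

```python
"""Parse `connectorctl fips show` output and decide whether FIPS is enforced.

Added example for auditing a Cisco Spaces Connector from a jump host; it is
not Cisco's code.  ENABLED_SAMPLE is copied from the page's sample output;
DISABLED_SAMPLE is derived from it by changing the same two lines the page's
rollback sample differs in.
"""
from dataclasses import dataclass, field

ENABLED_SAMPLE = """\
[spacesadmin@connector ~]$ connectorctl fips show
Executing command:fips
Command execution status:Success
----------------------
FIPS mode status:
FIPS mode is enabled.
verify FIPS mode is enabled at the operating system level:
crypto.fips_enabled = 1
OpenSSL version:
FIPS Toolkit Enabled
CiscoSSL 1.1.1y.7.3.377-fips
ssh runs in FIPS mode
x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp384
x509v3-ecdsa-sha2-nistp521
x509v3-ssh-rsa
x509v3-rsa2048-sha256
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com

[spacesadmin@connector ~]$
"""

# After `connectorctl reset` the toolkit and ssh lines are unchanged; only
# the status line and the kernel sysctl differ (as in the page's sample).
DISABLED_SAMPLE = (ENABLED_SAMPLE
                   .replace("FIPS mode is enabled.", "FIPS mode is disabled.")
                   .replace("crypto.fips_enabled = 1", "crypto.fips_enabled = 0"))


@dataclass
class FipsReport:
    command_status: str = ""
    fips_mode_enabled: bool = False     # "FIPS mode is enabled." line
    kernel_fips_enabled: bool = False   # crypto.fips_enabled = 1 (kernel sysctl)
    toolkit_enabled: bool = False       # "FIPS Toolkit Enabled" line
    openssl_version: str = ""
    ssh_fips_mode: bool = False         # "ssh runs in FIPS mode" line
    ssh_algorithms: list = field(default_factory=list)


def parse_fips_show(text: str) -> FipsReport:
    """Line-oriented parser; every field is keyed on an exact marker line."""
    r = FipsReport()
    in_ssh_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # shell prompt: ends the ssh list
            in_ssh_list = False
            continue
        if not line:
            continue
        if line.startswith("Command execution status:"):
            r.command_status = line.split(":", 1)[1].strip()
        elif line.startswith("FIPS mode is "):
            r.fips_mode_enabled = line.rstrip(".") == "FIPS mode is enabled"
        elif line.startswith("crypto.fips_enabled"):
            r.kernel_fips_enabled = line.split("=", 1)[1].strip() == "1"
        elif line == "FIPS Toolkit Enabled":
            r.toolkit_enabled = True
        elif line.startswith("CiscoSSL"):
            r.openssl_version = line
        elif line == "ssh runs in FIPS mode":
            r.ssh_fips_mode = True
            in_ssh_list = True
        elif in_ssh_list:                   # algorithm names follow the ssh line
            r.ssh_algorithms.append(line)
    return r


def enforcement_gaps(r: FipsReport) -> list:
    """Which independent indicators say FIPS is *not* enforced."""
    gaps = []
    if r.command_status != "Success":
        gaps.append("command did not report Success")
    if not r.fips_mode_enabled:
        gaps.append("FIPS mode status line reports disabled")
    if not r.kernel_fips_enabled:
        gaps.append("kernel crypto.fips_enabled is not 1")
    if not r.ssh_fips_mode:
        gaps.append("ssh is not running in FIPS mode")
    return gaps


def fips_is_enforced(r: FipsReport) -> bool:
    """True only when every indicator agrees; a single gap fails the check."""
    return not enforcement_gaps(r)
```

Feed the captured text of `connectorctl fips show` to `parse_fips_show()` and alert on a non-empty `enforcement_gaps()`; the gaps list, rather than a bare boolean, is what you want in the audit record, because after a reset the toolkit and ssh indicators still read as FIPS while the status line and sysctl do not.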

Adding a FIPS-Enabled Catalyst 9800 Controller to a FIPS-Enabled Connector

Enabling FIPS

Before adding the controller, enable FIPS on the Connector and validate it from the Connector CLI as described in the Enabling FIPS section above (connectorctl fips enable, followed by connectorctl fips show).

Configuring FIPS Authorization Key in the Controller

Procedure


Step 1

Log in to the Catalyst 9800 controller CLI, and enter the global configuration mode using the configure terminal command.

The following is a sample output of the command:
Device# configure terminal

Step 2

Configure the FIPS authorization key on the controller using the fips authorization-key hex command.

The following is a sample output of the command:

Device(config)# fips authorization-key <hex>

Step 3

Return to the privileged EXEC mode using the end command.

The following is a sample output of the command:
Device(config)# end

Step 4

Save all configurations using the write memory command.

The following is a sample output of the command:
Device# write memory

Step 5

Boot the controller in FIPS mode using the reload command.

The following is a sample output of the command:
Device# reload

Obtaining a Certificate from the Connector

Procedure


Step 1

Log in to the Connector CLI, and obtain a certificate using the connectorctl -s location keystore showcert -n fipsca command.

The following is a sample output of the command:

[spacesadmin@connector ~]$ connectorctl -s location keystore showcert -n fipsca
Executing command:keystore
Command execution status:Success
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Step 2

Copy the certificate and paste it into a text editor so that you can add it to the controller trustpool. For more information, see the Importing a CA Certificate into the Trustpool section.


Importing a CA Certificate into the Trustpool

Procedure


Step 1

Log in to the Catalyst 9800 controller CLI, and enter the global configuration mode using the configure terminal command.

The following is a sample output of the command:
Device# configure terminal

Step 2

Import a CA certificate into the Trustpool using the crypto pki trustpool import terminal command.

Paste the certificate and press Enter. For more information, see Obtaining a Certificate from the Connector.

The following is a sample output of the command:

Device(config)# crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
....
....
-----END CERTIFICATE-----
quit
% PEM files import succeeded.

Step 3

Return to the privileged EXEC mode using the end command.

The following is a sample output of the command:
Device(config)# end

Step 4

Save all configurations using the write memory command.

The following is a sample output of the command:
Device# write memory

Reinitiating the NMSP Connection on the Controller

After importing the connector certificate into the controller, perform either of the following actions to reinitiate the NMSP connection to the controller:

Procedure


Step 1

Restart the location service from the Connector CLI or Cisco Spaces dashboard.

Step 2

Edit and save the controller credentials in the Cisco Spaces dashboard.

Note

  • This retriggers the SYNC message from the cloud to the connector for all the controllers that have been added.

  • The connector then attempts to reestablish the connection between the connector and the controller.

  • If the NMSP handshake fails after importing the fipsca certificate into the controller, re-import the certificate. To clear any trustpool certificates imported earlier, use the crypto pki trustpool import clean command.