Black Box ET0010A User Manual

Features Configuration
EncrypTight User Guide
FIPS Mode
When operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and 
authentication algorithms. FIPS approved algorithms are listed in Table 103. Note that some of the
FIPS-approved algorithms are available for use only on the management port.
EncrypTight prevents the ETEP from entering FIPS mode if ETPM detects EncrypTight distributed key 
policies that contain non-FIPS approved algorithms.
The ETEP prevents entry into FIPS mode when any of the following conditions are true:
- EncrypTight distributed key policies are installed that use non-FIPS approved algorithms
- IKE policies are configured on the management port interface that use non-FIPS approved algorithms
- Manual key policies are installed on the management port interface. If you plan to use manual key
  policies, deploy them after FIPS mode is enabled on the ETEP.
- SNMPv3 configuration uses cryptography for SNMP trap hosts, but no IPsec policy has been
  configured to protect the SNMP traffic for each specific trap host
- The debug shell is in use
- Strict client authentication is enabled on the management port
If you plan to use strict authentication to secure management port communications, you must enable 
FIPS mode prior to enabling strict authentication. To learn more about using strict authentication, see 
the 
 and 
Related topics:
ETEP CLI User Guide, “FIPS 140-2 Level 2 Operation” 
Enabling FIPS Mode
To configure the ETEP for FIPS operation, select the Enable FIPS Mode checkbox. 
After pushing a FIPS-enabled configuration to the ETEP, it takes several minutes for the ETEP to enter 
FIPS mode. Some communications services are reset when FIPS is enabled and disabled. SSH sessions 
are terminated, and cannot be reestablished until FIPS mode is fully operational. You may experience a 
brief loss of connectivity between the ETEP and ETEMS. 
When putting the ETEP in FIPS mode, the ETEP performs the following actions and self-tests: 
- Runs self-tests during the boot process and when entering FIPS mode that include cryptographic
  algorithm tests, firmware integrity tests, and critical function tests
Table 103  FIPS approved encryption and authentication algorithms

Encryption algorithms    Authentication algorithms
3des-cbc                 sha1-96-hmac
aes128-cbc               sha2-256-hmac
aes256-cbc               sha2-384-hmac
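
A pre-flight check over the entry conditions and Table 103 above, as an added example that is not from Black Box or the EncrypTight tooling: it lists every reason a planned configuration would be refused entry into FIPS mode. The dictionary layout, key names, policy names and addresses are hypothetical and constructed for illustration.

```python
# Added example: pre-flight check for the FIPS mode entry conditions in this section.
# Hypothetical config layout (not an ETEP/ETEMS/ETPM format). Approved sets hold only the
# Table 103 rows visible on this page; management-port-only algorithms are not modelled.
FIPS_ENCRYPTION = {"3des-cbc", "aes128-cbc", "aes256-cbc"}
FIPS_AUTHENTICATION = {"sha1-96-hmac", "sha2-256-hmac", "sha2-384-hmac"}

def non_fips_policies(policies):
    """Return names of policies using an algorithm that is not in Table 103."""
    return [p["name"] for p in policies
            if p["encryption"] not in FIPS_ENCRYPTION
            or p["authentication"] not in FIPS_AUTHENTICATION]

def fips_entry_blockers(cfg):
    """Return every reason, per this section, that FIPS mode entry would be refused."""
    blockers = []
    for name in non_fips_policies(cfg.get("distributed_key_policies", [])):
        blockers.append(f"distributed key policy '{name}' uses a non-FIPS approved algorithm")
    for name in non_fips_policies(cfg.get("mgmt_ike_policies", [])):
        blockers.append(f"management port IKE policy '{name}' uses a non-FIPS approved algorithm")
    for name in cfg.get("mgmt_manual_key_policies", []):
        blockers.append(f"manual key policy '{name}' is installed on the management port")
    protected = set(cfg.get("ipsec_protected_hosts", []))
    for host in cfg.get("snmpv3_crypto_trap_hosts", []):
        if host not in protected:  # each trap host needs its own IPsec policy
            blockers.append(f"SNMPv3 trap host {host} has no IPsec policy protecting its traffic")
    if cfg.get("debug_shell_in_use"):
        blockers.append("the debug shell is in use")
    if cfg.get("strict_client_auth"):
        blockers.append("strict client authentication is enabled on the management port")
    return blockers

# Constructed sample: made-up policy names, documentation-range addresses, and a
# placeholder algorithm name ("non-fips-example") standing in for any unlisted one.
SAMPLE = {
    "distributed_key_policies": [
        {"name": "site-mesh", "encryption": "aes256-cbc", "authentication": "sha2-256-hmac"},
        {"name": "legacy-link", "encryption": "aes256-cbc", "authentication": "non-fips-example"},
    ],
    "mgmt_ike_policies": [{"name": "mgmt-ike", "encryption": "3des-cbc", "authentication": "sha1-96-hmac"}],
    "mgmt_manual_key_policies": ["mgmt-manual-1"],
    "snmpv3_crypto_trap_hosts": ["192.0.2.10", "192.0.2.11"],
    "ipsec_protected_hosts": ["192.0.2.10"],
    "debug_shell_in_use": False,
    "strict_client_auth": True,
}

if __name__ == "__main__":
    for reason in fips_entry_blockers(SAMPLE):
        print("BLOCKS FIPS MODE:", reason)
```

The manual key and strict authentication findings are cleared by ordering rather than removal: as the section directs, deploy manual key policies and enable strict authentication only after FIPS mode is enabled.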