Enable FIPS mode

It is important that you follow this procedure to make sure that you enable Federal Information Processing Standards (FIPS) mode correctly.

About this task

When you switch to Federal Information Processing Standards (FIPS) mode, local user Web user interface (UI) passwords become invalid. To take advantage of FIPS encryption, you can use the n2os-passwd command to reset the passwords.

The n2os-passwd <USER> command takes several seconds to several minutes to prompt the user for a new password. On the R50 platform, the prompt may take up to three minutes.

Important:
When you enable FIPS, it is critical that you change the password for EVERY Web UI local user.

Procedure

  1. Log into the console.
  2. To go to privileged mode, enter this command:
    enable-me
    You can now perform system changes.
  3. Note:
    For Central Management Console (CMC)s, version 23.1.0 or later, it is not necessary to do the next step.
    Note:
    For Guardians, version 23.1.0 or later, you can also do the next two steps after you have enabled FIPS.
    To configure the FIPS license, enter the command:
    echo 'conf.user configure license fips xxxxxxxx' | cli
  4. Note:
    For CMCs, version 23.1.0 or later, it is not necessary to do the next step.
    To restart the intrusion detection system (IDS), enter the command:
    service n2osids stop
    The IDS stops. After a few seconds, it will automatically start again.
  5. To enable FIPS mode, enter the command:
    n2os-fips-enable
    The system automatically reboots.
  6. In the container edition, stop the current container and start a new one with the same settings.
  7. To change the password for every user, enter the command:
    n2os-passwd <USER>
  8. Log in to the sensor.
  9. In the top navigation bar, select Administration icon - which looks like a gear cog
    The administration page opens.
  10. In the System section, select Updates and licenses.
    The Updates and licenses page opens.
  11. In the Current license section for FIPS, make sure that the License status shows ok.
  12. Do this procedure again for all CMCs and Guardians.