Last Updated: Apr 17, 2026
The Federal Information Processing Standard, or FIPS 140-2, is a computer security standard for cryptographic modules used by the U.S. government. FIPS 140-2 specifies the security requirements that a cryptographic module must meet to protect classified or sensitive data.
OpenSSL libraries include a set of cryptographic algorithms compliant with FIPS 140-2, which are invoked when the library is initialized in FIPS mode. You can enable FIPS mode using the FIPS_ENABLED parameter, which controls the usage of OpenSSL FIPS-certified cryptographic modules. You can set the parameter through the 46xxsettings.txt file or DHCP option 242.
Note:
In FIPS mode, the CONFIG_SERVER_SECURE_MODE parameter value should be set to 1, ensuring that only HTTPS is used to access the configuration server.
Disable the following features when enabling the FIPS mode on the phone:
  • SSH Server.
  • SCEP certificate enrollment: When a phone runs in FIPS mode, identity certificate enrollment through SCEP is disabled by the software. If an identity certificate is generated before FIPS_ENABLED is set to 1, the phone can still use the existing identity certificate after reboot. However, you must not use identity certificates generated using SCEP when FIPS_ENABLED is set to 0 and the phone is configured to work in FIPS mode. The most secure way to install an identity certificate is to clear any installed identity certificate and install a PKCS#12 file after configuring the phone to FIPS mode. Thereafter, FIPS 140-2 approved cryptographic algorithms can be used to decrypt the PKCS#12 file.
  • SLA Mon.
  • 802.1x with EAP-MD5 or EAP-PEAP authentication. EAP-TLS is allowed.
  • WML Browser.
  • Push.
  • HTTPSRVR. You must use TLSSRVR for file downloading.
  • HTTP in OCSP_URI or Authority Information Access (AIA) of a certificate. Ensure that the URI in OCSP_URI or AIA of a certificate is HTTPS.
  • Microsoft™ Exchange
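The following added example (not vendor code) lints a settings file against the FIPS-mode requirements above that are tied to parameters named on this page. It assumes `SET NAME value` lines with `#` comments, ignores conditional directives and values supplied through DHCP, and uses a constructed sample file with placeholder host names.

```python
import re

# Constructed sample; the "SET NAME value" syntax and "#" comment lines are
# assumptions about the 46xxsettings.txt format, and the hosts are placeholders.
SAMPLE = '''\
## constructed example settings
SET FIPS_ENABLED 1
SET CONFIG_SERVER_SECURE_MODE 0
SET HTTPSRVR "files.example.test"
SET TLSSRVR "files.example.test"
SET OCSP_URI "http://ocsp.example.test/"
'''

def parse_settings(text):
    """Return {name: value}; a later SET line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = re.match(r'SET\s+(\w+)\s*(.*)$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def fips_findings(settings):
    """List conflicts with the FIPS-mode requirements described above."""
    if settings.get("FIPS_ENABLED") != "1":
        return []  # FIPS mode is not requested in this file
    findings = []
    if settings.get("CONFIG_SERVER_SECURE_MODE") != "1":
        findings.append("CONFIG_SERVER_SECURE_MODE must be 1 (HTTPS only)")
    if settings.get("HTTPSRVR"):
        findings.append("HTTPSRVR is set; use TLSSRVR for file downloading")
    uri = settings.get("OCSP_URI", "")
    if uri and not uri.lower().startswith("https://"):
        findings.append("OCSP_URI must be an HTTPS URI")
    return findings

if __name__ == "__main__":
    for finding in fips_findings(parse_settings(SAMPLE)):
        print("FAIL:", finding)
```

The other features in the list (SSH Server, SLA Mon, Push, and so on) are not checked because their parameter names are not given on this page.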
Once you enable FIPS mode, the phone reboots and runs the OpenSSL FIPS self-test. After the test is completed successfully, the phone displays the message FIPS mode activated, restarting…. After reboot, FIPS mode is in effect. If the FIPS-mode self-test fails, the phone displays the message FIPS self-test failure. Here the phone also displays two options:
  • Program: The phone prompts for a CRAFT password. After you enter the CRAFT password, the phone boots up in non-FIPS mode.
  • Reboot: The phone reboots.
Note:
All the logs are stored in SYSLOG. You can refer to these logs for troubleshooting.