
Before you begin

Before you can enable FIPS on a managed IPS device, you must make sure that FIPS mode is disabled on the SMS. If the SMS does have FIPS mode enabled, enable FIPS on the IPS device using the IPS CLI instead. Refer to the product documentation for your IPS device.
Note
You must reboot the device to completely enable or disable this service.
The following table describes the FIPS settings available for IPS devices.
Setting   Description
None      No FIPS compliance actions or restrictions are activated on the device.
Crypto    The device uses cryptographic libraries certified by the National Institute of Standards and Technology (NIST) as compliant with the FIPS 140-2 publication. You must reboot the device for the system to operate in FIPS Cryptography mode.
Full      The SMS displays the Changing FIPS Mode wizard. Complete this wizard to enable full FIPS mode on the device. The SMS deletes all existing users on the device and replaces them with the single user defined in the wizard. The SMS also rekeys the device with a FIPS-compliant key.

Procedure

  1. Select Devices > All Devices > your device, and then click Device Configuration.
  2. Select FIPS Settings.
  3. For FIPS Mode, select the Full radio button, and then click OK.
  4. Click Next when the Changing FIPS Mode wizard is displayed.
  5. Enter a username, enter and confirm your password, and then click Next.
  6. Review your choices and click Finish.
    • If the SMS can communicate with the TMC, it will download and install the FIPS key package.
    • If the SMS cannot communicate with the TMC, an error message is displayed that instructs you to manually rekey the device:
  7. Close the message and download the FIPS key package from the TMC to your computer.
  8. After the device completes rebooting, navigate to System > Update > Install Package on the device LSM.
  9. In Step 4 of the Install Package page, browse to your FIPS key package and click Install Package.
    If you receive an error message at this point, click OK, manually reboot the device, and repeat the previous two steps. The IPS should accept this second attempt to install the FIPS key package.

Next steps

Verify that the device is in Full FIPS mode by doing any of the following:
  • Enter the sh fips command on the IPS CLI.
  • From the SMS, select the Device Configuration for your device and view the FIPS Mode status under Management Services.
If you see a Socket Closed SMS error message when trying to add an IPS in FIPS mode, run the fips restore-ssl command from the IPS CLI.
After running this command, navigate to System > Update > Install Package on the device LSM to reinstall the FIPS key package. This ensures that the IPS will use keys that meet FIPS strength requirements.