Entering FIPS mode through manual reboot

Network requirements

Use the manual reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.

Configuration procedure

# Enable the password control function globally.

<Sysname> system-view
[Sysname] password-control enable

# Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.

[Sysname] password-control composition type-number 4 type-length 1

# Set the minimum length of user passwords to 15 characters.

[Sysname] password-control length 15

# Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.

[Sysname] local-user test class manage
[Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB
[Sysname-luser-manage-test] authorization-attribute user-role network-admin
[Sysname-luser-manage-test] service-type terminal
[Sysname-luser-manage-test] quit

# Enable FIPS mode, and choose the manual reboot method to enter FIPS mode.

[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:n
Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.

# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.

[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to device successfully.
[Sysname] quit

# Delete the startup configuration file in binary format.

<Sysname> delete flash:/startup.mdb
Delete flash:/startup.mdb?[Y/N]:y
Deleting file flash:/startup.mdb...Done.

# Reboot the device.

<Sysname> reboot

Verifying the configuration

After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters. For more information about the requirements for the password, see the system output.

Press ENTER to get started.
login: test
Password:
First login or password reset. For security reason, you need to change your pass
word. Please enter your password.
old password:
new password:
confirm:
Updating user information. Please wait ... ...
…
<Sysname>

# Display the current FIPS mode state.

<Sysname> display fips status
FIPS mode is enabled.