Switching the Appliance to FIPS Mode
Use the fipsconfig CLI command to switch the appliance over to FIPS mode.
Note: Only administrators can use this command. A reboot is required after switching the appliance from non-FIPS mode to FIPS mode.
Before You Begin
Make sure that the appliance does not have any objects that are not FIPS compliant. To enable FIPS mode, you must first modify all non-FIPS-compliant objects so that they meet FIPS requirements. See Configuration Changes in FIPS Mode. For instructions on checking whether your appliance contains non-FIPS-compliant objects, see Checking FIPS Mode Compliance.
Procedure
mail.example.com> fipsconfig
FIPS mode is currently disabled.
Choose the operation you want to perform:
- SETUP - Configure FIPS mode.
- FIPSCHECK - Check for FIPS mode compliance.
[]> setup
In FIPS mode, the RSA certificates must have 2048 bits or more key length, and the MD5 algorithm is deprecated.
It is not recommended to add WSA (in FIPS or non-FIPS mode) to an SMA in FIPS Mode.
It is not recommended to add ESA in non-FIPS mode to an SMA in FIPS Mode.
It is not recommended to move SMA to FIPS Mode when the connected ESA or WSA is in non-FIPS mode.
To finalize FIPS mode, the appliance will reboot immediately. No commit will be required.
Are you sure you want to enable FIPS mode and reboot now ? [N]> y
Enter the number of seconds to wait before forcibly closing connections.
[30]>
System rebooting. Please wait while the queue is being closed...
Closing CLI connection.
Rebooting the system...
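The setup prompt above states the two certificate rules that FIPS mode enforces: RSA keys of 2048 bits or more, and no MD5. The following pre-flight check is an added example, not part of the Cisco documentation or the appliance's own FIPSCHECK; it applies those two rules to the text output of `openssl x509 -noout -text` for certificates you intend to upload, using constructed sample output rather than real certificates.

```python
import re

# Minimum RSA key length stated in the fipsconfig setup prompt.
MIN_RSA_BITS = 2048

# Constructed samples: the relevant lines of `openssl x509 -noout -text`
# for a compliant certificate and for a legacy one (not real certificates).
COMPLIANT_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = mail.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
"""

LEGACY_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Subject: CN = legacy.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""


def fips_issues(openssl_text):
    """Return the reasons a certificate would violate the FIPS-mode rules
    from the setup prompt: an RSA key shorter than 2048 bits, or an MD5
    signature. An empty list means no issue was found by these two checks."""
    issues = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", openssl_text)
    if sig and "md5" in sig.group(1).lower():
        issues.append(f"signature uses deprecated MD5 ({sig.group(1)})")
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", openssl_text)
    # Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)",
    # which differ between OpenSSL versions.
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", openssl_text)
    if key_alg and key_alg.group(1) == "rsaEncryption":
        if bits is None:
            issues.append("could not determine RSA key length")
        elif int(bits.group(1)) < MIN_RSA_BITS:
            issues.append(f"RSA key is {bits.group(1)} bits, minimum is {MIN_RSA_BITS}")
    return issues


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_CERT), ("legacy", LEGACY_CERT)):
        print(name, fips_issues(text) or "OK")
```

Run the check against every certificate you plan to keep before entering setup, since after the reboot the appliance will reject what it finds non-compliant rather than let you fix it in place.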