After you have saved the configuration, reload the device using the reload command.
device# reload
During reload, as the device transitions between non-FIPS mode and FIPS mode, the Extreme device runs various tests, including the Power-On Self-Test (POST), the MACsec configuration integrity test (only when FIPS is enabled), and Known Answer Tests (KATs).
POST checks for the consistency of the FIPS-approved algorithms implemented on the device.
KATs are used to exercise various features of FIPS-approved algorithms.
All interfaces on the device are down until the tests are completed successfully.
Possible POST failure messages, indicating that the tests did not pass, include the following:
Crypto module initialization and KNown Answer Test (KAT) failed with reason:(Error Code 0x80000000)‘CKR_VENDOR_DEFINED‘
FIPS: Primary image verification failed
FIPS: Secondary image verification failed
Note
Contact Extreme Technical Support if the error repeats.
Use the fips self-test command to run tests on demand, in both FIPS mode and non-FIPS mode. Refer to Running FIPS self-test.
After all tests complete successfully, the device reloads in FIPS mode, and FIPS mode is enabled and operational on the Extreme device.
You can verify that the device is operating in FIPS mode by using the fips show command.
The following example shows fips show command output after the device reloads successfully in the default strict FIPS mode, with administrative status on and operational status on.
device# fips show
Cryptographic Module Version: EXTR-NI-IP-CRYPTO-VER-4.0
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status OFF: Operational status OFF
System Specific
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server: Disabled
Telnet client: Disabled
TFTP client: Disabled
HTTPS SSL 3.0: Disabled
SNMP Access to security objects: Disabled
Critical security Parameter updates across FIPS boundary:
Protocol Shared secret and host passwords: Clear
Password Display: Disabled
HTTPS RSA Host Keys and Signature: Clear
SSH DSA Host keys: Clear
SSH RSA Host keys: Clear
The following example shows the output of the fips show command on a NetIron CER device after the device reloads successfully in the default strict FIPS mode, with administrative status on and operational status on.
device(config)# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-IP-CRYPTO-VER-4.0
LP FIPS Version: EXTR-NI-LP-CRYPTO-VER-2.0
FIPS mode : Administrative status ON: Operational status ON
FIPS CC mode: Administrative status OFF: Operational status OFF
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server : Disabled
Telnet client : Disabled
TFTP client : Disabled
HTTPS SSL 3.0 : Disabled
SNMP v1, v2, v2c : Disabled
SNMP Access to security objects: Disabled
Password Display : Disabled
Critical security Parameter updates across FIPS boundary:
(i.e. during "fips zeroize" ..., or "no fips enable") :
Protocol Shared secret and host passwords: Clear
SSH RSA Host keys : Clear
HTTPS RSA Host Keys and Signature : Clear
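The verification step above can be automated against captured fips show output. The following Python script is an added example, not Extreme code or tooling; the function name audit_fips_show, the sample text (constructed from the output shown above), and the list of settings required to be Disabled are assumptions.

```python
import re

# Constructed input: a trimmed copy of the "fips show" output shown on this page.
SAMPLE = """\
device# fips show
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status OFF: Operational status OFF
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server: Disabled
Telnet client: Disabled
TFTP client: Disabled
HTTPS SSL 3.0: Disabled
SNMP Access to security objects: Disabled
"""

# Accepts "FIPS mode:" and the CER layout "FIPS mode :"; never matches "FIPS CC mode".
MODE_RE = re.compile(
    r"^\s*FIPS mode\s*:\s*Administrative status\s+(\w+)\s*:\s*Operational status\s+(\w+)", re.I)
SETTING_RE = re.compile(r"^\s*(.+?)\s*:\s*(Enabled|Disabled)\s*$", re.I)

# Assumption: settings required to be Disabled, taken from the page's sample output.
MUST_BE_DISABLED = (
    "OS monitor access status is", "Telnet server", "Telnet client",
    "TFTP client", "HTTPS SSL 3.0", "SNMP Access to security objects",
)

def audit_fips_show(text):
    """Return a list of findings; an empty list means the output matches expectations."""
    mode, settings = None, {}
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if m:
            mode = (m.group(1).upper(), m.group(2).upper())
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).capitalize()
    findings = []
    if mode is None:
        findings.append("FIPS mode line not found")
    else:
        for label, state in zip(("Administrative", "Operational"), mode):
            if state != "ON":
                findings.append(f"FIPS mode {label} status is {state}")
    for name in MUST_BE_DISABLED:
        state = settings.get(name.lower(), "missing")
        if state != "Disabled":
            findings.append(f"{name}: {state}")
    return findings

if __name__ == "__main__":
    print(audit_fips_show(SAMPLE) or "OK")
```

A setting that is absent from the captured output is reported as missing rather than assumed Disabled, so truncated captures do not pass silently.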