This command enables, disables, or displays the status of FIPS 140-2 mode. FIPS 140-2 mode is disabled by default; only an administrator can enable FIPS.

Note: FIPS Mode and Enhanced Security Mode do not support MD5 or DES encryption methods. If the SNMPv3 setting is enabled using both MD5 and DES, then enabling FIPS Mode or Enhanced Security Mode changes these encryption methods to SHA-1 and AES-128 respectively.

Command Syntax

utils fips {enable | disable | status}

Syntax Description

Parameters   Description
enable       Activates FIPS 140-2 mode.
disable      Deactivates FIPS 140-2 mode.
status       Displays the status of FIPS 140-2 mode.

Command Modes

Administrator (admin:)

Usage Guidelines

Before enabling FIPS mode, we recommend that you perform a system backup. If FIPS checks fail at start-up, the system halts and requires a recovery CD to be restored.

Consider the following information before you enable FIPS 140-2 mode:

• After FIPS mode is enabled on a server, please wait until the server reboots before enabling FIPS on the next server.
• In FIPS mode, the Cisco Emergency Responder service uses Red Hat Openswan (FIPS validated) in place of Racoon (non-FIPS validated). If the security policies in Racoon contain functions that are not FIPS approved, the CLI command asks you to redefine the security policies with FIPS-approved functions and aborts.

Note: Certificates and the SSH key are regenerated automatically, in accordance with FIPS requirements.

Consider the following information before you disable FIPS 140-2 mode: In multiple server groups, each server must be disabled separately; FIPS mode is not disabled group-wise but on a per-server basis.

Requirements

Command privilege level: 0
Allowed during upgrade: No

Cisco Emergency Responder Command Line Interface Guide for Release 15, CLI Commands, utils fips
