Document toolboxDocument toolbox

Enabling / Disabling the CC Mode and FIPS Mode

Owned by Panna .
Jun 20, 2022
3 min read

Note

Infoblox recommends that you do not change the Common Criteria or FIPS setting of a NIOS appliance that is in a production environment.

This topic explains how to enable or disable the Common Criteria (CC) or the Federal Information Processing Standard (FIPS) 140-2 security standards mode in NIOS. It also lists the Infoblox appliances that can be made Common Criteria or FIPS compliant.

Prerequisite

Before you enable the Common Criteria or the FIPS mode, you must reset the NIOS appliance to its original factory settings. This removes the database, network settings, logs, and configuration files. The appliance then restarts with its factory settings, which are the default user name, password, and default network settings. If you do not reset the appliance to its original factory settings, the appliance will not be Common Criteria or FIPS compliant even if you enable the Common Criteria or the FIPS mode, respectively.

Note

  • Only superusers can access the CLI. To ensure security, access to the CLI is permitted through a direct console connection only. Activating the Enable Remote Console Access option in the Grid Properties Editor or in the Member Properties Editor results in a non-compliant system. For instructions to access the CLI through a console port, see Console Port Access.
  • After you log in, change the default user name and password of the default superuser admin to prevent unauthorized access to the CLI. For more information on changing passwords, see Changing the Password and Email Address.

To reset the NIOS appliance to its factory settings, complete the following steps:

  1. Log in to the NIOS CLI using a superuser account.
  2. Run the following CLI command:
    reset all

Enabling / Disabling the CC Mode

You can enable or disable the Common Criteria mode only from the NIOS CLI. To set the Common Criteria mode on an appliance, complete the following steps:

  1. Log in to the NIOS CLI.
  2. After executing the reset all command, log in to the CLI by using the default superuser admin name admin and password infoblox.
  3. Type the following command:
    set cc_mode 

The CLI reboots and goes through boot-time self tests. If the test fails, the CLI goes into a loop and displays an error message on the serial console and the LCD. Otherwise, it displays the login prompt after the self tests.

Note

To clear the Common Criteria mode from an appliance, log in to the NIOS CLI and run the following command:
reset all

Enabling / Disabling the FIPS Mode

You can enable the FIPS mode in the following setups:

  • In a Grid, you can set the FIPS mode only on Grid Master. The setting is propagated to all Grid members during the joining process. After the configuration is changed, Grid members are restarted.
  • You can set the FIPS mode on standalone systems.
  • In an HA setup, you can set the FIPS mode only on the standalone Grid Master, and then configure it as a node in the HA pair. Perform the same step for the second node of the HA pair. You cannot change the FIPS mode setting on the HA Grid Master or on  the HA member.

You can enable or disable the FIPS mode only from the NIOS CLI. To set the FIPS mode on an appliance, complete the following steps:

  1. Log in to the NIOS CLI.
  2. After executing the reset all command, you can log in to the CLI only by using the default superuser admin name admin and password infoblox.
  3. Type the following command:
    set fips_mode 

    When prompted with Enable FIPS Mode?, type y to enable the FIPS mode or n to disable it. See the following example:

    Infoblox > set fips_mode
    Enable FIPS mode? (y or n): y
    New FIPS Mode Settings:
      FIPS mode enabled: Yes
        is this correct? (y or n): y
    Please refer to the Guidance Documentation Supplement Appendix of the NIOS Administrator Guide for the requirements to operate a grid in a FIPS compliant manner.
    The system will be rebooted to place it into FIPS mode. Are you sure you want to continue (y or n): y
    Integrity private key and certificate were generated successfully.

When you enable the FIPS mode, the NIOS appliance restarts and goes through boot-time self tests. If the tests fail, the appliance goes into a loop and displays an error message on the serial console and the LCD. Otherwise, it displays the login prompt after completing the self tests.

Note

To clear the FIPS mode from an appliance, log in to the NIOS CLI and run the following command:
reset all

Common Criteria and FIPS Compliant Appliances

The Trinzic, Network Insight, and Trinzic reporting appliances that can be made Common Criteria or FIPS 140-2 compliant, are as follows:

Trinzic Appliance SeriesCommon Criteria/FIPS Compliant Appliances
805 series

TE-815
TE-V815
TE-825
TE-V825
TR-805
TR-V805
ND-805
ND-V805

1405 seriesTE-1415
TE-V1415
TE-1425
TE-V1425
TR-1405
TR-V1405
ND-1405
ND-V1405
2205 seriesTE-2215
TE-V2215
TE-2225
TE-V2225
TR-2205
TR-V2205
ND-2205
ND-V2205
4005 seriesTE-4015
TE-V4015
TE-4025
TE-V4025
TR-4005
TR-V4005
ND-4005
ND-V4005