Enabling / Disabling the CC Mode and FIPS Mode
Note
Infoblox recommends that you do not change the Common Criteria or FIPS setting of a NIOS appliance that is in a production environment.
This topic explains how to enable or disable the Common Criteria (CC) or the Federal Information Processing Standard (FIPS) 140-3 security standards mode in NIOS. It also lists the Infoblox appliances that can be made Common Criteria or FIPS compliant.
Prerequisite
Before you enable the Common Criteria or the FIPS mode, you must reset the NIOS appliance to its original factory settings. This removes the database, network settings, logs, and configuration files. The appliance then restarts with its factory settings, which are the default user name, password, and default network settings. If you do not reset the appliance to its original factory settings, the appliance will not be Common Criteria or FIPS compliant even if you enable the Common Criteria or the FIPS mode, respectively.
Note
Only superusers can access the CLI. To ensure security, access to the CLI is permitted through a direct console connection only. Activating the Enable Remote Console Access option in the Grid Properties Editor or in the Member Properties Editor results in a non-compliant system. For instructions to access the CLI through a console port, see Console Port Access.
After you log in, change the default user name and password of the default superuser admin to prevent unauthorized access to the CLI. For more information on changing passwords, see Changing the Password and Email Address.
To reset the NIOS appliance to its factory settings, complete the following steps:
Log in to the NIOS CLI using a superuser account.
Run the following CLI command:
reset all
For FIPS mode:
The following algorithms are not recommended because they are not compliant with FIPS 140-3:
DES-CBC-MD5
DSA
RSASHA1
MD5
TLS1.0 and TLS 1.1
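As an added illustration of the algorithm list above (example code written for this page, not Infoblox or NIOS code), the following Python script audits DNSSEC DNSKEY and RRSIG records for the DSA and RSASHA1 algorithms and builds a TLS client context that refuses TLS 1.0/1.1 and cipher suites based on MD5, SHA-1 or DSA. It assumes that DSA and RSASHA1 in the list are the DNSSEC algorithm mnemonics of RFC 8624 (algorithm numbers 3 and 5), treats their NSEC3 variants (6 and 7) the same way because they use the same signature primitives, and uses Python's ssl module with OpenSSL cipher-string syntax as a stand-in for a client configuration; the sample zone lines are constructed.

```python
"""Offline audit of DNSSEC records and a TLS client configuration against the
FIPS 140-3 algorithm list on this page (DSA, RSASHA1, MD5, TLS 1.0/1.1).
Added example, not Infoblox or NIOS code; the sample records are constructed."""
import re
import ssl

# IANA DNSSEC algorithm numbers and their mnemonics (RFC 4034 / RFC 8624).
DNSSEC_ALGORITHMS = {
    3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# DSA and RSASHA1 are on the page's not-recommended list. Assumption made here:
# their NSEC3 variants (6, 7) use the same signature primitives and are treated alike.
NON_FIPS_DNSSEC = {3, 5, 6, 7}

# Presentation-format DNSKEY: owner TTL IN DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+\S")
# Presentation-format RRSIG: owner TTL IN RRSIG type-covered algorithm labels ...
RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+")


def audit_dnssec_records(lines):
    """Return one finding per DNSKEY/RRSIG line as
    (owner, rtype, algorithm number, mnemonic, compliant).
    Lines of other record types are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = DNSKEY_RE.match(line)
        if m:
            owner, alg, rtype = m.group(1), int(m.group(3)), "DNSKEY"
        else:
            m = RRSIG_RE.match(line)
            if not m:
                continue
            owner, alg, rtype = m.group(1), int(m.group(3)), "RRSIG"
        name = DNSSEC_ALGORITHMS.get(alg, "UNKNOWN(%d)" % alg)
        findings.append((owner, rtype, alg, name, alg not in NON_FIPS_DNSSEC))
    return findings


def fips_client_context():
    """Build a TLS client context that refuses TLS 1.0/1.1 and drops cipher
    suites whose MAC is MD5 or SHA-1 or whose authentication is DSA (DSS)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!MD5:!SHA1:!DSS")
    return ctx


def non_compliant_ciphers(ctx):
    """Names of enabled cipher suites that still use MD5 or SHA-1. OpenSSL
    names such suites with an 'MD5' token or a trailing '-SHA'; SHA-256/384
    suites end in '-SHA256' / '-SHA384' and are not flagged."""
    return [c["name"] for c in ctx.get_ciphers()
            if "MD5" in c["name"] or c["name"].endswith("-SHA")]


# Constructed sample zone data: an RSASHA1 KSK (non-compliant), an
# ECDSAP256SHA256 ZSK, one signature made with each, and an unrelated A record.
SAMPLE_ZONE = [
    "example.test. 3600 IN DNSKEY 257 3 5 AwEAAb3ksamplekskRSASHA1==",
    "example.test. 3600 IN DNSKEY 256 3 13 oJMRESz5samplezskECDSA==",
    "example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20300101000000 20250101000000 11111 example.test. c2FtcGxl",
    "example.test. 3600 IN RRSIG A 13 2 3600 20300101000000 20250101000000 22222 example.test. c2FtcGxl",
    "www.example.test. 300 IN A 192.0.2.10",
]

if __name__ == "__main__":
    for owner, rtype, alg, name, ok in audit_dnssec_records(SAMPLE_ZONE):
        print("%-7s %-18s %-20s %s" % (rtype, owner, name, "ok" if ok else "NOT FIPS"))
    ctx = fips_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("non-compliant ciphers still enabled:", non_compliant_ciphers(ctx))
```

Run the script as-is to see the two RSASHA1 records flagged; feed it the output of a zone transfer or a dig DNSKEY/RRSIG query to audit a real zone. The cipher-string check is an OpenSSL client-side view and does not replace the appliance's own boot-time self tests described below.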
Port Settings for FIPS/CC Compliance
Following is a list of port usage with the communication types used in FIPS/CC mode:
22 - OpenVPN server port used for Grid communication, both with and without Secure Shell (SSH) tunnel.
1023 - OpenVPN server port used for the passive node to connect with the active node only when the Grid member is in HA mode. When the Grid Master is in HA mode, the passive node communicates with the active node only on port 1194.
9994/9993 - OpenVPN remote port to which members connect through the SSH tunnel. These ports are used locally on the client/member side as SSH tunnel listening points, forwarding OpenVPN traffic to the remote server. They do not need to be opened for firewall purposes.
2294 - Local port of the Grid member used to connect to the Grid Master's OpenVPN server port during the SSH tunnel setup. The passive node also uses the same port number to communicate with the active node even when it is an HA member. 2294 is the local port that the Grid member binds to for sending outbound traffic.
21197 - Network Insight probe OpenVPN port to connect with the consolidator.
Enabling / Disabling the CC Mode
You can enable or disable the Common Criteria mode only from the NIOS CLI. To set the Common Criteria mode on an appliance, complete the following steps:
Log in to the NIOS CLI.
After executing the reset all command, log in to the CLI by using the default superuser admin name admin and password infoblox. Type the following command:
set cc_mode
The appliance reboots and goes through boot-time self tests. If the tests fail, the appliance goes into a loop and displays an error message on the serial console and the LCD. Otherwise, it displays the login prompt after the self tests.
Note
To clear the Common Criteria mode from an appliance, log in to the NIOS CLI and run the following command:
reset all
Enabling / Disabling the FIPS Mode
You can enable the FIPS mode in the following setups:
In a Grid, you can set the FIPS mode only on Grid Master. The setting is propagated to all Grid members during the joining process. After the configuration is changed, Grid members are restarted.
You can set the FIPS mode on standalone systems.
In an HA setup, you can set the FIPS mode only on the standalone Grid Master, and then configure it as a node in the HA pair. Perform the same step for the second node of the HA pair. You cannot change the FIPS mode setting on the HA Grid Master or on the HA member.
You can enable or disable the FIPS mode only from the NIOS CLI. To set the FIPS mode on an appliance, complete the following steps:
Log in to the NIOS CLI.
After executing the reset all command, you can log in to the CLI only by using the default superuser admin name admin and password infoblox. Type the following command:
set fips_mode
When prompted with Enable FIPS Mode?, type y to enable the FIPS mode or n to disable it. See the following example:

```
Infoblox > set fips_mode
Enable FIPS mode? (y or n): y
New FIPS Mode Settings:
FIPS mode enabled: Yes
is this correct? (y or n): y
Please refer to the Guidance Documentation Supplement Appendix of the
NIOS Administrator Guide for the requirements to operate a grid in a FIPS compliant manner.
The system will be rebooted to place it into FIPS mode.
Are you sure you want to continue (y or n): y
Integrity private key and certificate were generated successfully.
Sign executable files by sha256sum...
```
When you enable the FIPS mode, the NIOS appliance restarts and goes through boot-time self tests. If the tests fail, the appliance goes into a loop and displays an error message on the serial console and the LCD. Otherwise, it displays the login prompt after completing the self tests.
In a new Grid, if the password of the default admin user was not changed before you enable FIPS mode, enabling FIPS mode prompts you to change that password.
To migrate Grid communication between the Grid Master and members to the FIPS/CC compliant state, use the set distributed_grid_comm_mode command, and use show distributed_grid_comm_mode to display whether the NIOS Grid is in the FIPS/CC compliant mode.
Upgrade Guidelines in FIPS mode
When FIPS mode is enabled, during a fresh installation or after an upgrade, you are now prompted to change the password of the default 'admin' user (only at the first login), even if it was changed in a previous version.
However, if FIPS mode is not enabled during the upgrade, consider the following if you wish to enable FIPS mode post upgrade:
If you change the password for the username - admin before enabling FIPS mode, no further password change is needed after enabling FIPS mode.
If you do not change the password for the username - admin before enabling FIPS mode, you will need to change the password after enabling FIPS mode.
When FIPS mode is enabled, during a staged upgrade, after the Grid Master is upgraded, the changed password of the 'admin' user does not propagate to members that are waiting to upgrade until those members are upgraded.
If FIPS is enabled on a Grid, Grid communication is not automatically in the FIPS-compliant mode after an upgrade. Run the set distributed_grid_comm_mode CLI command to bring Grid communication into the compliant mode. A banner is displayed in Grid Manager until NIOS transitions into the FIPS/CC compliant mode. For more information about the command, see set distributed_grid_comm_mode.
Common Criteria and FIPS Compliant Appliances
The Trinzic, Network Insight, and Trinzic reporting appliances that can be made Common Criteria or FIPS 140-3 compliant are as follows:

| Trinzic Appliance Series | Common Criteria/FIPS Compliant Appliances |
|---|---|
| 805 series | TE-815 |
| 1405 series | TE-1415 |
| 2205 series | TE-2215 |
| 4005 series | TE-4015 |