ACLI Commands

These ACLI commands and parameters support FIPS compliance.

show security fips

The show security fips ACLI command displays the FIPS state. The following is an example of Acme Packet platform output.

ACMEPACKET# show security fips

*************************************************************
***    System is in FIPS 140-2 level-2 compatible mode.   ***
*************************************************************
ACMEPACKET#

The following is an example of VME output:

ACMEPACKET# show security fips

*************************************************************
***    System is in FIPS 140-2 level-1 compatible mode.   ***
*************************************************************

If the Oracle® Enterprise Session Border Controller transitions from FIPS 140-2 mode to non-FIPS mode because a self-test failed, the system is no longer accessible and you must use the Oracle Rescue Account and perform a manufacture reset on the module. For more information on performing a manufacture reset, see Accessing the Oracle Rescue Account. In this state, show security fips reports the failed test, as in the following example:

ACMEPACKET# show security fips

************************************************************
*** System is NOT in FIPS 140-2 level-2 compatible mode.
*** FIPS Error - Software image integrity check failed
************************************************************
ACMEPACKET#

The following are some of the self-test error messages you may see:

AES CBC with 128 bit key test failed.
AES CBC with 192 bit key test failed.
AES CBC with 256 bit key test failed.
AES CTR with 128 bit key test failed.
AES CTR with 192 bit key test failed.
AES CTR with 256 bit key test failed.
3DES CBC test failed.
SHA1 test failed.
SHA256 test failed.
HMAC-SHA1 test failed.
HMAC-SHA256 test failed.
Continuous DRBG failed.
DRBG with known entropy failed.
DRBG instantiate health test failed.
DRBG reseed health test failed.
DRBG generate health test failed.
DRBG conditional test failed.
BCM RNG test failed.
RSA crypto failed.
RSA pairwise consistency test failed.
RSA pairwise consistency Conditional test failed.
Software image integrity check failed.
BCM security processor not present.
HiFN not present on media phy card.
HiFN not present on wancom.
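Because a module that drops out of FIPS mode can only be recovered through the Oracle Rescue Account and a manufacture reset, the FIPS state is worth polling from a monitoring host rather than discovering by hand. The following is an added example, not code from the Oracle documentation or product: it parses captured show security fips output in the layouts shown above, reports the mode and level, collects every "FIPS Error" line, and groups each failed test by what it points at (image integrity, a missing crypto device, the DRBG, or an algorithm known-answer/pairwise test). The sample outputs are constructed from the examples on this page; the required-level check and the error categories are this example's own conventions, not part of the product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample outputs modelled on the show security fips examples
# on this page; not captured from a real device. The failing sample carries
# two "FIPS Error" lines to show that every reported test is collected.
SAMPLE_OK = """\
ACMEPACKET# show security fips

*************************************************************
***    System is in FIPS 140-2 level-2 compatible mode.   ***
*************************************************************
ACMEPACKET#
"""

SAMPLE_VME = """\
ACMEPACKET# show security fips

*************************************************************
***    System is in FIPS 140-2 level-1 compatible mode.   ***
*************************************************************
"""

SAMPLE_FAIL = """\
ACMEPACKET# show security fips

************************************************************
*** System is NOT in FIPS 140-2 level-2 compatible mode.
*** FIPS Error - Software image integrity check failed
*** FIPS Error - DRBG instantiate health test failed
************************************************************
ACMEPACKET#
"""

_STATE_RE = re.compile(r"System is (NOT )?in FIPS 140-2 level-(\d+) compatible mode")
_ERROR_RE = re.compile(r"FIPS Error - (.+)")


@dataclass
class FipsStatus:
    in_fips_mode: bool
    level: int
    errors: List[str] = field(default_factory=list)


def parse_fips_status(output: str) -> FipsStatus:
    """Parse show security fips output.

    Raises ValueError when the state banner is missing, so an unreadable
    or truncated result is never mistaken for a pass (fail closed).
    """
    status: Optional[FipsStatus] = None
    errors: List[str] = []
    for line in output.splitlines():
        m = _STATE_RE.search(line)
        if m:
            status = FipsStatus(in_fips_mode=m.group(1) is None, level=int(m.group(2)))
            continue
        m = _ERROR_RE.search(line)
        if m:
            # Drop the banner asterisks, trailing period and padding.
            errors.append(m.group(1).strip(" *."))
    if status is None:
        raise ValueError("no FIPS state banner found in output")
    status.errors = errors
    return status


def classify_error(message: str) -> str:
    """Group a self-test message (example categories, not the product's) by
    what failed: the image, a missing crypto device, the RNG/DRBG, or an
    algorithm known-answer / pairwise-consistency test."""
    text = message.lower()
    if "integrity" in text:
        return "image-integrity"
    if "not present" in text:
        return "hardware"
    if "drbg" in text or "rng" in text:
        return "rng"
    return "algorithm-self-test"


def evaluate(output: str, required_level: int) -> List[str]:
    """Return findings for a captured show security fips output.

    An empty list means the module is in FIPS mode at (or above) the
    required level. A module that reports NOT in FIPS mode cannot be
    recovered from the CLI; per the documentation it needs the Oracle
    Rescue Account and a manufacture reset.
    """
    status = parse_fips_status(output)
    findings: List[str] = []
    if not status.in_fips_mode:
        findings.append("module is NOT in FIPS mode; manufacture reset via "
                        "Oracle Rescue Account required")
        for err in status.errors:
            findings.append(f"{classify_error(err)}: {err}")
    elif status.level < required_level:
        findings.append(f"FIPS level-{status.level} mode, but "
                        f"level-{required_level} required")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("vme", SAMPLE_VME), ("fail", SAMPLE_FAIL)):
        print(name, evaluate(sample, required_level=2))
```

The parser deliberately raises on output that lacks the state banner instead of returning a default: the one condition this check exists to catch is the module silently leaving FIPS mode, and a collector that treats "no banner" as "healthy" would hide exactly that. Acme Packet hardware is expected at level-2 and VME at level-1, so the required level is a parameter rather than a constant.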

show security ssm-accelerator

The show security ssm-accelerator command displays the SSM status on the E-SBC, allowing you to verify offloading to Nitrox. The following is an example of Acme Packet platform output:

ACMEPACKET# show security ssm-accelerator
SSM (Signaling Security Module) V3 present.

Driver Version: 5.3.1

Driver Compile time defines
----------------------------
MAIN LINE PROTOCOL used : SSL
MICROCODE used : MC2

------------------------------------------------------------------------
                             SSL Record Processing
------------------------------------------------------------------------
                      Record Encrypt           Record Decrypt
Packet Requests:                0                       0
Packet Aborts:                  0                       0
Bytes In:                       0                       0
Bytes Out:                      0                       0
------------------------------------------------------------------------

                       Crypto Processing
------------------------------------------------------------------------
                           Encrypt                 Decrypt
Packet Requests:                0                       0
Packet Aborts:                  0                       0
Bytes In:                       0                       0
Bytes Out:                      0                       0
------------------------------------------------------------------------
                              HMAC
Packet Requests:                0
Packet Aborts:                  0
Bytes In:                       0
Bytes Out:                      0

ACMEPACKET#

encrypt-algorithm

The configuration parameter encrypt-algorithm, under SNMP-user-entry, lets an SNMPv3 user use AES128 privacy encryption instead of DES. The parameter defaults to des, so you must set it to aes128 explicitly.

Below is an example of a configured SNMP-user-entry and the corresponding trap-receiver.

ACMEPACKET# configure terminal
ACMEPACKET(configure)# system
ACMEPACKET(system)# SNMP-user-entry
ACMEPACKET(SNMP-user-entry)# show
snmp-user-entry
        user-name          fips
        auth-password      *****
        priv-password      *****
        encrypt-algorithm  aes128
        last-modified-by   admin@console
        last-modified-date 2015-05-11 14:26:15

Subsequently, you must configure trap-receiver, where the user-list contains the SNMP-user-entry just configured.

ACMEPACKET(configure)# system
ACMEPACKET(system)# trap-receiver
ACMEPACKET(trap-receiver)# select    (select the trap-receiver configured)
trap-receiver
        ip-address            172.30.0.144:161
        filter-level          all
        community-name
        user-list             fips
        last-modified-by      admin@console
        last-modified-date    2015-05-11 16:19:24

Note:

You must save and activate the configuration after changing the encrypt-algorithm.
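Since encrypt-algorithm defaults to des, a user entry that was never touched keeps DES, and a trap-receiver whose user-list names such a user sends traps with DES privacy. The following is an added example, not code from the Oracle documentation or product: it parses a configuration dump laid out like the show output above (one element per unindented header, one attribute per indented line) and audits it, flagging every snmp-user-entry whose encrypt-algorithm is not aes128 (treating an absent parameter as des, per the documented default) and every trap-receiver whose user-list names an undefined user or one that does not use aes128. The dump is constructed for this example; the second user and second trap-receiver are not from the page, and the assumption that a user-list may be comma separated is this example's own.

```python
from typing import Dict, List, Tuple

# Constructed configuration dump in the layout of the show output on this
# page; not taken from a real device. The "legacy" user and the second
# trap-receiver are added to give the audit something to flag.
SAMPLE_CONFIG = """\
snmp-user-entry
        user-name          fips
        auth-password      *****
        priv-password      *****
        encrypt-algorithm  aes128
        last-modified-by   admin@console
        last-modified-date 2015-05-11 14:26:15
snmp-user-entry
        user-name          legacy
        auth-password      *****
        priv-password      *****
        encrypt-algorithm  des
        last-modified-by   admin@console
        last-modified-date 2015-05-11 14:30:02
trap-receiver
        ip-address            172.30.0.144:161
        filter-level          all
        community-name
        user-list             fips
        last-modified-by      admin@console
        last-modified-date    2015-05-11 16:19:24
trap-receiver
        ip-address            172.30.0.145:161
        filter-level          all
        community-name
        user-list             legacy
        last-modified-by      admin@console
        last-modified-date    2015-05-11 16:20:40
"""

Element = Dict[str, str]


def parse_elements(dump: str) -> List[Tuple[str, Element]]:
    """Split a show-style dump into (element-name, attributes) pairs.

    An unindented line starts a new element; an indented line is
    "key<whitespace>value", where the value may be empty (community-name).
    """
    elements: List[Tuple[str, Element]] = []
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            elements.append((raw.strip(), {}))
            continue
        if not elements:
            raise ValueError("attribute line before any element header")
        parts = raw.strip().split(None, 1)
        elements[-1][1][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return elements


def audit_snmp(dump: str, required: str = "aes128") -> List[str]:
    """Return findings for SNMPv3 users and the trap-receivers that use them."""
    findings: List[str] = []
    users: Dict[str, str] = {}
    elements = parse_elements(dump)

    for kind, attrs in elements:
        if kind != "snmp-user-entry":
            continue
        name = attrs.get("user-name", "<unnamed>")
        # Absent parameter means the documented default, des.
        alg = attrs.get("encrypt-algorithm", "des").lower()
        users[name] = alg
        if alg != required:
            findings.append(f"snmp-user-entry {name}: encrypt-algorithm is {alg}, "
                            f"expected {required}")

    for kind, attrs in elements:
        if kind != "trap-receiver":
            continue
        target = attrs.get("ip-address", "<no ip-address>")
        # Assumption for this example: user-list may hold comma-separated names.
        names = [u.strip() for u in attrs.get("user-list", "").split(",") if u.strip()]
        if not names:
            findings.append(f"trap-receiver {target}: no user-list, so no SNMPv3 user")
        for name in names:
            if name not in users:
                findings.append(f"trap-receiver {target}: user-list names undefined user {name}")
            elif users[name] != required:
                findings.append(f"trap-receiver {target}: user-list references {name}, "
                                f"which does not use {required}")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved running-config dump after the save and activate step; the audit is only meaningful against the activated configuration, since an edited but unactivated encrypt-algorithm has no effect on traffic yet.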