2 Installing a FIPS Feature Set and Upgrading a FIPS System

This chapter describes the procedure for installing a FIPS feature set (if one is not already present on the system) and upgrading the image on a system that already has FIPS provisioned.

Note:

You enable the FIPS feature set through the Data Integrity entitlement, using the setup entitlements command.
When enabling the FIPS feature set, the ESBC warns the user with the following message:
CAUTION: Enabling this feature activates enhanced FIPS security functions. Once saved, factory rest may be required.

Installing a FIPS Feature Set

For how the FIPS feature is installed on the Enterprise Session Border Controller and Enterprise Session Router, see the Enterprise Session Border Controller and Enterprise Session Router Release Notes. For instructions on provisioning the FIPS entitlement, see the Enterprise Session Border Controller ACLI Configuration Guide.

Enabling the FIPS Feature Set on the Enterprise Session Router

Unlike on the ESBC, you must perform the steps in this procedure before any other FIPS enablement procedures on an Oracle Enterprise Session Router. After performing these steps, you set up your ESR for FIPS under the same conditions and using the same procedures as an ESBC:

  1. From the ACLI command prompt, run the show users command.
  2. Terminate any extraneous, open management sessions with the exception of your own.
  3. From the ACLI command prompt, run the update-grub command.
  4. Reboot your Oracle Enterprise Session Router.
  5. Enable FIPS using setup entitlements, and complete all other FIPS enablement steps.

Note:

Do not run the update-grub command if more than one ACLI session is active; otherwise, enabling FIPS may fail. Use the show users command to determine whether there are additional ACLI sessions. Applicable management sessions include open shells, SSH sessions, and console sessions.

Upgrading the Image on a FIPS Enabled System

This procedure assumes that the FIPS feature is already installed on the system. If the FIPS feature set on your system expires, you must install a valid FIPS feature. For more information on installing a FIPS feature set, see "Installing a FIPS Feature Set".

The following are required to install the FIPS feature set:
  • SSH File Transfer Protocol (SFTP) client with access to the target Acme Packet platform.
  • SFTP access to the target Acme Packet platform's management IP address.
  • Access to the FIPS software image to which you are upgrading.

Note:

You must follow this procedure on a running device:

Note:

The steps below use the text <release> as a placeholder for the file's release version.
  1. SFTP the software image (*.bz) and Stage3 boot loader (*.boot) to /code/images/.
    [Downloads]$ ls -l
    total 163380
    -rw-r--r-- 1 bob src  15591728 Dec  9 14:45 <release>.boot
    -rw-r--r-- 1 bob src 151705904 Dec  9 14:45 <release>.bz
    [Downloads]$ sftp admin@10.1.1.3
    Connected to admin@10.1.1.3.
    sftp> cd /code/images/
    sftp> put *
    Uploading <release>.boot to /code/images/<release>.boot
    <release>.boot                  100%   15MB  30.8MB/s   00:00
    Uploading <release>.bz to /code/images/<release>.bz
    <release>.bz                    100%  145MB  48.3MB/s   00:02
    sftp> bye
    [Downloads]$
  2. SSH to your target machine.
  3. Run set-boot-loader with the path to the new bootloader.
    ORACLE# set-boot-loader /code/images/<release>.boot
    Verifying signature of /code/images/<release>.boot
    Version: Acme Packet <release> (Build 188) 202010201742
    
    Image integrity verification passed
    
    Successfully copied /code/images/<release>.boot to /boot/bootloader
    ORACLE#
  4. Verify the correct image file has been uploaded. The following is an example of how to verify the image:
    ORACLE# check-boot-file /code/images/<release>.bz
    Verifying signature of /code/images/<release>.bz
    Version: Acme Packet <release> (WS Build 48) 201705130547
    Image integrity verification passed
    
  5. Run set-boot-file with the path to the new software image.
    ORACLE# set-boot-file /code/images/<release>.bz
    Verifying signature of /code/images/<release>.bz
    Version: Acme Packet SCZ9.0.0 Patch 12 (Build 188) 202010201720
    
    Image integrity verification passed
    old boot file /boot/bzImage being replaced with /code/images/<release>.bz
    ORACLE#
  6. Execute the reboot force command to reboot the system.
    ORACLE# reboot force
    ...
    Starting sysmand...
    ---------------------------------------------------------
    This product contains third-party software provided under
    one or more open source licenses. Type "show about" after
    logging in for full license details.
    ---------------------------------------------------------

    ...

    Mocana FIPS Power Up Self Test: Started...
    Mocana FIPS Power Up Self Test: Finished
    
    FIPS_RSA_Signature_Verify: PASSED!!!
    Starting tSecured...
    Starting tAuthd...
    Starting tCertd...
    Starting tIked...
    Starting tTscfd...
    Starting tAppWeb...
    Starting tauditd...
    Starting tauditpusher...
    Starting tSnmpd...
    Starting snmpd...
    Start platform alarm...
    Starting tIFMIBd...
    Initializing /opt/ Cleaner
    Starting tLogCleaner task
    Bringing up shell...
    
    *************************************************************
    *    System is in FIPS 140-2 level-2 compatible mode.      *
    *    FIPS: All Power on self test completed successfully.   *
    *************************************************************
    password secure mode is enabled
    Admin Security is disabled
    Starting SSH...
    SSH_Cli_init: allocated memory for 5 connections
    
    *************************************************************
    ***    System is in FIPS 140-2 level-2 compatible mode.   ***
    *************************************************************
    Password:
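
As an added example (not Oracle tooling and not part of the original procedure), the following script checks a console log captured during the step 6 reboot for the FIPS power-up markers shown above, in the order they appear, and reports the first one that is missing. The function names and the practice of capturing the console to a file are assumptions; the marker strings are copied from the output on this page, and the sample log is constructed from it.

```shell
#!/bin/sh
# Added example: confirm the FIPS power-up markers in a captured console log.
# Marker strings come from the boot output shown on this page; the function
# names and the log file are assumptions made for illustration.

# check_fips_boot LOGFILE
# Prints "ok" and returns 0 when every marker is present in order;
# otherwise prints the first missing marker and returns 1.
check_fips_boot() {
    awk '
    BEGIN {
        m[1] = "Mocana FIPS Power Up Self Test: Started"
        m[2] = "Mocana FIPS Power Up Self Test: Finished"
        m[3] = "FIPS_RSA_Signature_Verify: PASSED"
        m[4] = "System is in FIPS 140-2 level-2 compatible mode."
        m[5] = "FIPS: All Power on self test completed successfully."
        n = 5; i = 1
    }
    # Advance only when the next expected marker appears on this line.
    i <= n && index($0, m[i]) { i++ }
    END {
        if (i <= n) { print "missing: " m[i]; exit 1 }
        print "ok"
    }' "$1"
}

# write_sample_log PATH: constructed sample, abridged from the output above.
write_sample_log() {
    cat > "$1" <<'EOF'
Starting sysmand...
Mocana FIPS Power Up Self Test: Started...
Mocana FIPS Power Up Self Test: Finished

FIPS_RSA_Signature_Verify: PASSED!!!
Starting tSecured...
*************************************************************
*    System is in FIPS 140-2 level-2 compatible mode.      *
*    FIPS: All Power on self test completed successfully.   *
*************************************************************
Starting SSH...
EOF
}

# Demonstration on the constructed sample log.
log=$(mktemp)
write_sample_log "$log"
check_fips_boot "$log"
rm -f "$log"
```

A log that lacks any marker, or shows them out of order, is treated as a failed check, so the upgrade record should keep the captured log alongside the result.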