2 Installing a FIPS Feature Set and Upgrading a FIPS System

This chapter describes the procedure for installing a FIPS feature set (if one is not already present on the system) and upgrading the image on a system that already has FIPS provisioned.

Note:

You enable the FIPS feature set through the Data Integrity entitlement, using the setup entitlements command.
When enabling the FIPS feature set, the E-SBC warns the user with the following message:
CAUTION: Enabling this feature activates enhanced FIPS security functions. Once saved, factory rest may be required.

Installing a FIPS Feature Set

For the method in which the FIPS feature is installed, see the Session Border Controller Release Notes. For instructions on provisioning the FIPS feature, see the Session Border Controller ACLI Configuration Guide.

Upgrading the Image on a FIPS Enabled System

This procedure assumes that the FIPS feature is already installed on the system. If the FIPS feature set on your system expires, you must install a valid FIPS feature. For more information on installing a FIPS feature set, see "Installing a FIPS Feature Set".

The following are required to install the FIPS feature set:
  • SSH File Transfer Protocol (SFTP) client with access to the target Acme Packet platform.
  • SFTP access to the target Acme Packet platform's management IP address.
  • Access to the FIPS software image to which you are upgrading.

Note:

You must follow this procedure on a running device:
  1. Use SFTP to transfer <release>.bz into /boot on the target Acme Packet platform.
  2. Verify the correct image file has been uploaded. The following is an example of how to verify the image:
    sd225v# check-boot-file /boot/nnECZ750b4.bz
    Verifying signature of /boot/<release>.bz
    Version: Acme Packet ECZ7.5.0 Beta 4 (WS Build 48) 201705130547
    Image integrity verification passed
    
  3. Replace the boot file with the newly uploaded image. The following is an example of how to replace the boot file:
    sd225v# set-boot-file /boot/<release>.bz
    Verifying signature of /boot/<release>.bz
    Version: Acme Packet <release> Beta 4 (WS Build 48) 201705130547
    old boot file /boot/bzImage being replaced with /boot/<release>.bz
    
  4. Execute the reboot force command to reboot the system.
    sd225v# reboot force
    ……
    Starting sysmand...
    ---------------------------------------------------------
    This product contains third-party software provided under
    one or more open source licenses. Type "show about" after
    logging in for full license details.
    ---------------------------------------------------------

    ...

    Mocana FIPS Power Up Self Test: Started...
    Mocana FIPS Power Up Self Test: Finished
    
    FIPS_RSA_Signature_Verify: PASSED!!!
    Starting tSecured...
    Starting tAuthd...
    Starting tCertd...
    Starting tIked...
    Starting tTscfd...
    Starting tAppWeb...
    Starting tauditd...
    Starting tauditpusher...
    Starting tSnmpd...
    Starting snmpd...
    Start platform alarm...
    Starting tIFMIBd...
    Initializing /opt/ Cleaner
    Starting tLogCleaner task
    Bringing up shell...
    
    *************************************************************
    *    System is in FIPS 140-2 level-2 compatible mode.      *
    *    FIPS: All Power on self test completed successfully.   *
    *************************************************************
    password secure mode is enabled
    Admin Security is disabled
    Starting SSH...
    SSH_Cli_init: allocated memory for 5 connections
    
    *************************************************************
    ***    System is in FIPS 140-2 level-2 compatible mode.   ***
    *************************************************************
    Password:
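The following is an added example, not part of the original guide or of the product's software: a Python check that audits a captured console transcript of the procedure above, confirming that the file passed to set-boot-file is the same one that passed check-boot-file and that the FIPS self-test lines appear after the reboot. The function name `audit_upgrade`, the file name `/boot/example.bz`, and the assumption that the marker strings match the example output shown above are illustrative.

```python
import re
# Marker strings copied from this page's example console output, in the order
# they appear there; other releases may word them differently (assumption).
BOOT_MARKERS = [
    "Mocana FIPS Power Up Self Test: Started",
    "Mocana FIPS Power Up Self Test: Finished",
    "FIPS_RSA_Signature_Verify: PASSED",
    "System is in FIPS 140-2 level-2 compatible mode.",
    "FIPS: All Power on self test completed successfully.",
]
CMD = re.compile(r"^\S+#\s+(check-boot-file|set-boot-file)\s+(\S+)$")
# Constructed sample transcript; /boot/example.bz is a placeholder file name.
SAMPLE = """sd225v# check-boot-file /boot/example.bz
Image integrity verification passed
sd225v# set-boot-file /boot/example.bz
sd225v# reboot force
Mocana FIPS Power Up Self Test: Started...
Mocana FIPS Power Up Self Test: Finished
FIPS_RSA_Signature_Verify: PASSED!!!
*    System is in FIPS 140-2 level-2 compatible mode.      *
*    FIPS: All Power on self test completed successfully.   *
"""

def audit_upgrade(transcript: str) -> list:
    """Return the problems found in a captured upgrade console transcript."""
    lines = [ln.strip() for ln in transcript.splitlines()]
    problems, verified, boot_file, cmd = [], set(), None, None
    for ln in lines:
        m = CMD.match(ln)
        if m:
            cmd = m.groups()
            boot_file = cmd[1] if cmd[0] == "set-boot-file" else boot_file
        elif ln == "Image integrity verification passed" and cmd and cmd[0] == "check-boot-file":
            verified.add(cmd[1])  # only the file that was checked counts
    if boot_file is None:
        problems.append("set-boot-file was never run")
    elif boot_file not in verified:
        problems.append(f"{boot_file} set as boot file without a passing check-boot-file")
    reboot = next((i for i, ln in enumerate(lines) if ln.endswith("# reboot force")), None)
    if reboot is None:
        return problems + ["reboot force not found in transcript"]
    pos = reboot
    for marker in BOOT_MARKERS:  # each marker must follow the previous one
        hit = next((i for i in range(pos + 1, len(lines)) if marker in lines[i]), None)
        if hit is None:
            problems.append(f"missing or out of order after reboot: {marker}")
        else:
            pos = hit
    return problems
```

An empty list from `audit_upgrade` means the transcript shows a verified image and a clean FIPS power-up sequence; any returned entry names the step to investigate before the system is put back into service.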