Federal Information Processing Standard (FIPS) 140-2 Mode

Updated October 26, 2021. Written for LMS Version 6.2.

Security Policy

The Uplogix Local Manager can be operated in a secure manner that complies with FIPS 140-2 for customers whose corporate security policy requires it. The latest FIPS Security Policy document is available here.

Enabling FIPS Mode

To enable FIPS mode, the Local Manager must be running the -g version of LMS software. On the Software Downloads page, two files are available for the Local Manager: lms.bin and lms-g.bin. Download and upgrade to the G version before continuing.

[admin@UplogixLM]# config update scp software@fileserver:software/envoy6.0/lms-g.bin
** Issuing this command will restart the system. ** 
Proceed? (y/n): y

You can use the show version command to verify your version.

[super@UplogixLM]# show ver

Model: Uplogix LM83x
Serial number: A123456789
LMS version: 6.0.0.35619g
LMS build: 20200221:041342
FIPS 140-2 mode: disabled
Slot 2 serial number: 
Slot 3 serial number: 
Slot 4 serial number: AM1229170029

For LMS version, the number should end in a g.

To enable FIPS mode, use the config system fips enable command. A strong warning will be presented.

[super@UplogixLM]# config system fips enable
** Issuing this command disables services and cryptographic algorithms to **
** comply with FIPS 140-2 rules and the Uplogix security policy.          **
**                                                                        **
** New SSH host keys will be generated.                                   **
**                                                                        **
** This system will not be able to talk to the management server,         **
** unless the management server is also running in FIPS mode.             **
**                                                                        **
** The system will reboot after changing its configuration.               **
**                                                                        **
** This process can only be undone with a factory reset which will result **
** in all data being lost.                                                **
**                                                                        **
** THIS PROCESS IS IRREVERSIBLE.                                          **

Proceed? (y/n) [n]: y
Enter your password to confirm: 

Once you confirm the operation and enter your password, the Local Manager will enable FIPS and reboot.

Verifying system integrity...
...................................
Updating configuration...
Clearing heartbeat certificates...
Clearing SSH host keys...
Clearing secure dial-in keys and certificate...
Clearing virtual-port SSH keys...
Clearing SMS key...
Restarting...
Connection to 198.51.100.26 closed by remote host.
Connection to 198.51.100.26 closed.

After the reboot, verify FIPS mode is enabled with the show version command.

[admin@UplogixLM]# show ver
All Rights Reserved. Uplogix and its respective logos are trademarks of Uplogix, Inc. in the United States and other
jurisdictions. This product is protected by U.S Patent 7,512,677 and other patents pending. The programs included herein are
subject to a restricted use license and can only be used in conjunction with this application.

Model: Uplogix LM83x
Serial number: A700000115
LMS version: 6.0.0.35619
LMS build: 20200221:041342
FIPS 140-2 mode: enabled
Slot 2 serial number: 
Slot 3 serial number: 
Slot 4 serial number: AM1229170029

FIPS mode is now enabled.

Updating the Heartbeat Certificate

Uplogix uses a certificate to secure communications between Local Managers and the Control Center. If your security policy requires this be updated from the default, you can do so with the config system crypto command.

Generate a CSR

Use the config system crypto csr command to generate a certificate signing request.

[admin@UplogixLM]# config system crypto csr
Common Name: A61134287X
Organizational unit: 
Organization: Uplogix
City: Columbia
State/Province/Region: Texas
2-letter country code: US
Country code 'US' is United States.
Email address (optional): 
Other Attributes: 
Generate? (y/n): y

Generating new 2048-bit key pair.

Please submit the Certificate request to your CA and then
return to "config sys crypto certificate client" with the newly
generated certificate.

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC0jCCAboCAQAwWjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMREw
OTEwMDEzNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBd/AOqdPN3
YJqeslEvn0wowZhGn3Bkj6A6mZm7/62fcMKiBWnNEkXYIJbQInIk3eEBiCxV3pud
b5QIkiOBom84ub2bQ70iNpuV3Xjj5IsVJzC3QVOE8JpuV3Xjj5IsVJzUhtWckSI1YxBsz
HzzjGXKDOtxXUc/JGyU2WJJ6rZyqV3D9DCZ30U+b7UEKhUL4B2m9IvxvSwON/q25
KbuV3Xjj5IsVJz+CmdD+2Edw5sQs/ubb/B8ibGEMZnmQIg2mCKbknOznB8v7nF5/zccKb
B5AUBLoCChdfO8Iy6CuJyW0543NEG8c7t85cDSBSuV3Xjj5IsVJz9Bs624OxjiX4g7oi0d
D8eW38M9z2IRMu03FCIdoR65X6UnYdpjIRfB7JPnOKJQImrNPxZITiU4Bvi1Ucb0
YhjwXX5DNZG/tAMbrcFJQkrP3pADH8tO54xitx40vjJ9SUQT8+6oRTrBvrzeFcMK
tXBPFUJvp7zkHxuV3Xjj5IsVJzFOGgm4zxNs4IO0vTbVEew/yJcYgduvIbXTE3fxIZ
EXK3dZXAuJljrlYhZt4pWLXGN7q7fEHhD8UIYFkJz+dL02yIVMlgLPBb41zdL7uA
A1UdJQQMMAouV3Xjj5IsVJzMCMA0GCSqGSIb3DQEBCwUAA4IBAQBJzR9snUTctaIM
PguY79bw
-----END NEW CERTIFICATE REQUEST-----

[admin@UplogixLM]#

Submit the CSR to your CA so they can generate the certificate.

Install new client certificate

Use the config sys crypto certificate client command to install the new certificate provided to you by your CA.

[admin@UplogixLM]# config sys crypto certificate client
Type 'exit' on a line by itself to exit.
>

At the > prompt, past your certificate. The Local Manager will summarize the certificate.

Certificate:
Subject: CN=VR8Y30PF63, OU=Uplogix-heartbeat, O=Uplogix, L=Austin, ST=TX, C=US
Issuer:  CN=docca, OU=doc, O=Uplogix, L=AUSTIN, ST=TX, C=US
Serial Number: 59:16:82:3e:f6:5c:77:fb
Valid From: 10/23/2021 15:32:00 UTC
Valid To:   10/23/2022 15:32:00 UTC
Fingerprint: oTwLCtmj2Yvsdfz13sKHRNf234abab43q2ulX0+5scnw=

Install new server certificate

Use the config system crypto certificate management command to install the new server certificate.

[admin@UplogixLM]# config system crypto certificate management
** Only one certificate is allowed for a management server.                **
** Entering a new certificate here without updating the management server  **
** first will prevent the system from communicating with the management    **
> ** server.                                                                 **

> Proceed? (y/n) [n]: y
> Type 'exit' on a line by itself to exit.
> [config sys crypto cert management]

Paste in the certificate and type exit. Once exited, the certificate will be summarized.

[config sys crypto cert management]# exit ( it should look exactly like this:

Certificate:
Subject: CN=64.129.60.236, OU=Uplogix-heartbeat, O=Uplogix, L=Austin, ST=TX,C=US
Issuer:  CN=docca, OU=doc, O=Uplogix, L=AUSTIN, ST=TX, C=US
Serial Number: 72:19:c1:aa:8b:42:1e:13
Valid From: 10/23/2021 15:16:00 UTC
Valid To:   10/23/2022 15:16:00 UTC
Fingerprint: u0SJk5732423526437vn435 tby435+vyo+ETI=

Verify heartbeat

If the Local Manager is not yet pointed at the Control Center, use the config system management command to enable it.

[admin@UplogixLM]# config system management
--- Existing  Values ---
Use Management Server: auto
Hostname or IP: (searching)
Port:
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat:  (not yet contacted)
Change these? (y/n) [n]: y
--- Enter New Values ---
Use Management Server (y/n/auto) [auto]: y
Hostname or IP [127.0.0.1]: 22.123.60.246
Set NTP location to 62.119.60.136 (y/n) [y]: n
Port [8443]:
Heartbeat interval (seconds) [30]:
Heartbeat during [all]:
Do you want to commit these changes? (y/n): y

Allow 30-60 seconds for the initial heartbeat, and then check the status with the show system management command.

[admin@UplogixLM]# show system management
Use Management Server: yes
Hostname or IP: 22.123.60.246
Port: 8443
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: 10/23/2021 15:39:16 GMT (Full)

Look for successful heartbeat and ensure the timestamp is recent.

Heartbeat certificate update is complete.

Not finding what you're looking for?

The Uplogix Technical Support team is standing by 24/7/365 to answer any questions you may have about the installation, configuration, and usage of our products. Give us a call at 888.663.6869 or email us at support@uplogix.com.

About Uplogix

Uplogix is the most evolved out-of-band solution on the market. Our intelligent console server monitors network devices and takes actions directly over the console port, like an onsite technician plugging in a laptop.

Want to find out how Uplogix can help manage your network? Drop us a note!

Learn more:

Solutions Products Resource Center About Us Schedule a demo

© 2022 Uplogix, Inc., All Rights Reserved.

Contact Uplogix Support
+1 (888) 663-6869
+1 (512) 857-7070
Sales Assistance
General Inquiries