The Federal Information Processing Standard FIPS 140-3 is a computer security standard for cryptographic modules used by the U.S. government. FIPS 140-3 specifies the security requirements that a cryptographic module must meet to protect classified or sensitive data. The phone includes a FIPS 140-3 compliant cryptographic module that you can optionally enable. When you enable this mode, the phone blocks the non-compliant cryptographic algorithms.
Use the FIPS_ENABLED parameter to control the use of FIPS 140-3 cryptographic algorithms. You can configure the parameter through the 46xxsettings.txt file, the DHCP SSON option, or AADS.
When you enable FIPS mode for the first time, the phone displays the message FIPS mode activated, restarting.... After the reboot, FIPS mode is active on every phone boot.
Enabling FIPS mode does not remove identity certificates that were previously installed using non-FIPS compliant methods. Before enabling FIPS mode, delete any previously installed identity certificates. For more information, see Parameters for deleting multiple identity certificates.
With FIPS mode enabled, the phone boots and performs a FIPS self-test. After the test completes successfully, the phone runs in FIPS mode. If the FIPS self-test fails, the phone displays the message FIPS self-test failure together with the options Admin and Reboot. Select Admin and enter the Admin menu password to boot the phone in non-FIPS mode.
When you enable FIPS mode, the phone reports the overall FIPS operating mode under Menu > Administration > View > FIPS OP mode as one of the following:
Compliant: All enabled features are operating in FIPS-compliant mode.
Not compliant: Some configured features are not operating in FIPS-compliant mode.
To see which configured features cause the phone to be not compliant, view the FIPS exceptions list under Menu > Administration > View > FIPS exceptions.
The table below lists the features that are added to the FIPS exceptions list, the condition under which each feature is added, and the configuration that removes the feature from the exceptions list.
| Feature | Condition to add | Configuration to remove |
|---|---|---|
| SSH | Always, when enabled | Set SSH_ALLOWED to 0 |
| WiFi | Always, when enabled and a WiFi chip is present | Set WIFISTAT to 0 or remove the WiFi chip |
| SLA Monitor | Always, when enabled | Set SLMSTAT to 0 |
| EAP-MD5 | When EAP-MD5 is enabled | Set DOT1XEAPS to TLS or set DOT1XSTAT to 0 |
| EAP-PEAP | When EAP-PEAP is enabled | Set DOT1XEAPS to TLS or set DOT1XSTAT to 0 |
| EAP-TTLS | When EAP-TTLS is enabled | Set DOT1XEAPS to TLS or set DOT1XSTAT to 0 |
| WML | WML Browser, when WMLPROXY is defined with http transport, or if WMLPROXY is not defined and: | WMLPROXY uses https transport or is set to "" to disable this feature; WMLIDLEURL uses https transport or is set to ""; WMLHOME uses https transport or is set to "" |
| PUSH | Push Notification, when TPSLIST is defined with http transport | TPSLIST uses https transport or is set to "" to disable this feature |
| RSYSLOG | Remote Syslog, when not configured securely | Set LOGSRVR_SECURE to 1 or set SYSLOG_ENABLED to 0 |
| RTP/RTCP | When not using SRTP | MEDIAENCRYPTION value does not include 9 |
| HTTP | HTTPSRVR is defined, or BRURI is defined using http transport | Set AUTH to 1 or set HTTPSRVR to "" (use TLSSRVR instead); BRURI uses https transport or is set to "" to disable this feature |
| HTTP_PPM | In Aura mode only, when CONFIG_SERVER_SECURE_MODE is 0 | Set CONFIG_SERVER_SECURE_MODE to 1 |
| LDAP | When enabled and using http, or when DIRAUTHTYPE = 1 (SASL) | Set DIRSECURE to 1 and DIRAUTHTYPE to 0, or set DIRENABLED_PLATFORM to 0 |
| WEBSvr | Always, when enabled | Set ENABLE_WEBSERVER to 0 |
| SIP | When not using SIP-TLS | SIP_CONTROLLER_LIST must only include transport=tls |
| SCEP | When the SCEP encryption algorithm is DES or the URL is defined with http | Set SCEPENCALG, SCEPENCALG_2 and SCEPENCALG_3 to 1 with each URL defined with https; or set MYCERTURL, MYCERTURL_2 and MYCERTURL_3 to "" |
| PKCS12 | When PKCS12URL is defined with http transport | PKCS12URL, PKCS12URL_2 and PKCS12URL_3 are defined with https; or set PKCS12URL, PKCS12URL_2 and PKCS12URL_3 to "" |
| HELD | When the URL is defined with http transport | HELD_URL uses https transport or is set to "" to disable this feature |
| AADS | When the URL is defined with http transport | AADS_URL uses https transport or is set to "" to disable this feature |
| BRDSFT | When the URL is defined with http transport | XSI_URL uses https transport or is set to "" to disable this feature |
| REST | When the URL is defined with http transport | REST_URL uses https transport or is set to "" to disable this feature |
| EXCHANGE | When http is used | Set EXCHANGE_SERVER_SECURE_MODE to 1 |
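The following checker applies the conditions from the table above to a settings file before FIPS mode is rolled out, so that a phone is not left in Not compliant state after the first FIPS boot. It is an added example, not Avaya code: it assumes the file uses SET NAME VALUE lines with # comments, treats unset parameters as disabled or empty (an assumption, not the phone's real defaults), and the sample file is constructed.

```python
import re

SAMPLE = """# constructed sample settings file, not a real deployment
SET FIPS_ENABLED 1
SET SSH_ALLOWED 1
SET DOT1XSTAT 1
SET DOT1XEAPS MD5
SET TPSLIST http://push.example.test/tps
SET SYSLOG_ENABLED 1
SET LOGSRVR_SECURE 0
SET MEDIAENCRYPTION 1,9
SET SIP_CONTROLLER_LIST sm1.example.test:5061;transport=tls,sm2.example.test:5060;transport=tcp
SET PKCS12URL https://pki.example.test/phone.p12
"""
# Features whose only table condition is "URL defined with http transport".
URL_PARAMS = {"PUSH": "TPSLIST", "PKCS12": "PKCS12URL", "HELD": "HELD_URL",
              "AADS": "AADS_URL", "BRDSFT": "XSI_URL", "REST": "REST_URL"}

def parse_settings(text):
    """Return {PARAM: value} from 'SET PARAM value' lines (a later SET wins)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*SET\s+(\S+)\s*(.*)$", line)
        if m:
            cfg[m.group(1).upper()] = m.group(2).strip().strip('"')
    return cfg

def _http(url):
    return url.lower().startswith("http://")

def fips_exceptions(cfg):
    """Feature names the table's conditions would place in the FIPS exceptions list."""
    g = lambda key, default="": cfg.get(key, default)   # unset -> empty (assumption)
    on = lambda key: g(key, "0") != "0"                  # unset -> disabled (assumption)
    eap = g("DOT1XEAPS", "TLS").upper()
    checks = {
        "SSH": on("SSH_ALLOWED"),
        "SLA Monitor": on("SLMSTAT"),
        f"EAP-{eap}": on("DOT1XSTAT") and eap != "TLS",
        "WML": any(_http(g(k)) for k in ("WMLPROXY", "WMLIDLEURL", "WMLHOME")),
        "RSYSLOG": on("SYSLOG_ENABLED") and g("LOGSRVR_SECURE", "0") != "1",
        "RTP/RTCP": "9" in g("MEDIAENCRYPTION").split(","),  # 9 = unencrypted RTP allowed
        "HTTP": bool(g("HTTPSRVR")) or _http(g("BRURI")),
        "HTTP_PPM": g("CONFIG_SERVER_SECURE_MODE", "1") == "0",
        "WEBSvr": on("ENABLE_WEBSERVER"),
        "SIP": any("transport=tls" not in e.lower()
                   for e in g("SIP_CONTROLLER_LIST").split(",") if e),
        "EXCHANGE": g("EXCHANGE_SERVER_SECURE_MODE", "1") != "1",
    }
    checks.update({name: _http(g(p)) for name, p in URL_PARAMS.items()})
    return sorted(name for name, fails in checks.items() if fails)
```

Running fips_exceptions(parse_settings(SAMPLE)) lists every feature the sample would put in the exceptions list; an empty result means the file contains nothing the table flags.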
When FIPS mode is enabled on the phone, users can still browse WML content, provided it is served securely over HTTPS.
To make the following features compliant with the FIPS operating (OP) mode, either disable them or configure them to use secure methods:
| Feature | Parameter |
|---|---|
| Provisioning server must use HTTPS | Set TLSSRVR |
| PPM Config Server must use HTTPS | Set CONFIG_SERVER_SECURE_MODE to 1 |
| 802.1x must use EAP-TLS | Set DOT1XEAPS to TLS |
| SCEP must use AES-256 | Set SCEPENCALG to 1 |
| PKCS12 must use HTTPS | Set PKCS12URL |
| OCSP must use HTTPS | Set OCSP_URI |
| LDAP must use TLS | Set DIRSECURE to 2 |
| Syslog must use TLS | Set LOGSRVR_SECURE to 1 |
| Push must use TLS | Set PUSH_MODE to 1 |
| BRURI must use HTTPS | Set BRURI |
| User store must use HTTPS | Set USER_STORE_URI |
| Microsoft Exchange must use HTTPS | Set EXCHANGE_SERVER_SECURE_MODE to 1 |
| WML Browser | Set WMLIDLEURI to Null or HTTPS; set WMLHOME to Null or HTTPS; set WMLPROXY to Null or HTTPS |
When you enable FIPS mode, the phone does not use the SCEP feature: SCEPENCALG is set to 0 and the phone forcibly disables SCEP.
If the phone installed an identity certificate before FIPS_ENABLED was set to 1, the phone continues to use that identity certificate. Avaya recommends deleting any previously installed identity certificates and installing identity certificates through a PKCS#12 file after the phone is set to FIPS_ENABLED 1. From then on, FIPS 140-3 approved cryptographic algorithms are used to decrypt the PKCS#12 file.