Security Management (FIPS Mode)

Key Management

Key Management

A DSA private hosts key is required for SSH2 connection to the Broadmore.

Default DSA Key

During manufacture, a default host_dsa key file is placed in the /SSHD directory of the Broadmore CPU. This default key is intended only for use in initializing the Broadmore after installation at the customer site and should be changed by the SuperUser (Crypto Officer) before making the Broadmore operational.

NOTE: The DSA hosts key can only be replaced by the SuperUser while the Broadmore is in the FIPS mode.

Generating DSA Key Pairs

DSA keys can be generated on a UNIX or Windows host, using key generation utilities provided as a part of the ssh clients/server software of various vendors.

OpenSSH provides ssh-keygen to generate DSA keys on a UNIX or Windows host. The ssh-keygen program can be downloaded from the URL http://www.openssh.org.

The following example shows how to generate the host_dsa key on a UNIX host or on a Windows PC running Cygwin.

$ ssh-keygen -t dsa -f host_dsa -N "" -C <comments>

Installing the DSA Key

With the Broadmore in FIPS mode, the SuperUser can use an SSH2 client (such as SecureFX) to log into the Broadmore/SSHield module and install the host_dsa key in the /SSHD directory on the Broadmore CPU.

NOTE: After installing the DSA key, the Broadmore must be rebooted in order for the change to take effect.

11-8

Broadmore 1750 - Release 4.6

Page 273 Page 275
Page 274
Image 274
Carrier Access 1750 user manual Key Management, Default DSA Key, Generating DSA Key Pairs, Installing the DSA Key
Page 273 Page 275
Top Page Image Contents