Check the SMC Appliance self-tests
The SMC Appliance contains several modules that run self-tests when the SMC Appliance starts.
Known answer tests (KAT) and pairwise consistency tests (PCT) are run for the software cryptographic modules.
Integrity check verifies the ECDSA signature of a catalog file of the SHA-256 hashes of all binaries.
Noise source health tests include a Repetition Count Test and a Chi-Squared test to fulfill the role of the Adaptive Proportion Test as specified by NIST SP 800-90B.
| Algorithm | Type |
|---|---|
| Software integrity | HMAC-SHA-256 |
| AES | KAT |
| CCM | KAT |
| AES-CMAC | KAT |
| FFC KAS | KAT |
| DRBG | KAT, Continuous, Health Checks |
| DSA | KAT, PCT |
| ECDSA | KAT, PCT |
| GCM/GMAC | KAT |
| HMAC | KAT |
| ECC KAS | KAT |
| SP 800-108 KBKDF | KAT |
| RSA | KAT, PCT |
| SHS | KAT |
| TDES | KAT |
| TDES-CMAC | KAT |
| Extendable-Output functions (XOF) | KAT |
| Key Wrapping Using RSA | KAT |
| Key Transport Using RSA | KAT |
| NDRNG | Continuous |
| DH | PCT |
| ECDH/ECCDH | PCT |
| Algorithm | Type |
|---|---|
| Software integrity | HMAC-SHA-256 |
| HMAC | KAT |
| AES | KAT |
| AES CCM | KAT |
| AES GCM | KAT |
| AES XTS | KAT |
| AES CMAC | KAT |
| TDES | KAT |
| TDES CMAC | KAT |
| RSA | KAT, PCT |
| DSA | KAT, PCT |
| ECDSA | KAT, PCT |
| DRBG | KAT, Continuous |
| Diffie-Hellman | KAT |
| EC Diffie-Hellman | KAT |
| SHA1 | KAT |
| SHA2 | KAT |
| SHA3 | KAT |
| KBKDF | KAT |
| PBKDF2 | KAT |
| Algorithm | Type |
|---|---|
| AES | KAT |
| TDES | KAT |
| DSA | KAT |
| ECDSA | KAT |
| RSA | KAT |
| SHS | KAT |
| HMAC | KAT |
| DRBG | KAT |
| Software integrity | DSA signature verification |
Check the self-test results in the console. The self-test messages are also sent to the SMC Appliance syslog.
- If the Bouncy Castle FIPS Java API cryptographic module self-test fails, the server application fails to start, and an error message is shown on the console and the appliance halts
its execution automatically.
fipssmc: ERROR: FIPS SMC Bouncy Castle fipssmc: FIPS System Shutdown - If a power-up self-test fails, an error message is shown on the console and the appliance halts and is not remotely
accessible.
fipstest:Performing FIPS NSS crypto selftests... Fatal FIPS Error: fipstest:ERROR:FIPS NSS crypto selftest failed: /lib/fips/fipstest-ossl: 255fipstest: Performing FIPS OpenSSL crypto selftests… Fatal FIPS Error: fipstest:ERROR:FIPS OpenSSL crypto selftest failed: /lib/fips/fipstest-ossl: 1 - If the file system integrity check fails, an error message is shown on the console and the appliance halts and is not remotely
accessible.
fipscheck: Performing FIPS integrity check… Fatal FIPS Error: fipscheck:ERROR:FIPS integrity check failed. /usr/bin/smca-fipscheck: 255 - If a noise source health test fails, an error message is shown on the console and the appliance halts and is not remotely
accessible.
fipsrngdtest: Performing FIPS rngd self test... Fatal FIPS Error: fipsrngdtest:ERROR:FIPS rngd self test failed: 1
Next steps
- If the self-tests succeed, continue configuring the SMC Appliance.
- If a self-test fails, restart the SMC Appliance manually. It does not restart automatically.
- If a self-test continues to fail, reset the SMC Appliance to factory settings. See section Reset the SMC Appliance to factory settings.