Check the Secure SD-WAN Engine self-tests
The Secure SD-WAN Engine contains the OpenSSL FIPS, SafeZone FIPS Cryptographic Module, Secure SD-WAN Cryptographic Library, and Secure SD-WAN Cryptographic Kernel Module. The modules run several self-tests when the Secure SD-WAN appliance starts.
The modules perform these tests:
- Cryptographic algorithm known answer tests (KAT)
- Software integrity tests using HMAC or digital signature verification
- Conditional self-tests for CTR-DRBG
- Pair-wise consistency test (PCT) on generated RSA, DSA, and ECDSA keys
- File system integrity check that verifies the ECDSA signature of the whole partition containing all binaries
- Noise source health tests include a Repetition Count Test and a Chi-Squared test to fulfill the role of the Adaptive Proportion Test as specified by NIST SP 800-90B.
Algorithm | Type |
---|---|
Software integrity | HMAC-SHA-256 |
HMAC | KAT |
AES | KAT |
AES CCM | KAT |
AES GCM | KAT |
AES XTS | KAT |
AES CMAC | KAT |
TDES | KAT |
TDES CMAC | KAT |
RSA | KAT, PCT |
DSA | KAT, PCT |
ECDSA | KAT, PCT |
DRBG | KAT, Continuous |
Diffie-Hellman | KAT |
EC Diffie-Hellman | KAT |
SHA1 | KAT |
SHA2 | KAT |
SHA3 | KAT |
KBKDF | KAT |
PBKDF2 | KAT |

Algorithm | Type |
---|---|
Software Integrity | HMAC-SHA-256 |
AES | KAT |
TDES | KAT |
HMAC | KAT |
SHA | KAT |

Algorithm | Type |
---|---|
Software integrity | ECDSA signature verification |
HMAC | KAT |
AES | KAT |
AES CCM | KAT |
AES GCM | KAT |
AES XTS | KAT |
AES CMAC | KAT |
TDES | KAT |
RSA | KAT, PCT |
DSA | KAT, PCT |
ECDSA | KAT, PCT |
DRBG | KAT, Continuous |
SHS | KAT |
SHA-3 | KAT |
KBKDF | KAT |
Check the self-test results in the console.
- If a cryptographic self-test or a noise source health test fails, an error message is shown on the console and the appliance is restarted automatically. Noise source health tests are automatically executed as part of the self-tests when OpenSSL and SafeZone are loaded.
FIPS: OpenSSL self-tests FAILED, rebooting…
Cryptographic Kernel Module self tests failed
FIPS: Cryptographic module self-tests FAILED, rebooting...
FIPS: rootfs integrity check FAILED, rebooting…
Next steps
- If the self-tests succeed, continue configuring the Secure SD-WAN Engine.
- If the problem persists, reset the Secure SD-WAN appliance to factory settings. See section Reset the Secure SD-WAN appliance to factory settings.
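
The following Python script is an added example, not part of the product or its documentation. It scans a saved console capture for the failure messages listed above and reports which checks failed more than once, which is the "problem persists" case. The function names, the capture format (console output saved as plain text), and the sample capture are assumptions made for illustration.

```python
import re
from collections import Counter

# Failure messages exactly as listed on this page; the trailing "rebooting…" /
# "rebooting..." is not matched, so either ellipsis form is accepted.
FAILURE_PATTERNS = {
    "OpenSSL self-tests": r"FIPS: OpenSSL self-tests FAILED",
    "Cryptographic Kernel Module self-tests": r"Cryptographic Kernel Module self tests failed",
    "Cryptographic module self-tests": r"FIPS: Cryptographic module self-tests FAILED",
    "rootfs integrity check": r"FIPS: rootfs integrity check FAILED",
}
_NAMES = list(FAILURE_PATTERNS)
_COMBINED = re.compile(
    "|".join(f"(?P<g{i}>{p})" for i, p in enumerate(FAILURE_PATTERNS.values()))
)

def scan_console(text):
    """Return (line_number, check_name) for every failure message found.

    finditer() is used so that several messages run together on one
    captured line are each reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _COMBINED.finditer(line):
            findings.append((lineno, _NAMES[int(m.lastgroup[1:])]))
    return findings

def persistent_failures(findings):
    """Checks that failed more than once in the capture (assumption: each
    failure reboots the appliance, so a repeat means it failed again on the
    next boot)."""
    counts = Counter(name for _, name in findings)
    return sorted(name for name, n in counts.items() if n > 1)

# Constructed sample capture, not output from a real appliance.
SAMPLE_CAPTURE = """\
(constructed boot output)
FIPS: rootfs integrity check FAILED, rebooting…
(constructed boot output)
FIPS: rootfs integrity check FAILED, rebooting…
(constructed boot output)
FIPS: OpenSSL self-tests FAILED, rebooting… Cryptographic Kernel Module self tests failed
"""

if __name__ == "__main__":
    found = scan_console(SAMPLE_CAPTURE)
    for lineno, name in found:
        print(f"line {lineno}: {name} FAILED")
    print("persistent:", persistent_failures(found))
```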