Security Policy¶
The Lantronix Local Manager can be operated in a secure manner that complies with FIPS 140-2 for customers whose corporate security policy requires it. The latest FIPS Security Policy document is available here.
Enabling FIPS Mode¶
To enable FIPS mode, the Local Manager must be running the -g version of LMS software. On the Software Downloads page, two files are available for the Local Manager: lms.bin and lms-g.bin. Download and upgrade to the G version before continuing.
[admin@LantronixLM]# config update scp software@fileserver:software/envoy6.0/lms-g.bin
** Issuing this command will restart the system. **
Proceed? (y/n): y
You can use the show version command to verify your version.
[super@LantronixLM]# show ver
Model: Lantronix LM83x
Serial number: A123456789
LMS version: 6.0.0.35619g
LMS build: 20200221:041342
FIPS 140-2 mode: disabled
Slot 2 serial number:
Slot 3 serial number:
Slot 4 serial number: AM1229170029
The LMS version string must end in g (as in 6.0.0.35619g above); if it does not, the G image is not installed and FIPS mode cannot be enabled.
To enable FIPS mode, use the config system fips enable command. A strong warning will be presented.
[super@LantronixLM]# config system fips enable
** Issuing this command disables services and cryptographic algorithms to **
** comply with FIPS 140-2 rules and the Lantronix security policy. **
** **
** New SSH host keys will be generated. **
** **
** This system will not be able to talk to the management server, **
** unless the management server is also running in FIPS mode. **
** **
** The system will reboot after changing its configuration. **
** **
** This process can only be undone with a factory reset which will result **
** in all data being lost. **
** **
** THIS PROCESS IS IRREVERSIBLE. **
Proceed? (y/n) [n]: y
Enter your password to confirm:
Once you confirm the operation and enter your password, the Local Manager will enable FIPS and reboot.
Verifying system integrity...
...................................
Updating configuration...
Clearing heartbeat certificates...
Clearing SSH host keys...
Clearing secure dial-in keys and certificate...
Clearing virtual-port SSH keys...
Clearing SMS key...
Restarting...
Connection to 198.51.100.26 closed by remote host.
Connection to 198.51.100.26 closed.
After the reboot, verify FIPS mode is enabled with the show version command.
[admin@LantronixLM]# show ver
All Rights Reserved. Lantronix and its respective logos are trademarks of Lantronix, Inc. in the United States and other
jurisdictions. This product is protected by U.S Patent 7,512,677 and other patents pending. The programs included herein are
subject to a restricted use license and can only be used in conjunction with this application.
Model: Lantronix LM83x
Serial number: A700000115
LMS version: 6.0.0.35619
LMS build: 20200221:041342
FIPS 140-2 mode: enabled
Slot 2 serial number:
Slot 3 serial number:
Slot 4 serial number: AM1229170029
FIPS mode is now enabled.
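Because `config system fips enable` is irreversible, it is worth checking the prerequisites mechanically before typing it, especially across a fleet. The following is an added example (Python, not Lantronix code) that parses the text of `show version` and reports whether a unit still needs the -g image, is ready to enable FIPS, or is already in FIPS mode. The sample outputs are copied from the transcripts above and embedded as constructed strings; the 40-character key limit used to skip banner text is an assumption about the output format.

```python
import re

# Constructed samples (copied from the transcripts above, not live output).
# A -g build with FIPS still disabled: ready for `config system fips enable`.
SHOW_VER_G_DISABLED = """\
Model: Lantronix LM83x
Serial number: A123456789
LMS version: 6.0.0.35619g
LMS build: 20200221:041342
FIPS 140-2 mode: disabled
Slot 2 serial number:
Slot 3 serial number:
Slot 4 serial number: AM1229170029
"""

# A non-g build: lms-g.bin must be installed before FIPS can be enabled.
SHOW_VER_NON_G = SHOW_VER_G_DISABLED.replace("6.0.0.35619g", "6.0.0.35619")

# After the reboot: licence banner lines precede the fields and must be ignored.
SHOW_VER_ENABLED = """\
All Rights Reserved. Lantronix and its respective logos are trademarks of Lantronix, Inc. in the United States and other
jurisdictions. This product is protected by U.S Patent 7,512,677 and other patents pending. The programs included herein are
subject to a restricted use license and can only be used in conjunction with this application.
Model: Lantronix LM83x
Serial number: A700000115
LMS version: 6.0.0.35619
LMS build: 20200221:041342
FIPS 140-2 mode: enabled
Slot 2 serial number:
Slot 3 serial number:
Slot 4 serial number: AM1229170029
"""

# Dotted numeric version with an optional trailing "g" (the FIPS-capable build).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(g?)$")


def parse_show_version(output: str) -> dict:
    """Collect the 'Key: value' lines of `show version` into a dict.

    Banner text has no short 'Key:' prefix and is skipped.  The line is split
    on the first colon only, so a value that itself contains a colon
    (LMS build: 20200221:041342) is kept whole.
    """
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        # Assumption: real field labels are short; skip anything longer.
        if not key or len(key) > 40:
            continue
        fields[key] = value.strip()
    return fields


def fips_readiness(output: str) -> dict:
    """Decide the next step for one Local Manager from its `show version` text."""
    f = parse_show_version(output)
    version = f.get("LMS version", "")
    m = VERSION_RE.match(version)
    is_g_build = bool(m and m.group(2) == "g")
    fips_enabled = f.get("FIPS 140-2 mode", "").lower() == "enabled"
    if fips_enabled:
        action = "none"          # already in FIPS mode; only a factory reset leaves it
    elif not is_g_build:
        action = "upgrade-to-g"  # run `config update scp ... lms-g.bin` first
    else:
        action = "enable-fips"   # prerequisites met for `config system fips enable`
    return {
        "serial": f.get("Serial number"),
        "version": version,
        "g_build": is_g_build,
        "fips_enabled": fips_enabled,
        "action": action,
    }


if __name__ == "__main__":
    for name, sample in (("g/disabled", SHOW_VER_G_DISABLED),
                         ("non-g", SHOW_VER_NON_G),
                         ("enabled", SHOW_VER_ENABLED)):
        print(f"{name:11s} -> {fips_readiness(sample)}")
```

In practice you would feed `fips_readiness` the captured output of `show version` from each unit (for example over SSH) and only proceed with `config system fips enable` on units whose action is `enable-fips`; anything reporting `upgrade-to-g` gets the G image first.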
Updating the Heartbeat Certificate¶
Lantronix uses a certificate to secure communications between Local Managers and the Control Center. If your security policy requires that this certificate be replaced rather than left at the default, you can do so with the config system crypto command.
Generate a CSR¶
Use the config system crypto csr command to generate a certificate signing request.
[admin@LantronixLM]# config system crypto csr
Common Name: A61134287X
Organizational unit:
Organization: Lantronix
City: Columbia
State/Province/Region: Texas
2-letter country code: US
Country code 'US' is United States.
Email address (optional):
Other Attributes:
Generate? (y/n): y
Generating new 2048-bit key pair.
Please submit the Certificate request to your CA and then
return to "config sys crypto certificate client" with the newly
generated certificate.
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
[admin@LantronixLM]#
Submit the CSR to your CA so they can generate the certificate.
Install new client certificate¶
Use the config sys crypto certificate client command to install the new certificate provided to you by your CA.
[admin@LantronixLM]# config sys crypto certificate client
Type 'exit' on a line by itself to exit.
>
At the > prompt, paste your certificate and then type exit on a line by itself. The Local Manager will summarize the certificate it accepted.
Certificate:
Subject: CN=VR8Y30PF63, OU=Lantronix-heartbeat, O=Lantronix, L=Austin, ST=TX, C=US
Issuer: CN=docca, OU=doc, O=Lantronix, L=AUSTIN, ST=TX, C=US
Serial Number: 59:16:82:3e:f6:5c:77:fb
Valid From: 10/23/2021 15:32:00 UTC
Valid To: 10/23/2022 15:32:00 UTC
Fingerprint: oTwLCtmj2Yvsdfz13sKHRNf234abab43q2ulX0+5scnw=
Install new server certificate¶
Use the config system crypto certificate management command to install the new server certificate.
[admin@LantronixLM]# config system crypto certificate management
** Only one certificate is allowed for a management server. **
** Entering a new certificate here without updating the management server **
** first will prevent the system from communicating with the management **
** server. **
Proceed? (y/n) [n]: y
Type 'exit' on a line by itself to exit.
[config sys crypto cert management]
Paste in the certificate and type exit. Once exited, the certificate will be summarized.
[config sys crypto cert management]# exit
Certificate:
Subject: CN=64.129.60.236, OU=Lantronix-heartbeat, O=Lantronix, L=Austin, ST=TX, C=US
Issuer: CN=docca, OU=doc, O=Lantronix, L=AUSTIN, ST=TX, C=US
Serial Number: 72:19:c1:aa:8b:42:1e:13
Valid From: 10/23/2021 15:16:00 UTC
Valid To: 10/23/2022 15:16:00 UTC
Fingerprint: u0SJk5732423526437vn435 tby435+vyo+ETI=
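The summaries printed after each paste are the only confirmation the Local Manager gives you, so check them before relying on the new heartbeat: both certificates should still be inside their validity window with time to spare, the subject OU should be Lantronix-heartbeat, and the displayed fingerprint should match the file your CA returned. The block below is an added example (Python standard library only, not Lantronix code) that parses the two summaries above, copied here as constructed strings, and runs those checks. Assumptions, labelled in the code: DN attribute values contain no embedded commas; the 44-character Fingerprint is base64 of a SHA-256 digest over the DER certificate (verify that once against a known certificate, for example with openssl, before trusting the comparison); and the PEM used to exercise the fingerprint routine is a ten-byte placeholder, not a real certificate.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed samples: the two summaries the CLI printed above (the stray
# space in the management fingerprint removed).
CLIENT_SUMMARY = """\
Certificate:
Subject: CN=VR8Y30PF63, OU=Lantronix-heartbeat, O=Lantronix, L=Austin, ST=TX, C=US
Issuer: CN=docca, OU=doc, O=Lantronix, L=AUSTIN, ST=TX, C=US
Serial Number: 59:16:82:3e:f6:5c:77:fb
Valid From: 10/23/2021 15:32:00 UTC
Valid To: 10/23/2022 15:32:00 UTC
Fingerprint: oTwLCtmj2Yvsdfz13sKHRNf234abab43q2ulX0+5scnw=
"""

MGMT_SUMMARY = """\
Certificate:
Subject: CN=64.129.60.236, OU=Lantronix-heartbeat, O=Lantronix, L=Austin, ST=TX,C=US
Issuer: CN=docca, OU=doc, O=Lantronix, L=AUSTIN, ST=TX, C=US
Serial Number: 72:19:c1:aa:8b:42:1e:13
Valid From: 10/23/2021 15:16:00 UTC
Valid To: 10/23/2022 15:16:00 UTC
Fingerprint: u0SJk5732423526437vn435tby435+vyo+ETI=
"""

# Constructed placeholder (ten bytes, NOT a real certificate) so the block
# runs offline; substitute the PEM your CA returned.
PLACEHOLDER_PEM = """-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----"""


def parse_summary(text: str) -> dict:
    """'Key: value' lines of a certificate summary; split on the first colon
    only so serial numbers and timestamps keep their inner colons."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if value.strip():                       # skips the bare "Certificate:" header
            fields[key.strip()] = value.strip()
    return fields


def parse_dn(dn: str) -> dict:
    # Assumption: no escaped commas inside attribute values (true for these samples).
    return {k.strip(): v.strip()
            for k, v in (part.split("=", 1) for part in dn.split(","))}


def parse_utc(s: str) -> datetime:
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def check_heartbeat_pair(client_text: str, mgmt_text: str, now_str: str,
                         min_days_left: int = 30) -> list:
    """Return a list of problems (empty means the pair looks sane at now_str)."""
    client, mgmt = parse_summary(client_text), parse_summary(mgmt_text)
    now = parse_utc(now_str)
    problems = []
    if parse_dn(client["Issuer"]) != parse_dn(mgmt["Issuer"]):
        problems.append("issuer differs between client and management certificates; confirm this is intended")
    for name, cert in (("client", client), ("management", mgmt)):
        subject = parse_dn(cert["Subject"])
        if subject.get("OU") != "Lantronix-heartbeat":
            problems.append(f"{name}: OU is {subject.get('OU')!r}, expected 'Lantronix-heartbeat'")
        not_before, not_after = parse_utc(cert["Valid From"]), parse_utc(cert["Valid To"])
        if not (not_before <= now <= not_after):
            problems.append(f"{name}: not valid at {now_str}")
        elif (not_after - now).days < min_days_left:
            problems.append(f"{name}: expires in {(not_after - now).days} days")
    return problems


def pem_fingerprint(pem: str) -> str:
    """base64(SHA-256(DER)) of a PEM certificate.

    ASSUMPTION: the CLI's 44-character Fingerprint uses this format; confirm
    against one known certificate before relying on fingerprint_matches().
    """
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    return base64.b64encode(hashlib.sha256(der).digest()).decode()


def fingerprint_matches(pem: str, summary_text: str) -> bool:
    return pem_fingerprint(pem) == parse_summary(summary_text)["Fingerprint"]


if __name__ == "__main__":
    print(check_heartbeat_pair(CLIENT_SUMMARY, MGMT_SUMMARY, "01/01/2022 00:00:00 UTC"))
    print(check_heartbeat_pair(CLIENT_SUMMARY, MGMT_SUMMARY, "10/01/2022 00:00:00 UTC"))
    print(pem_fingerprint(PLACEHOLDER_PEM), fingerprint_matches(PLACEHOLDER_PEM, CLIENT_SUMMARY))
```

Run the checks with the current date, and again with a date a month out, so a certificate that is about to expire is caught before the heartbeat silently stops; the warning printed by `config system crypto certificate management` applies here too, since a management certificate that no longer matches the Control Center cannot be fixed from the Local Manager side.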
Verify heartbeat¶
If the Local Manager is not yet pointed at the Control Center, use the config system management command to enable it.
[admin@LantronixLM]# config system management
--- Existing Values ---
Use Management Server: auto
Hostname or IP: (searching)
Port:
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: (not yet contacted)
Change these? (y/n) [n]: y
--- Enter New Values ---
Use Management Server (y/n/auto) [auto]: y
Hostname or IP [127.0.0.1]: 22.123.60.246
Set NTP location to 62.119.60.136 (y/n) [y]: n
Port [8443]:
Heartbeat interval (seconds) [30]:
Heartbeat during [all]:
Do you want to commit these changes? (y/n): y
Allow 30-60 seconds for the initial heartbeat, and then check the status with the show system management command.
[admin@LantronixLM]# show system management
Use Management Server: yes
Hostname or IP: 22.123.60.246
Port: 8443
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: 10/23/2021 15:39:16 GMT (Full)
Look for a successful heartbeat and make sure its timestamp is recent, that is, within the last few heartbeat intervals; a timestamp that stops advancing means the Control Center is rejecting the new certificate.
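"Recent" is easier to judge mechanically than by eye once more than a handful of units are involved. The following is an added example (Python, not Lantronix code) that parses `show system management` output and classifies the heartbeat as ok, stale, never contacted, disabled, or clock-skewed, using the transcripts above as constructed samples. Assumptions: the GMT timestamp is treated as UTC, the wall-clock time is passed in the same MM/DD/YYYY HH:MM:SS form, and "stale" is defined as more than two consecutive missed intervals, a threshold chosen here rather than one the product documents.

```python
import re
from datetime import datetime, timezone

# Constructed samples, copied from the transcripts above.
MGMT_AFTER = """\
Use Management Server: yes
Hostname or IP: 22.123.60.246
Port: 8443
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: 10/23/2021 15:39:16 GMT (Full)
"""

MGMT_NEVER = """\
Use Management Server: auto
Hostname or IP: (searching)
Port:
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: (not yet contacted)
"""

# "10/23/2021 15:39:16 GMT (Full)" -> timestamp and optional heartbeat kind.
HEARTBEAT_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) GMT(?: \((\w+)\))?")


def parse_show_management(text: str) -> dict:
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)   # first colon only; timestamps keep theirs
            fields[key.strip()] = value.strip()
    return fields


def parse_gmt(s: str) -> datetime:
    # Assumption: the CLI's GMT label means UTC.
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)


def heartbeat_status(text: str, now_str: str, missed_allowed: int = 2) -> dict:
    """Classify the heartbeat as ok / stale / never / disabled / clock-skew.

    `now_str` is the current time as 'MM/DD/YYYY HH:MM:SS' (UTC).  'stale'
    means more than `missed_allowed` consecutive intervals have elapsed since
    the last successful heartbeat (threshold chosen here, not documented).
    """
    f = parse_show_management(text)
    if f.get("Use Management Server", "").lower() == "no":
        return {"state": "disabled"}
    m = HEARTBEAT_RE.search(f.get("Last successful heartbeat", ""))
    if not m:
        return {"state": "never", "server": f.get("Hostname or IP")}
    interval = int(f.get("Heartbeat interval (seconds)", "30"))
    age = (parse_gmt(now_str) - parse_gmt(m.group(1))).total_seconds()
    allowed = interval * (missed_allowed + 1)
    if age < 0:
        state = "clock-skew"      # last heartbeat is in the future: fix NTP first
    elif age <= allowed:
        state = "ok"
    else:
        state = "stale"
    return {
        "state": state,
        "age_seconds": int(age),
        "allowed_seconds": allowed,
        "band": m.group(2),        # "Full" or "Minimal" in the CLI's parentheses
        "server": f.get("Hostname or IP"),
    }


if __name__ == "__main__":
    print(heartbeat_status(MGMT_AFTER, "10/23/2021 15:39:46"))
    print(heartbeat_status(MGMT_AFTER, "10/23/2021 15:45:00"))
    print(heartbeat_status(MGMT_NEVER, "10/23/2021 15:45:00"))
```

A `stale` result immediately after a certificate change points at the new client certificate (or a management certificate that no longer matches the Control Center); `never` with "(searching)" means the Local Manager has not been pointed at a server yet, which `config system management` fixes.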
Heartbeat certificate update is complete.