
Security Policy

The Lantronix Local Manager can be operated in a secure manner that complies with FIPS 140-2 for customers whose corporate security policy requires it. The latest FIPS Security Policy document is available here.

Enabling FIPS Mode

To enable FIPS mode, the Local Manager must be running the -g version of LMS software. On the Software Downloads page, two files are available for the Local Manager: lms.bin and lms-g.bin. Download and upgrade to the G version before continuing.

[admin@LantronixLM]# config update scp software@fileserver:software/envoy6.0/lms-g.bin
** Issuing this command will restart the system. ** 
Proceed? (y/n): y

You can use the show version command to verify your version.

[super@LantronixLM]# show ver

Model: Lantronix LM83x
Serial number: A123456789
LMS version:
LMS build: 20200221:041342
FIPS 140-2 mode: disabled
Slot 2 serial number: 
Slot 3 serial number: 
Slot 4 serial number: AM1229170029

For LMS version, the number should end in a g.

To enable FIPS mode, use the config system fips enable command. A strong warning will be presented.

[super@LantronixLM]# config system fips enable
** Issuing this command disables services and cryptographic algorithms to **
** comply with FIPS 140-2 rules and the Lantronix security policy.          **
**                                                                        **
** New SSH host keys will be generated.                                   **
**                                                                        **
** This system will not be able to talk to the management server,         **
** unless the management server is also running in FIPS mode.             **
**                                                                        **
** The system will reboot after changing its configuration.               **
**                                                                        **
** This process can only be undone with a factory reset which will result **
** in all data being lost.                                                **
**                                                                        **
** THIS PROCESS IS IRREVERSIBLE.                                          **

Proceed? (y/n) [n]: y
Enter your password to confirm: 

Once you confirm the operation and enter your password, the Local Manager will enable FIPS and reboot.

Verifying system integrity...
Updating configuration...
Clearing heartbeat certificates...
Clearing SSH host keys...
Clearing secure dial-in keys and certificate...
Clearing virtual-port SSH keys...
Clearing SMS key...
Connection to closed by remote host.
Connection to closed.

After the reboot, verify FIPS mode is enabled with the show version command.

[admin@LantronixLM]# show ver
All Rights Reserved. Lantronix and its respective logos are trademarks of Lantronix, Inc. in the United States and other
jurisdictions. This product is protected by U.S Patent 7,512,677 and other patents pending. The programs included herein are
subject to a restricted use license and can only be used in conjunction with this application.

Model: Lantronix LM83x
Serial number: A700000115
LMS version:
LMS build: 20200221:041342
FIPS 140-2 mode: enabled
Slot 2 serial number: 
Slot 3 serial number: 
Slot 4 serial number: AM1229170029

FIPS mode is now enabled.

Updating the Heartbeat Certificate

Lantronix uses a certificate to secure communications between Local Managers and the Control Center. If your security policy requires replacing the default certificate, you can do so with the config system crypto command.

Generate a CSR

Use the config system crypto csr command to generate a certificate signing request.

[admin@LantronixLM]# config system crypto csr
Common Name: A61134287X
Organizational unit: 
Organization: Lantronix
City: Columbia
State/Province/Region: Texas
2-letter country code: US
Country code 'US' is United States.
Email address (optional): 
Other Attributes: 
Generate? (y/n): y

Generating new 2048-bit key pair.

Please submit the Certificate request to your CA and then
return to "config sys crypto certificate client" with the newly
generated certificate.



Submit the CSR to your CA so they can generate the certificate.

Install new client certificate

Use the config sys crypto certificate client command to install the new certificate provided to you by your CA.

[admin@LantronixLM]# config sys crypto certificate client
Type 'exit' on a line by itself to exit.

At the > prompt, paste your certificate. The Local Manager will summarize the certificate.

Subject: CN=VR8Y30PF63, OU=Lantronix-heartbeat, O=Lantronix, L=Austin, ST=TX, C=US
Issuer:  CN=docca, OU=doc, O=Lantronix, L=AUSTIN, ST=TX, C=US
Serial Number: 59:16:82:3e:f6:5c:77:fb
Valid From: 10/23/2021 15:32:00 UTC
Valid To:   10/23/2022 15:32:00 UTC
Fingerprint: oTwLCtmj2Yvsdfz13sKHRNf234abab43q2ulX0+5scnw=

Install new server certificate

Use the config system crypto certificate management command to install the new server certificate.

[admin@LantronixLM]# config system crypto certificate management
** Only one certificate is allowed for a management server.                **
** Entering a new certificate here without updating the management server  **
** first will prevent the system from communicating with the management    **
** server.                                                                 **

Proceed? (y/n) [n]: y
Type 'exit' on a line by itself to exit.
[config sys crypto cert management]

Paste in the certificate and type exit. Once exited, the certificate will be summarized.

[config sys crypto cert management]# exit

It should look exactly like this:

Subject: CN=, OU=Lantronix-heartbeat, O=Lantronix, L=Austin, ST=TX,C=US
Issuer:  CN=docca, OU=doc, O=Lantronix, L=AUSTIN, ST=TX, C=US
Serial Number: 72:19:c1:aa:8b:42:1e:13
Valid From: 10/23/2021 15:16:00 UTC
Valid To:   10/23/2022 15:16:00 UTC
Fingerprint: u0SJk5732423526437vn435 tby435+vyo+ETI=
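
The summary printed after a certificate install can be checked against what you requested from your CA. The following is an added example, not Lantronix code: it parses a summary captured from the CLI session and reports a wrong or empty subject CN, an unexpected issuer, or a validity window that is closed or about to close. The function names, the sample summary and the 30-day threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample in the summary layout shown above; all values are made up.
SAMPLE_SUMMARY = """\
Subject: CN=EXAMPLE-LM-01, OU=Lantronix-heartbeat, O=Lantronix, L=Austin, ST=TX, C=US
Issuer:  CN=example-ca, OU=doc, O=Lantronix, L=AUSTIN, ST=TX, C=US
Serial Number: 00:11:22:33:44:55:66:77
Valid From: 10/23/2021 15:32:00 UTC
Valid To:   10/23/2022 15:32:00 UTC
"""

def parse_summary(text):
    """Split 'Key: value' lines into a dict; only the first colon separates."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_dn(dn):
    """'CN=x, OU=y' -> {'CN': 'x', 'OU': 'y'}; assumes no escaped commas in values."""
    pairs = (part.split("=", 1) for part in dn.split(","))
    return {p[0].strip(): p[1].strip() for p in pairs if len(p) == 2}

def parse_time(value):
    return datetime.strptime(value, "%m/%d/%Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def check_certificate(text, expected_cn, expected_issuer_cn, now, min_days_left=30):
    """Return a list of problems (empty means OK); now must be timezone-aware."""
    fields = parse_summary(text)
    problems = []
    subject_cn = parse_dn(fields.get("Subject", "")).get("CN", "")
    issuer_cn = parse_dn(fields.get("Issuer", "")).get("CN", "")
    if subject_cn != expected_cn:
        problems.append(f"subject CN is {subject_cn!r}, expected {expected_cn!r}")
    if issuer_cn != expected_issuer_cn:
        problems.append(f"issuer CN is {issuer_cn!r}, expected {expected_issuer_cn!r}")
    try:
        start, end = parse_time(fields["Valid From"]), parse_time(fields["Valid To"])
    except (KeyError, ValueError):
        return problems + ["validity dates missing or unparseable"]
    if now < start:
        problems.append("certificate is not yet valid")
    elif now > end:
        problems.append("certificate has expired")
    elif (end - now).days < min_days_left:
        problems.append(f"certificate expires in {(end - now).days} days")
    return problems
```
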

Verify heartbeat

If the Local Manager is not yet pointed at the Control Center, use the config system management command to enable it.

[admin@LantronixLM]# config system management
--- Existing  Values ---
Use Management Server: auto
Hostname or IP: (searching)
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat:  (not yet contacted)
Change these? (y/n) [n]: y
--- Enter New Values ---
Use Management Server (y/n/auto) [auto]: y
Hostname or IP []:
Set NTP location to (y/n) [y]: n
Port [8443]:
Heartbeat interval (seconds) [30]:
Heartbeat during [all]:
Do you want to commit these changes? (y/n): y

Allow 30-60 seconds for the initial heartbeat, and then check the status with the show system management command.

[admin@LantronixLM]# show system management
Use Management Server: yes
Hostname or IP:
Port: 8443
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: 10/23/2021 15:39:16 GMT (Full)

Look for a successful heartbeat and ensure the timestamp is recent.

Heartbeat certificate update is complete.
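
The verification steps on this page (LMS version ends in g, FIPS 140-2 mode is enabled, the last successful heartbeat is recent) can be scripted over saved show version and show system management output. This is an added example, not Lantronix code; the function names, the sample captures, the placeholder version string and the five-minute freshness threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed captures in the layout shown on this page; the LMS version
# value is a made-up placeholder, not a real release number.
SHOW_VERSION = """\
Model: Lantronix LM83x
LMS version: 0.0.0g
LMS build: 20200221:041342
FIPS 140-2 mode: enabled
"""
SHOW_MANAGEMENT = """\
Use Management Server: yes
Port: 8443
Heartbeat interval (seconds): 30
Last successful heartbeat: 10/23/2021 15:39:16 GMT (Full)
"""

def field(text, name):
    """Return the value of the first 'name: value' line, or None if absent."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def audit(show_version, show_management, now, max_age=timedelta(minutes=5)):
    """Return findings; empty means -g build, FIPS enabled, and a fresh heartbeat.
    max_age is an assumed threshold; now must be timezone-aware."""
    findings = []
    version = field(show_version, "LMS version") or ""
    if not version.endswith("g"):
        findings.append(f"LMS version {version!r} does not end in g")
    mode = field(show_version, "FIPS 140-2 mode")
    if mode != "enabled":
        findings.append(f"FIPS 140-2 mode is {mode!r}")
    heartbeat = field(show_management, "Last successful heartbeat") or ""
    m = re.match(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) GMT", heartbeat)
    if not m:
        # Covers "(not yet contacted)" as well as a missing field.
        findings.append(f"no successful heartbeat recorded: {heartbeat!r}")
        return findings
    seen = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    if now - seen > max_age:
        findings.append(f"last heartbeat {seen.isoformat()} is older than {max_age}")
    return findings
```
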