Algo Secure Firmware Guide for JITC-Certified Devices


Overview

Select Algo products have achieved JITC (Joint Interoperability Test Command) certification, demonstrating that they meet stringent interoperability and cybersecurity requirements. These products are trusted for deployment in high-security network environments, including U.S. federal government agencies.

Note

A JITC-certified device has been evaluated and authorized for use on Department of Defense (DoD) networks under defined conditions. It is assessed against DoD risk management standards and shown to operate without introducing unacceptable risk.

JITC certification does not guarantee that a device is fully secure. Devices must still be configured in accordance with applicable Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).

Device Use Notification

When you log in to a JITC-certified device, a U.S. government security warning is displayed.

You must acknowledge this warning before you can access the device’s web interface.

This is a legal requirement to confirm that you have seen the notice and accepted the conditions for access.

Feature Enhancements

JITC-certified devices include feature enhancements and API changes to ensure compliance with Department of Defense (DoD) security requirements.

Note

Only firmware files with a -sec suffix can be used to upgrade JITC-certified devices. Upgrades using firmware files without the -sec suffix will fail.

The following security enhancements are implemented in JITC-certified versions.

Logging in Using SSO

Enabling SSO (Single Sign-On) is recommended for stronger authentication and centralized user management.

Note

Always use SSO to sign in to a JITC-certified device. Username and password authentication should be kept only as a backup login option.

To enable SSO:

  1. Log in to your device’s web interface.

  2. Go to Advanced Settings → Admin → General and set the following:

    • Device Name (Hostname): Enter a unique device name.

    • Domain Name: Enter your network domain name.

  3. Reboot your device to apply the changes.

  4. In your DNS server, create a record that resolves the device’s fully qualified name (hostname.domain) to its IP address, so the device can be reached by hostname.

  5. Go to Advanced Settings → Admin → Single Sign-On and select Download.

    This downloads the device’s SP (Service Provider) metadata file.

  6. In your IdP (Identity Provider) server:

    1. Upload the SP metadata file.

    2. Set the sign-on URL using the format:

      https://[hostname].domain/Shibboleth.sso/Login

    3. Download the IdP metadata file.

  7. Go to Advanced Settings → Admin → Single Sign-On, select Choose File to select the IdP metadata file, then select Upload.

  8. Go to Advanced Settings → Admin → Admin Password and change the default password.

    • Enter the Old Password

    • Enter the New Password

    • Confirm the New Password.

      Your new password must be at least 15 characters long and include at least one uppercase and one lowercase letter.

  9. Reboot your device to apply the changes.

  10. Go to Advanced Settings → Admin → Single Sign-On and select Enable.

    Now you can log in to your device using SSO.
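Before uploading the SP metadata to the IdP (step 6), it is worth confirming that the file the device exported actually refers to the hostname and domain you configured in step 2 and that every endpoint is HTTPS; a mismatch here is the usual cause of a failed SAML round trip. The following check is an added example and not Algo’s code: it assumes the device emits standard SAML 2.0 metadata (namespace urn:oasis:names:tc:SAML:2.0:metadata), as Shibboleth SP does, and the sample metadata embedded below is constructed for the example, not captured from a device.

```python
"""Sanity-check an exported SP metadata file against the configured hostname.

Added example, not Algo's code. Assumes standard SAML 2.0 metadata as emitted
by a Shibboleth SP. The sample below is constructed, not real device output.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: one endpoint deliberately uses plain http to show detection.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://paging-01.example.mil/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://paging-01.example.mil/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://paging-01.example.mil/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://paging-01.example.mil/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sign_on_url(hostname, domain):
    """The sign-on URL to configure on the IdP, in the format the guide gives."""
    return f"https://{hostname}.{domain}/Shibboleth.sso/Login"


def check_sp_metadata(xml_text, expected_host):
    """Return a list of problems; an empty list means the metadata is consistent.

    Checks: the entityID and every endpoint Location use the expected host,
    every endpoint is https, and at least one AssertionConsumerService exists.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"unexpected root element {root.tag}"]

    entity_host = urlparse(root.get("entityID", "")).hostname
    if entity_host != expected_host:
        problems.append(f"entityID host {entity_host!r} != {expected_host!r}")

    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor"]

    acs_count = 0
    for el in sp.iter():
        loc = el.get("Location")
        if loc is None:
            continue  # not an endpoint element
        name = el.tag.split("}")[1]
        u = urlparse(loc)
        if u.scheme != "https":
            problems.append(f"{name} uses {u.scheme}: {loc}")
        if u.hostname != expected_host:
            problems.append(f"{name} host {u.hostname!r} != {expected_host!r}: {loc}")
        if name == "AssertionConsumerService":
            acs_count += 1
    if acs_count == 0:
        problems.append("no AssertionConsumerService endpoint")
    return problems


if __name__ == "__main__":
    print("Sign-on URL for the IdP:", sign_on_url("paging-01", "example.mil"))
    for p in check_sp_metadata(SAMPLE_SP_METADATA, "paging-01.example.mil"):
        print("PROBLEM:", p)
```

Run it against the real file with `check_sp_metadata(open("sp-metadata.xml").read(), "hostname.domain")`; any non-empty result should be fixed on the device (hostname, domain, or DNS) before the metadata goes to the IdP.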

Enhanced Login Security

An enhanced login mechanism is enforced. Passwords must meet the following requirements:

  • Minimum length: 15 characters

  • Uppercase letter: At least one

  • Lowercase letter: At least one

  • Password reuse restriction: A new password must differ from the previous password by at least 8 characters

After three invalid login attempts, the user is locked out for 15 minutes.
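Because the device rejects a non-compliant password only after you have typed it in twice and saved, it is convenient to pre-check candidates (for example in a provisioning script) against the same rules. The validator below is an added example, not Algo’s code. The page does not say how the device measures “differs by at least 8 characters”; this example assumes a positional comparison in the style of pam_cracklib’s difok (characters compared position by position, with any difference in length also counted), and that assumption is marked in the code.

```python
"""Pre-check a new admin password against the rules the -sec firmware enforces.

Added example, not Algo's code. The rules are from the guide; the metric for
"differs by at least 8 characters" is an assumption (positional comparison).
"""
MIN_LENGTH = 15
MIN_DIFFERENT_CHARS = 8


def char_difference(new, old):
    """Assumed metric: positions where new and old differ, plus the length gap."""
    positional = sum(1 for a, b in zip(new, old) if a != b)
    return positional + abs(len(new) - len(old))


def check_password(new, old=None):
    """Return the list of violated rules; an empty list means the password is acceptable.

    Pass the previous password as `old` to apply the reuse restriction.
    """
    violations = []
    if len(new) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in new):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in new):
        violations.append("no lowercase letter")
    if old is not None and char_difference(new, old) < MIN_DIFFERENT_CHARS:
        violations.append(
            f"differs from the previous password by fewer than {MIN_DIFFERENT_CHARS} characters"
        )
    return violations


if __name__ == "__main__":
    # Constructed candidates: only the first one passes every rule.
    for candidate, previous in [
        ("Correct-Horse-Battery", None),
        ("correct-horse-battery", None),
        ("Correct-Horse-Battery2", "Correct-Horse-Battery"),
    ]:
        result = check_password(candidate, previous)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```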

Changed the Crypto Algorithm from MD5 to SHA-256

For FIPS 140-2 compliance, the device uses approved cryptographic algorithms implemented within a cryptographic module that has been tested by an accredited laboratory and validated under the Cryptographic Module Validation Program (CMVP).

As a result, the digest algorithm used to authenticate API requests has changed from MD5 to SHA-256.

If the Authentication Method is set to Standard, you must generate a valid HMAC signature over the HMAC input string, using the configured RESTful API Password as the key and SHA-256 as the digest algorithm.

The HMAC input string must be formatted as follows:

  [request_method]:[request_uri]:[content_sha256]:[content_type]:[timestamp]:[nonce]
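The following is an added example, not Algo’s code or API client, showing how a client builds the input string and signs it, and how the receiving side should verify it (constant-time comparison, clock-skew window, nonce replay rejection). The page does not specify the encoding of content_sha256, the timestamp format, or how the signature is transmitted, so this example assumes content_sha256 is the lowercase hex SHA-256 of the request body (the digest of the empty string for bodyless requests), the timestamp is Unix seconds, the signature is lowercase hex, and a 300-second skew window; the request values and password are constructed.

```python
"""Sign and verify an API request using HMAC-SHA256 over the documented input string.

Added example, not Algo's code. Assumptions (not stated on the page):
content_sha256 is the lowercase hex SHA-256 of the body, the timestamp is Unix
seconds, the signature is lowercase hex, and the server allows 300 s of skew.
"""
import hashlib
import hmac
import time


def hmac_input(method, uri, body, content_type, timestamp, nonce):
    """Build [request_method]:[request_uri]:[content_sha256]:[content_type]:[timestamp]:[nonce]."""
    content_sha256 = hashlib.sha256(body).hexdigest()  # assumed hex encoding
    return f"{method.upper()}:{uri}:{content_sha256}:{content_type}:{timestamp}:{nonce}"


def sign_request(api_password, method, uri, body, content_type, timestamp, nonce):
    """Client side: HMAC-SHA256 keyed with the RESTful API Password, hex encoded."""
    msg = hmac_input(method, uri, body, content_type, timestamp, nonce)
    return hmac.new(api_password.encode(), msg.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: recompute the HMAC, compare in constant time, reject stale
    timestamps and replayed nonces. Nonces are remembered for the skew window,
    after which the timestamp check alone rejects a replay."""

    def __init__(self, api_password, max_skew=300):
        self.api_password = api_password
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> time it was accepted

    def verify(self, method, uri, body, content_type, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        # Drop nonces that can no longer be replayed within the skew window.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_skew}
        if abs(now - int(timestamp)) > self.max_skew:
            return False, "timestamp outside allowed skew"
        if nonce in self.seen_nonces:
            return False, "nonce already used"
        expected = sign_request(self.api_password, method, uri, body, content_type, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.seen_nonces[nonce] = now
        return True, "ok"


if __name__ == "__main__":
    # Constructed request: password, body, timestamp and nonce are examples only.
    password = "example-api-password"
    body = b'{"name":"Door 1"}'
    ts, nonce = "1700000000", "3f9c1a2b7d"
    sig = sign_request(password, "POST", "/api/settings", body, "application/json", ts, nonce)
    print("input :", hmac_input("POST", "/api/settings", body, "application/json", ts, nonce))
    print("hmac  :", sig)
    v = Verifier(password)
    print("first :", v.verify("POST", "/api/settings", body, "application/json", ts, nonce, sig, now=1700000010))
    print("replay:", v.verify("POST", "/api/settings", body, "application/json", ts, nonce, sig, now=1700000011))
```

The nonce must be fresh per request and the timestamp must come from a clock that agrees with the device, which is one reason the NTP authentication described below matters: a device whose time is wrong will reject every signed request as outside the skew window.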

Secure Protocols

HTTP/2 and HTTPS are used to enforce traffic encryption and the use of modern cipher suites.

NTP Authentication

NTP authentication is supported to ensure device time is obtained from a trusted source.

A new Web UI option is available under Advanced Settings → Time.

To use NTP authentication:

  1. Go to System → File Manager.

  2. Right-click the Files folder and select Create Folder.

  3. Rename the folder as ntp.

  4. Upload a symmetric key file named ntp.keys to the ntp folder. The key IDs and keys in this file must match those configured on your NTP server.

  5. Go to Advanced Settings → Time.

  6. Set NTP Symmetric Key Authentication to Enabled.

  7. Select Save.

Backing up Configuration Files Automatically

You can enable Backup Config Files to automatically back up system configuration files when either of the following occurs:

  • System settings are changed.

  • User files are uploaded, deleted, or modified.

To enable automatic configuration file backup:

  1. Go to Advanced Settings → Admin → Configuration Backup.

  2. Set Backup Config Files to Enabled.

  3. Select Save.

    When you change the device configuration, a configuration backup is automatically saved to System → File Manager → Backups.

    Backup files use the following naming format: user-[YYYYMMDDXXXXXX]conf.

Limiting the Maximum Number of Simultaneous Web Requests

You can limit the number of concurrent web requests made through the web interface or the API.

To set the maximum number of simultaneous requests:

  1. Go to Advanced Settings → Network → Web Server.

  2. Set a value for Maximum Simultaneous Requests.

  3. Select Save.

IP Address Allow List for Accessing the Web Interface

You can use the Allow Access from Secure Zones setting to restrict web interface access to trusted IP addresses only.

To create an allow list of IP addresses for accessing the web interface:

  1. Go to Advanced Settings → Network → Web Server.

  2. Enter the IP addresses in Allow Access from Secure Zones.

    Use commas to delimit multiple addresses. Make sure the address you are administering the device from is included, or you will lose web access as soon as the setting is saved.

  3. Select Save.

Disabled SNMP and RESTful API Support on 8300

SNMP (Simple Network Management Protocol) and RESTful APIs cannot be used to modify configurations on monitored devices.

To modify device configurations, you must log in to the device’s web interface using SSO.

Printing Access and Error Logs to Syslog

You can allow the web server to send access and error logs to the system logging service for centralized logging and monitoring.

To enable printing access and error logs to syslog:

  1. Go to Advanced Settings → Admin → Log Settings.

  2. Set Log Web Server Events to Enabled.

    Access and error logs will be included in the logs downloaded from System → System Log.

API Changes

You cannot use PUT API requests to modify device settings, add new files, or replace existing files.

The following PUT API requests are disabled:

  • PUT /api/settings: Set the value of a specific parameter

  • PUT /api/files/{filepath}/(unknown): Add a new file or replace an existing one


FAQ

How can I find the full list of Algo devices that have passed JITC certification?

  1. Go to the DoDIN APL (Department of Defense Information Network Approved Products List).

  2. Select Algo Communication Products Ltd as the vendor, then select Search APL.

  3. At the bottom of the page, select APL Memo to download it.

  4. Open the downloaded APL Memo and search for “IO certification letter” to locate the link.

  5. Select the link to open the IO certification letter.

  6. In the letter, search for “SUT Hardware/Software/Firmware Version Identification” to find the complete list of Algo devices that have passed JITC certification.

How do I know whether my device is a JITC-certified version?

When you log in to the device web interface, the product name has a “-SEC” suffix, for example, Algo 8180-SEC.

You must accept the U.S. GOVERNMENT NOTICE AND CONSENT before you can proceed.