---
title: "Algo Secure Firmware Guide for JITC-Certified Devices"
slug: "security-guide"
updated: 2026-02-17T19:41:41Z
published: 2026-02-17T19:41:41Z
canonical: "docs.algosolutions.com/security-guide"
---

# Algo Secure Firmware Guide for JITC-Certified Devices

## Overview

Select Algo products have achieved JITC (Joint Interoperability Test Command) certification, demonstrating that they meet stringent interoperability and cybersecurity requirements. These products are trusted for deployment in high-security network environments, including U.S. federal government agencies.

> [!NOTE]
> A JITC-certified device has been evaluated and authorized for use on Department of Defense (DoD) networks under defined conditions. It is assessed against DoD risk management standards and shown to operate without introducing unacceptable risk.
> 
> JITC certification does not guarantee that a device is fully secure. Devices must still be configured in accordance with applicable Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).

#### Device Use Notification

When you log in to a JITC-certified device, a U.S. government security warning is displayed.

You must acknowledge this warning before you can access the device’s web interface.

![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(699).png)

This is a legal requirement to confirm that you have seen the notice and accepted the conditions for access.

## Feature Enhancements

JITC-certified devices include feature enhancements and API changes to ensure compliance with Department of Defense (DoD) security requirements.

> [!NOTE]
> Only firmware files with a **-sec** suffix can be used to upgrade JITC-certified devices. Firmware upgrades using non-**-sec** files will fail.

The following security enhancements are implemented in JITC-certified versions.

- [Logging in Using SSO](/v1/docs/security-guide#logging-in-using-sso)
- [Enhanced Login Security](/v1/docs/security-guide#enhanced-login-security)
- [Changed the Crypto Algorithm from MD5 to SHA-256](/v1/docs/security-guide#changing-the-crypto-algorithm-from-md5-to-sha256)
- [Secure Protocols](/v1/docs/security-guide#secure-protocols)
- [NTP Authentication](/v1/docs/security-guide#ntp-authentication)
- [Backing up Configuration Files Automatically](/v1/docs/security-guide#backing-up-configuration-files-in-case-of-system-settings-changes)
- [Limiting the Maximum Number of Simultaneous Web Requests](/v1/docs/security-guide#limiting-the-maximum-number-of-simultaneous-web-requests-to-your-device)
- [IP Address Allow List for Accessing the Web Interface](/v1/docs/security-guide#ip-addresses-whitelist-for-accessing-the-web-interface)
- [Disabled SNMP and RESTful API Support on 8300](/v1/docs/security-guide#disabled-snmp-and-restful-api-support-on-8300)
- [Printing Access and Error Logs to Syslog](/v1/docs/security-guide#printing-nginx-logs-to-syslog)

#### Logging in Using SSO

Enabling SSO (Single Sign-On) is recommended for stronger security and centralized user management.

> [!NOTE]
> It is recommended to always use SSO to sign in to a JITC-certified device. Username and password authentication should be used only as a backup login option.

![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(708).png)

**To enable SSO:**

1. Log in to your device’s web interface.
2. Go to **Advanced Settings** → **Admin** → **General** and set the following:
   - **Device Name (Hostname)**: Enter a unique device name.
   - **Domain Name**: Enter your network domain name.
3. Reboot your device to apply the changes.
4. **In your DNS server**: Set up a DNS record to allow contacting the device using its hostname.
5. Go to **Advanced Settings** → **Admin** → **Single Sign-On** and select **Download**.

   ![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(705).png)

   This downloads the device’s SP (service provider) metadata file.
6. **In your IdP (Identity Provider) server**:
   1. Upload the SP metadata file.
   2. Set the sign-on URL using the format:

      `https://[hostname].domain/Shibboleth.sso/Login`
   3. Download the IdP metadata file.
7. Go to **Advanced Settings** → **Admin** → **Single Sign-On** and select **Choose File** to select the IdP metadata file, then select **Upload**.
8. Go to **Advanced Settings** → **Admin** → **Admin Password** and change the default password.
   - Enter the **Old Password**.
   - Enter the **New Password**.
   - Confirm the **New Password**.

   Your new password must be at least 15 characters long and include at least one uppercase and one lowercase letter.
9. Reboot your device to apply the changes.
10. Go to **Advanced Settings** → **Admin** → **Single Sign-On** and select **Enable**.

Now you can log in to your device using SSO.

#### Enhanced Login Security

An enhanced login mechanism is enforced. Passwords must meet the following requirements:

- **Minimum length:** 15 characters
- **Uppercase letter:** At least one
- **Lowercase letter:** At least one
- **Password reuse restriction:** A new password must differ from the previous password by at least 8 characters

After three invalid login attempts, the user is locked out for 15 minutes.

#### Changed the Crypto Algorithm from MD5 to SHA-256

For FIPS 140-2 compliance, the device uses approved cryptographic algorithms implemented within a cryptographic module that has been tested and certified by an accredited lab.

As a result, the hash algorithm used for API requests has changed from MD5 to SHA-256.

If the **Authentication Method** is set to **Standard**, you must generate a valid HMAC signature using the configured **RESTful API Password** and the HMAC input string, with **SHA-256** as the digest algorithm.

The HMAC input string must be formatted as follows:

`[request_method]:[request_uri]:[content_sha256]:[content_type]:[timestamp]:[nonce]`.
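
The signing step described above, as an added example (not Algo's code): it builds the HMAC input string in the documented field order and computes the HMAC-SHA256 signature. Hex encoding of the digests, a Unix-epoch timestamp, and the sample URI, body and password are assumptions or constructed values; how the signature is carried in the request is not covered here.

```python
import hashlib
import hmac
import secrets
import time


def content_sha256(body: bytes) -> str:
    # Digest of the exact bytes sent as the request body.
    # Lowercase hex encoding is an assumption; the guide does not state it.
    return hashlib.sha256(body).hexdigest()


def build_hmac_input(method, uri, body, content_type, timestamp, nonce):
    # Field order and ':' separator are taken from the guide's format string.
    return ":".join([method, uri, content_sha256(body), content_type,
                     str(timestamp), nonce])


def sign(api_password: str, hmac_input: str) -> str:
    # HMAC keyed with the RESTful API Password, SHA-256 as the digest.
    return hmac.new(api_password.encode("utf-8"), hmac_input.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify(api_password: str, hmac_input: str, presented: str) -> bool:
    # Constant-time comparison, as a receiving side should do.
    return hmac.compare_digest(sign(api_password, hmac_input), presented)


# Constructed sample values, not taken from a real device.
PASSWORD = "example-api-password"
BODY = b'{"example": true}'
URI = "/api/example"  # hypothetical endpoint used only for illustration

if __name__ == "__main__":
    ts, nonce = int(time.time()), secrets.token_hex(8)  # assumed formats
    msg = build_hmac_input("POST", URI, BODY, "application/json", ts, nonce)
    sig = sign(PASSWORD, msg)
    print(msg)
    print(sig)
    # A signature computed over one body does not verify for another body.
    other = build_hmac_input("POST", URI, b'{"example": false}',
                             "application/json", ts, nonce)
    print(verify(PASSWORD, msg, sig), verify(PASSWORD, other, sig))
```

Because the body digest is part of the signed string, the hash must be taken over the same bytes that are transmitted; re-serializing the payload after signing invalidates the signature.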

#### Secure Protocols

HTTP/2 and HTTPS are used to enforce traffic encryption and the use of modern cipher suites.

#### NTP Authentication

NTP authentication is supported to ensure device time is obtained from a trusted source.

A new Web UI option is available under **Advanced Settings → Time**.

**To use NTP authentication:**

1. Go to **System** → **File Manager**.
2. Right-click the **Files** folder and select **Create Folder**.

   ![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/Screenshot 2026-02-09 154408 (1).png)
3. Rename the folder to **ntp**.
4. Upload a symmetric key file named *ntp.keys* to the **ntp** folder.
5. Go to **Advanced Settings** → **Time**.
6. Set **NTP Symmetric Key Authentication** as **Enabled**.
7. Select **Save**.

#### Backing up Configuration Files Automatically

You can enable **Backup Config Files** to automatically back up system configuration files when either of the following occurs:

- System settings are changed.
- User files are uploaded, deleted, or modified.

![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(702).png)

**To enable automatic configuration file backup:**

1. Go to **Advanced Settings** → **Admin** → **Configuration Backup**.
2. Set **Backup Config Files** as **Enabled**.
3. Select **Save**.

When you change the device configuration, a configuration backup is automatically saved to **System** → **File Manager** → **Backups**.

Backup files use the following naming format: *user-[YYYYMMDDXXXXXX]conf*.

![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(706).png)

#### Limiting the Maximum Number of Simultaneous Web Requests

You can limit the number of concurrent web requests made through the web interface or the API.

![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(703) (1) (2).png)

**To set the maximum number of simultaneous requests:**

1. Go to **Advanced Settings** → **Network** → **Web Server**.
2. Set a value for **Maximum Simultaneous Requests**.
3. Select **Save**.

#### IP Address Allow List for Accessing the Web Interface

You can use the **Allow Access from Secure Zones** setting to restrict web interface access to trusted IP addresses only.

![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(703) (1) (1).png)

**To create an allow list of IP addresses for accessing the web interface:**

1. Go to **Advanced Settings** → **Network** → **Web Server**.
2. Enter the IP addresses in **Allow Access from Secure Zones**.

   Use commas to delimit multiple addresses.
3. Select **Save**.

#### Disabled SNMP and RESTful API Support on 8300

SNMP (Simple Network Management Protocol) and RESTful APIs cannot be used to modify configurations on monitored devices.

To modify device configurations, you must log in to the device’s web interface using SSO.

#### Printing Access and Error Logs to Syslog

You can allow the web server to send access and error logs to the system logging service for centralized logging and monitoring.

![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/image(701).png)

**To enable printing access and error logs to syslog:**

1. Go to **Advanced Settings** → **Admin** → **Log Settings**.
2. Set **Log Web Server Events** as **Enabled**.

Access and error logs will be included in the logs downloaded from **System → System Log**.

## API Changes

You cannot use PUT API requests to modify device settings, add new files, or replace existing files.

The following PUT API requests are disabled:

- PUT /api/settings: Set the value of a specific parameter
- PUT /api/files/{filepath}/{filename}: Add a new file or replace an existing one

---

### FAQ

#### How can I find the full list of Algo devices that have passed JITC certification?

1. Go to [DoDIN APL (Department of Defense Information Network Approved Products List)](https://aplits.disa.mil/processAPList.action).
2. Select **Algo Communication Products Ltd** as the vendor, then select **Search APL**.

   ![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/Screenshot 2026-02-06 094029 (3).png)
3. At the bottom of the page, select **APL Memo** to download it.

   ![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/Screenshot 2026-02-06 100647 (1).png)
4. Open the downloaded **APL Memo** and search for **“IO certification letter”** to locate the link.

   ![](https://cdn.document360.io/f6f5e62d-d280-487f-9da7-5926ffd53b5f/Images/Documentation/Screenshot 2026-02-06 102041 (1).png)
5. Select the link to open the IO certification letter.
6. In the letter, search for **“SUT Hardware/Software/Firmware Version Identification”** to find the complete list of Algo devices that have passed JITC certification.

#### How do I know whether my device is a JITC-certified version?

When you log in to the device web interface, the product name has a “-SEC” suffix, for example, Algo 8180-SEC.

You must accept the U.S. GOVERNMENT NOTICE AND CONSENT before you can proceed.
