Managing Encryption and Certificates in Oracle® Solaris 11.2

Updated: September 2014
 
 

How to Switch to the FIPS 140-Capable OpenSSL Implementation

By default, the OpenSSL implementation that is not FIPS 140-capable is active in Oracle Solaris. However, you can choose the security for your system and select the implementation that you want.

  1. Become an administrator.
  2. Ensure that both implementations are on the system.
    $ pkg mediator -a openssl

    Caution  -  The OpenSSL implementation to which you are switching must exist in the system. If you switch to an implementation that is not in the system, the system might become unusable.


  3. Switch to a different OpenSSL implementation.
    # pkg set-mediator [--be-name name] -I implementation openssl

    where implementation is either default or fips-140 and name is a name for a new clone of the current boot environment. The clone will have the specified implementation active.


    Note -  When --be-name is specified, the command creates a backup of the current boot environment. When you reboot, the system will run the new, cloned boot environment with the new implementation.

    For more information about the pkg set-mediator command, see Changing the Preferred Application in Adding and Updating Software in Oracle Solaris 11.2.

  4. Reboot the system.
  5. (Optional) Verify that the switch was successful and that your preferred OpenSSL implementation is active.
    # pkg mediator openssl
    
Example 1-1  Switching to the FIPS 140-Capable OpenSSL Implementation

This example changes a system's OpenSSL implementation to be FIPS 140 capable.

# pkg mediator -a openssl
MEDIATOR     VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
openssl      vendor            vendor     default
openssl      system            system     fips-140

# pkg set-mediator --be-name BE2 -I fips-140 openssl
# reboot

# pkg mediator openssl
MEDIATOR     VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
openssl      vendor            vendor     default
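
The procedure's Caution can be enforced in a script rather than checked by eye. The following is an added example, not Oracle's code: it refuses to run pkg set-mediator unless the requested implementation appears in the pkg mediator -a openssl listing. The function names and SAMPLE_LISTING are assumptions for illustration, and the parser assumes the implementation is the last field of each openssl row, as in Example 1-1.

```shell
#!/bin/sh
# Added example (not Oracle's code): guard around the mediator switch.
# Function names and SAMPLE_LISTING are assumptions for illustration.

# Listing as printed in Example 1-1, embedded so the parser can be tried
# without a Solaris system.
SAMPLE_LISTING='MEDIATOR     VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
openssl      vendor            vendor     default
openssl      system            system     fips-140'

# impl_listed IMPL
# Reads "pkg mediator -a openssl" output on stdin. Succeeds only when IMPL
# appears in the IMPLEMENTATION column (the last field) of an openssl row.
impl_listed() {
    awk -v want="$1" '
        $1 == "openssl" && $NF == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# active_impl
# Reads "pkg mediator openssl" output on stdin and prints the implementation
# named in the first openssl row.
active_impl() {
    awk '$1 == "openssl" { print $NF; exit }'
}

# switch_openssl IMPL BE_NAME
# Steps 2 and 3: refuse to switch unless IMPL is one of the two documented
# values and is listed as installed. An empty or failed listing also refuses.
switch_openssl() {
    case "$1" in
        default|fips-140) ;;
        *) echo "unknown implementation: $1" >&2; return 2 ;;
    esac
    if ! pkg mediator -a openssl | impl_listed "$1"; then
        echo "$1 not listed by 'pkg mediator -a openssl'; not switching" >&2
        return 1
    fi
    pkg set-mediator --be-name "$2" -I "$1" openssl
}

# verify_openssl IMPL
# Step 5, run after the reboot: succeeds only when IMPL is the active one.
verify_openssl() {
    [ "$(pkg mediator openssl | active_impl)" = "$1" ]
}
```

As an administrator, source the file and run switch_openssl fips-140 BE2, reboot, then run verify_openssl fips-140 and check its exit status.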