Oracle® Database Security Guide
12c Release 1 (12.1)
This appendix contains:
The cryptographic libraries for SSL included in Oracle Database are designed to meet FIPS 140-2 Level 2 certification. Oracle Database uses these cryptographic libraries for SSL authentication. You can verify the current status of the certification at the Cryptographic Modules Validation Program Web site address:
The security policy, which is available at the NIST site upon successful certification, includes requirements for secure configuration of the host operating system.
You can configure the SSL adapter to run in FIPS mode by setting the SSLFIPS_140 parameter to TRUE in the fips.ora file. Ensure that the fips.ora file is either located in the /ldap/admin directory, or is in a location pointed to by the FIPS_HOME environment variable.
This parameter is set to FALSE by default. You must set it to TRUE on both the client and the server for FIPS mode operation.
You can repeat this procedure in any Oracle Database home for any database server or client.
The SSLFIPS_140 parameter replaces the SQLNET.SSLFIPS_140 parameter used in Oracle Database 10g Release 2 (10.2). You must set the parameter in the fips.ora file, and not the
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate which cipher suite they will use when transmitting messages back and forth.
Only the following cipher suites are approved for FIPS validation:
Oracle Database SSL cipher suites are automatically set to FIPS approved cipher suites. If you wish to configure specific cipher suites, you can do so by editing the SSL_CIPHER_SUITES parameter in the sqlnet.ora or the
You can also use Oracle Net Manager to set this parameter on the server and the client.
See Also:"Step 1C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional)" and "Step 2D: Set the Client Secure Sockets Layer Cipher Suites (Optional)" for more information on setting cipher suites.
Set execute permissions on all Oracle executable files to prevent the execution of Oracle Cryptographic Libraries by users who are unauthorized to do so, in accordance with the system security policy.
Set read and write permissions on all Oracle executable files to prevent accidental or deliberate reading or modification of Oracle Cryptographic Libraries by any user.
To comply with FIPS 140-2 Level 2 requirements, in the security policy, include procedures to prevent unauthorized users from reading, modifying or executing Oracle Cryptographic Libraries processes and the memory they are using in the operating system.
trace_directory_server=trace_dir
trace_file_server=trace_file
trace_level_server=trace_level

For example:

trace_directory_server=/private/oracle/owm
trace_file_server=fips_trace.trc
trace_level_server=6

Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests.
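As an added example (not part of the Oracle documentation), the following POSIX shell functions check the two settings described above: that SSLFIPS_140 is TRUE in fips.ora, and that trace_level_server is at least 6 so the FIPS self-test results appear in the trace. The fips.ora lookup assumes FIPS_HOME or, failing that, $ORACLE_HOME/ldap/admin; the sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a fips.ora / sqlnet.ora pair for the FIPS settings
# described above. Paths and sample files below are constructed, not Oracle's.

# Print the value of a KEY=VALUE parameter from FILE (case-insensitive key,
# surrounding whitespace stripped, first match wins). Empty output if absent.
param_value() {
    # $1 = file, $2 = parameter name
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Resolve fips.ora: FIPS_HOME wins, otherwise $ORACLE_HOME/ldap/admin (assumed).
fips_ora_path() {
    if [ -n "${FIPS_HOME:-}" ]; then
        printf '%s/fips.ora\n' "$FIPS_HOME"
    else
        printf '%s/ldap/admin/fips.ora\n' "${ORACLE_HOME:?ORACLE_HOME not set}"
    fi
}

# Succeeds only when SSLFIPS_140 is TRUE in the given fips.ora (default is FALSE).
fips_mode_enabled() {
    v=$(param_value "$1" SSLFIPS_140 | tr '[:lower:]' '[:upper:]')
    [ "$v" = "TRUE" ]
}

# Succeeds when trace_level_server in sqlnet.ora is at least 6, the minimum
# needed to see the FIPS self-test results in the trace file.
trace_level_sufficient() {
    lvl=$(param_value "$1" trace_level_server)
    case "$lvl" in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric value
    esac
    [ "$lvl" -ge 6 ]
}

# Constructed sample files: a default (FIPS off) and a hardened configuration.
WORK=$(mktemp -d)
printf 'SSLFIPS_140=FALSE\n' > "$WORK/fips_default.ora"
printf '# FIPS mode on\nsslfips_140 = true\n' > "$WORK/fips_on.ora"
printf 'trace_level_server=3\n' > "$WORK/sqlnet_low.ora"
printf 'trace_directory_server=/tmp\ntrace_level_server=6\n' > "$WORK/sqlnet_ok.ora"

if fips_mode_enabled "$WORK/fips_on.ora"; then echo "fips_on.ora: FIPS mode enabled"; fi
if ! fips_mode_enabled "$WORK/fips_default.ora"; then echo "fips_default.ora: FIPS mode off"; fi
if trace_level_sufficient "$WORK/sqlnet_ok.ora"; then echo "sqlnet_ok.ora: trace level >= 6"; fi
```

Run the same functions against the real fips.ora (via fips_ora_path) and sqlnet.ora on both client and server, since FIPS mode must be TRUE on both ends.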