Securing the Network in Oracle® Solaris 11.2


Updated: August 2014
 
 

IPsec and FIPS 140

You can easily configure IPsec to comply with FIPS 140 requirements on a FIPS 140-enabled system. You are responsible for choosing only FIPS 140-validated algorithms to create keys and certificates. The procedures and examples in this guide use FIPS 140-approved algorithms except when the algorithm "any" is specified.


Note - If you have a strict requirement to use only FIPS 140-2 validated cryptography, you must be running the Oracle Solaris 11.1 SRU 5.5 release or the Oracle Solaris 11.1 SRU 3 release. Oracle completed a FIPS 140-2 validation against the Cryptographic Framework in these two specific releases. Oracle Solaris 11.2 builds on this validated foundation and includes software improvements that address performance, functionality, and reliability. Whenever possible, you should configure Oracle Solaris 11.2 in FIPS 140-2 mode to take advantage of these improvements.

The following mechanisms are available to IPsec and approved for use in Oracle Solaris in FIPS 140 mode:

  • AES in CBC, CCM, GCM, and GMAC modes in 128-bit to 256-bit key lengths

  • 3DES

  • SHA1

  • SHA2 in 256-bit and 512-bit key lengths

For the definitive list of FIPS 140-validated algorithms for Oracle Solaris, see http://www.oracle.com/technetwork/topics/security/140sp2061-2082028.pdf. For a fuller discussion, see Using a FIPS 140 Enabled System in Oracle Solaris 11.2.
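The mechanism list above can be applied as an audit of IPsec policy entries, flagging any entry that uses "any" or an algorithm outside the list. This is an added example, not part of the Oracle guide; the algorithm token spellings, the function name audit, and the sample policy lines are assumptions constructed for illustration.

```python
import re

# Allowlist transcribed from the mechanism list above. Token spellings are
# assumptions modelled on ipsecconf-style names; adjust them to your system.
# The definitive list is Oracle's FIPS 140 security policy document.
ENCR = {"aes", "aes-cbc", "aes-ccm", "aes-gcm", "3des"}
AUTH = {"sha1", "hmac-sha1", "sha256", "hmac-sha256", "sha512", "hmac-sha512"}
APPROVED = {"encr_algs": ENCR, "auth_algs": AUTH, "encr_auth_algs": AUTH}

PROP = re.compile(r"\b(encr_auth_algs|encr_algs|auth_algs)\s+([^\s{}]+)")
SPEC = re.compile(r"^([a-z0-9-]+)(?:\(([0-9.]*)\))?$")  # name, optional (bits) or (lo..hi)

def audit(policy_text):
    """Return (line_no, keyword, algorithm, reason) for each use outside the list."""
    findings = []
    for no, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments
        for keyword, token in PROP.findall(line):
            m = SPEC.match(token.lower())
            if not m:
                findings.append((no, keyword, token, "unparsable algorithm"))
                continue
            name, bits = m.group(1), re.findall(r"\d+", m.group(2) or "")
            if name == "any":
                reason = "'any' does not restrict the choice to listed algorithms"
            elif name not in APPROVED[keyword]:
                reason = "not in the FIPS 140 mechanism list above"
            elif name.startswith("aes") and any(not 128 <= int(b) <= 256 for b in bits):
                reason = "AES key length outside 128-256 bits"
            else:
                continue
            findings.append((no, keyword, token, reason))
    return findings

# Constructed sample policy entries (not from the guide).
SAMPLE = """\
# constructed example entries
{laddr 192.0.2.1 raddr 192.0.2.2} ipsec {encr_algs aes(256) encr_auth_algs sha512 sa shared}
{raddr 192.0.2.3} ipsec {encr_algs any encr_auth_algs sha256}
{raddr 192.0.2.4} ipsec {encr_algs blowfish encr_auth_algs md5}
{raddr 192.0.2.5} ipsec {auth_algs hmac-sha1}   # encr_algs des in a comment is ignored
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s %s: %s" % finding)
```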