Managing Encryption and Certificates in Oracle® Solaris 11.2

Exit Print View

 
Updated: September 2014
 
 

Create a Boot Environment with FIPS 140 Enabled

By default, FIPS 140 mode is disabled in Oracle Solaris. In this procedure, you create a new boot environment (BE) for FIPS 140 mode, then enable FIPS 140 and boot into the new BE. By giving you a backup BE, this method enables you to quickly recover from system panics that can result from FIPS 140 compliance tests.

For an overview about FIPS, see Using a FIPS 140 Enabled System in Oracle Solaris 11.2 . See, also, the cryptoadm(1M) man page and Cryptographic Framework and FIPS 140.

How to Create a Boot Environment with FIPS 140 Enabled

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Determine if the system is in FIPS 140 mode. 
    % cryptoadm list fips-140
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS-140 mode is disabled.

Kernel software providers:
==========================
des: FIPS-140 mode is disabled.
aes: FIPS-140 mode is disabled.
ecc: FIPS-140 mode is disabled.
sha1: FIPS-140 mode is disabled.
sha2: FIPS-140 mode is disabled.
rsa: FIPS-140 mode is disabled.
swrand: FIPS-140 mode is disabled.

Kernel hardware providers:
=========================:
  2. Create a new BE for your FIPS 140 version of the Cryptographic Framework.

    Before you enable FIPS 140 mode, you must first create, activate, and boot a new BE by using the beadm command. A FIPS 140-enabled system runs compliance tests that can cause a panic if they fail. Therefore, it is important to have an available BE that you can boot to get your system up and running while you debug issues with the FIPS 140 boundary.

    1. Create a BE based on your current BE.

      In this example, you create a BE named S11.1-FIPS.

      # beadm create S11.1-FIPS-140
    2. Activate that BE. 
      # beadm activate S11.1-FIPS-140
    3. Reboot the system.
    4. Enable FIPS 140 mode in the new BE. 
      # cryptoadm enable fips-140
      Note -  This subcommand does not disable the non-FIPS 140 approved algorithms from the user-level pkcs11_softtoken library and the kernel software providers. The consumers of the framework are responsible for using only FIPS 140-approved algorithms.

      For more information about the effects of FIPS 140 mode, see Using a FIPS 140 Enabled System in Oracle Solaris 11.2 . See, also, the cryptoadm(1M) man page.

  3. When you want to run without FIPS 140 enabled, disable FIPS 140 mode.

    You can reboot to the original BE or disable FIPS 140 in the current BE.

    • Boot to the original BE. 
      # beadm list
BE               Active Mountpoint Space   Policy Created
--               ------ ---------- -----   ------ -------
S11.1            -      -          48.22G   static 2012-10-10 10:10
S11.1-FIPS-140   NR     /          287.01M  static 2012-11-18 18:18
# beadm activate S11.1
# beadm list
BE               Active Mountpoint Space   Policy Created
--               ------ ---------- -----   ------ -------
S11.1            R      -          48.22G   static 2012-10-10 10:10
S11.1-FIPS-140   N      /          287.01M  static 2012-11-18 18:18
# reboot
    • Disable FIPS 140 mode in the current BE and reboot. 
      # cryptoadm disable fips-140

      FIPS 140 mode remains in operation until the system is rebooted.

      # reboot
Copyright © 2002, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous
Next