Using a FIPS 140-2 Enabled System in Oracle® Solaris 11.3

Updated: October 2019
 
 

Enabling FIPS 140-2 Consumers on an Oracle Solaris System

To run in FIPS 140-2 mode, applications on your FIPS 140-2-enabled system must use algorithms that the U.S. government has validated for FIPS 140-2 mode on Oracle Solaris. When FIPS 140-2 providers are enabled, some consumers use FIPS 140-2 algorithms by default, for example, the passwd command. Other consumers require configuration to use only FIPS 140-2 algorithms.

As an administrator, you are responsible for configuring consumers to use FIPS 140-2 algorithms that are validated for Oracle Solaris and avoiding invalid algorithms. Follow these guidelines:

  • Avoid an algorithm that is available on Oracle Solaris but is not part of the FIPS 140-2 validation for Oracle Solaris, for example, two-key Triple DES.

  • Avoid an algorithm that is part of the FIPS 140-2 certificate for Oracle Solaris but that has a key length shorter than FIPS 140-2 requires, for example, 1024-bit RSA.

  • Avoid an algorithm that is part of the FIPS 140-2 certificate for Oracle Solaris but that the consumer cannot use, for example, Elliptic-Curve Cryptography (ECC) over a Koblitz curve for IKEv2. IKEv2 supports ECC over primes only.

  • Avoid all algorithms that are not part of the FIPS 140-2 certificate for Oracle Solaris but are in the Cryptographic Framework, for example, the MD5 symmetric key algorithm and weaker versions of other symmetric algorithms.

  • Specify FIPS 140-2 algorithms only, even when other algorithms are available to consumers. Many consumers fall in this category.


Note -  Any application that cannot use FIPS 140-2 validated algorithms, such as the Internet Key Exchange Protocol Version 1 (IKEv1), should not be run on a FIPS 140-2 system.

Apache HTTP Server as a FIPS 140-2 Consumer

Oracle Solaris 11.3 provides two versions of the Apache HTTP Server. Version 2.4 installs as the package pkg:/web/server/apache-24 and Version 2.2 installs as the package pkg:/web/server/apache-22. To run in FIPS 140-2 mode, Version 2.4 can use either the FIPS 140-2 OpenSSL provider or the PKCS #11 engine option. Version 2.2 must use the PKCS #11 engine option, which is the Cryptographic Framework.


Note -  You can run both versions of the web server in FIPS 140-2 mode if you configure each version to listen on a different port.

You can use either the Cryptographic Framework (pktool gencert command) or the FIPS 140-2 version of OpenSSL (openssl -newkey command) to generate the web server certificate.

For the configuration steps, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.3 SRU 5.6 System.

Secure Shell as a FIPS 140-2 Consumer

Oracle Solaris 11.3 provides two implementations of Secure Shell: OpenSSH and SunSSH. Both implementations can run in FIPS 140-2 mode.

For OpenSSH, you must install the openssh package. When the FIPS 140-2 version of OpenSSL is enabled, OpenSSH runs in FIPS 140-2 mode.

For SunSSH, you must configure it to run in FIPS 140-2 mode. For more information, see SunSSH and FIPS 140-2 in Managing Secure Shell Access in Oracle Solaris 11.3, which includes the list of validated FIPS 140-2 algorithms.

For a sample configuration, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.3 SRU 5.6 System.

IPsec and IKEv2 as FIPS 140-2 Consumers

IP Security Architecture (IPsec) provides cryptographic protection for IP packets in IPv4 and IPv6 networks. Internet Key Management (IKE) provides automated key management for IPsec. In Oracle Solaris, IPsec is a consumer of the kernel Cryptographic Framework and IKE version 2 (IKEv2) is a consumer of the userland Cryptographic Framework. As the IPsec and IKE administrator, you are responsible for using IKEv2 with IPsec and for choosing FIPS 140-2 algorithms that are validated for Oracle Solaris.


Note -  IKEv1 does not use cryptographic algorithms that are validated for FIPS 140-2. Therefore, IKEv1 should not be used on a system that is running in FIPS 140-2 mode.

To ensure that IPsec and IKEv2 run in FIPS 140-2 mode, you must specify FIPS 140-2 algorithms after booting into an Oracle Solaris system where FIPS 140-2 mode is enabled. You are responsible for using FIPS 140-2 algorithms in IPsec and IKEv2 configuration files, and for key types and hash types for certificates and certificate signing requests (CSRs) that you generate with the ikev2cert command. For a summary list, see IPsec and FIPS 140-2 in Securing the Network in Oracle Solaris 11.3. For the full list of validated algorithms, review FIPS 140-2 Algorithms in the Cryptographic Framework.

Kerberos as a FIPS 140-2 Consumer

The Kerberos client installs as the package pkg:/security/kerberos-5, and the KDC manager installs as the package pkg:/security/kerberos-5/kdc. As the Kerberos administrator, you are responsible for enabling Kerberos servers, the Kerberos database, and Kerberos clients to use the FIPS 140-2 algorithm that is validated for Oracle Solaris.

Several Kerberos configuration files specify the encryption types to use for the KDC database and Kerberos clients. In those files, you must configure Kerberos to use FIPS 140-2 encryption types only and to disallow weak keys.

For the procedure, see How to Configure Kerberos to Run in FIPS 140-2 Mode in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.

Key Management Framework as a FIPS 140-2 Consumer

The Key Management Framework (KMF) manages cryptographic keys and cryptographic policy in Oracle Solaris. pktool is the KMF command for creating symmetric and asymmetric keys. As the KMF administrator, you are responsible for choosing FIPS 140-2 algorithms that are validated for Oracle Solaris. See examples in How to Create a Certificate by Using the pktool gencert Command in Managing Encryption and Certificates in Oracle Solaris 11.3 and the pktool(1) man page.

passwd Command as a FIPS 140-2 Consumer

The passwd command is a consumer of the userland Cryptographic Framework. Two configuration files, /etc/security/crypt.conf and /etc/security/policy.conf, determine which password hash the system uses.

The passwd command calls the crypt() function by using the PAM modules pam_authtok_store.so.1 and pam_unix_auth.so.1. The crypt() function dynamically loads plugins from the message digest library, libmd(), based on entries in the crypt.conf file. Available plugins include SHA256, SHA512, and MD5. The policy.conf file lists the plugins that are allowed. By default, the policy.conf file does not allow the use of MD5.


Note -  The cryptographic password hash policy in the /etc/security/policy.conf file promotes interoperability with systems that use non-FIPS 140-2 hashes. To promote FIPS 140-2 security, remove any non-FIPS 140-2 hashes from the CRYPT_ALGORITHMS_ALLOW entry in the policy.conf file.

For examples, see Creating a Login for a Trusted User in Securing Users and Processes in Oracle Solaris 11.3 and Creating a Role in Securing Users and Processes in Oracle Solaris 11.3.
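One way to check the password hash policy described above, as an added example that is not part of the Oracle documentation. It assumes that the crypt.conf identifiers 5 and 6 name the SHA256 and SHA512 plugins and that policy.conf also carries a CRYPT_DEFAULT entry (neither is stated on this page); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a policy.conf-style file for non-FIPS password hashes.
# Assumption: identifiers 5 and 6 name the SHA256 and SHA512 crypt plugins in
# /etc/security/crypt.conf; edit FIPS_IDS if your crypt.conf maps differently.
FIPS_IDS="5 6"

# policy_value FILE KEY: print the value of the last uncommented KEY= line.
policy_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# non_fips_ids FILE: print each CRYPT_ALGORITHMS_ALLOW identifier that is
# not listed in FIPS_IDS, space-separated (empty output means none).
non_fips_ids() {
    out=""
    for id in $(policy_value "$1" CRYPT_ALGORITHMS_ALLOW | tr ',' ' '); do
        case " $FIPS_IDS " in
            *" $id "*) ;;
            *) out="$out${out:+ }$id" ;;
        esac
    done
    printf '%s\n' "$out"
}

# audit_policy FILE: return 0 only if the allow list is set, holds FIPS
# identifiers only, and CRYPT_DEFAULT is one of them.
audit_policy() {
    rc=0
    if [ -z "$(policy_value "$1" CRYPT_ALGORITHMS_ALLOW)" ]; then
        echo "CRYPT_ALGORITHMS_ALLOW is not set"; rc=1
    fi
    bad=$(non_fips_ids "$1")
    [ -z "$bad" ] || { echo "non-FIPS identifiers allowed: $bad"; rc=1; }
    def=$(policy_value "$1" CRYPT_DEFAULT)
    case " $FIPS_IDS " in
        *" $def "*) ;;
        *) echo "CRYPT_DEFAULT is not FIPS: ${def:-unset}"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input (not a real system's file).
sample=$(mktemp)
printf '%s\n' '#CRYPT_ALGORITHMS_ALLOW=5,6' \
    'CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6' 'CRYPT_DEFAULT=5' > "$sample"
audit_policy "$sample" || echo "policy needs editing"
rm -f "$sample"
```

On a live system, run `audit_policy /etc/security/policy.conf` after confirming the identifier-to-plugin mapping in /etc/security/crypt.conf.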

encrypt, decrypt, digest, and mac Commands as FIPS 140-2 Consumers

The user commands encrypt, decrypt, digest, and mac are consumers of the Cryptographic Framework. The site security team should guide regular users to choose FIPS 140-2 algorithms of a validated key length.