Because FIPS 140-2 provider modules are CPU intensive, they are not enabled by default. As the administrator, you are responsible for enabling the providers in FIPS 140-2 mode and configuring consumers.
The Oracle Solaris OS offers two providers of cryptographic algorithms that are validated for FIPS 140-2 Level 1:
The Cryptographic Framework feature of Oracle Solaris is the central cryptographic store on an Oracle Solaris system and provides two FIPS 140-2 modules. The userland module supplies cryptography for applications that run in user space and the kernel module provides cryptography for kernel-level processes. Both modules can leverage the algorithm acceleration from SPARC and x86 processors when available.
The Oracle Solaris Userland Cryptographic Framework module provides cryptography for any application that calls into it. The module provides encryption, decryption, hashing, secure random number generation, signature generation and verification, certificate generation and verification, message authentication functions, and key pair generation for RSA and DSA. User-level applications that call into the userland Cryptographic Framework run in FIPS 140-2 mode, for example, the passwd command and IKEv2.
The Oracle Solaris Kernel Cryptographic Framework module provides cryptography for the kernel module. The module provides encryption, decryption, hashing, secure random number generation, signature generation and verification, and message authentication functions. Kernel-level consumers, for example, Kerberos and IPsec, use proprietary APIs to call into the kernel Cryptographic Framework.
The OpenSSL object module provides cryptography for all consumers whose code supports FIPS 140-2.
OpenSSL is the Open Source toolkit for the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, and provides a cryptography library.
In Oracle Solaris, the FIPS 140-2 capable OpenSSL module supports two frequently used applications:
Secure Shell – Both the OpenSSH and the SunSSH implementations are supported.
Apache HTTP Server Version 2.4 – Can also use the Cryptographic Framework to run in FIPS 140-2 mode.
Apache HTTP Server Version 2.2 must use the Cryptographic Framework as its FIPS 140-2 provider. To run Version 2.2 in FIPS 140-2 mode, use the PKCS #11 engine rather than OpenSSL.
For an example of enabling the providers in FIPS 140-2 mode and enabling applications to use them, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.3 SRU 5.6 System.
To run the Cryptographic Framework in FIPS 140-2 mode, see How to Create a Boot Environment With FIPS 140-2 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.3.
To run OpenSSL in FIPS 140-2 mode, see OpenSSL and Oracle Solaris in Managing Encryption and Certificates in Oracle Solaris 11.3.
The Cryptographic Framework implements many cryptographic algorithms with varying key lengths. Each variant of an algorithm is called a mechanism. Not all mechanisms are validated for FIPS 140-2.
When running in FIPS 140-2 mode, the userland Cryptographic Framework does not enforce the use of FIPS 140-2 validated algorithms. This design choice enables you to apply your own security policy.
After enabling the providers in FIPS 140-2 mode, you must configure applications and programs to use FIPS 140-2 algorithms.
The cryptoadm and pktool commands list the algorithms that the Cryptographic Framework supports.
To display a complete list of cryptographic mechanisms, use the cryptoadm list -vm command. See the cryptoadm(1M) man page.
To display the list of curves for ECC algorithms, use the pktool gencert listcurves command. See the pktool(1) man page.
For information about ECC curves in Oracle Solaris that are FIPS 140-2 validated for Oracle Solaris, see FIPS 140-2 Algorithms in the Cryptographic Framework.
For information about the FIPS 140-2 algorithms that are validated for the Cryptographic Framework, review the Oracle Solaris security policies that are listed in FIPS 140-2 Level 1 Guidance Documents for Oracle Solaris Systems. The supported algorithms differ slightly between the kernel Cryptographic Framework and the userland Cryptographic Framework.
When running in FIPS 140-2 mode, OpenSSL enforces the use of FIPS 140-2 validated algorithms. Therefore, applications that use OpenSSL in FIPS 140-2 mode cannot access invalid algorithms.
For more information and examples, see the following:
OpenSSL and Oracle Solaris in Managing Encryption and Certificates in Oracle Solaris 11.3
OpenSSL on Oracle Solaris 11.2 (https://blogs.oracle.com/solaris/openssl-on-oracle-solaris-112-v2)
openssl(5) man page
For best performance, consumers of FIPS 140-2 providers should use hardware-accelerated cryptography where possible. The Cryptographic Framework runs with hardware acceleration in FIPS 140-2 mode on the systems listed in Oracle Solaris System Hardware Validated for FIPS 140-2.
To get hardware acceleration on a SPARC T4 or SPARC T5 server when running OpenSSL in FIPS 140-2 mode, use the pkcs11 engine.
For more information, see SPARC Acceleration of Optimized Cryptographic Functions in Managing Encryption and Certificates in Oracle Solaris 11.3. For an example, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.3 SRU 5.6 System.