To verify the current status of the certification, you can find information at the Cryptographic Modules Validation Program Web site address:
The security policy, which is available at the NIST site upon successful certification, includes requirements for secure configuration of the host operating system.
The FIPS 140-2 cryptographic libraries are designed to protect data at rest and in transit over the network.
Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and
DBMS_CRYPTO PL/SQL package.
To configure Transparent Data Encryption and the
DBMS_CRYPTO PL/SQL package program units to run in FIPS mode, set the
DBFIPS_140 initialization parameter to
TRUE. The effect of this parameter depends on the platform.
ALTER SYSTEM to set the
See Table E-1 for the correct settings to use.
ALTER SYSTEM SET DBFIPS_140 = TRUE;
Restart the database.
SHUTDOWN IMMEDIATE STARTUP
Table E-1 describes how the
DBFIPS_140 parameter affects various platforms.
|Platform||Effect of Setting DBFIPS_140 to TRUE or FALSE|
Linux or Windows on Intel x86_64
Solaris 11.1+ on either SPARC T-series or Intel x86_64
Other operating systems or hardware
Be aware that setting
TRUE and thus using the underlying library in FIPS mode incurs a certain amount of overhead when the library is first loaded. This is due to the verification of the signature and the execution of the self tests on the library. Once the library is loaded, then there is no other impact on performance.
See Also:Oracle Database Reference for more information about the
You can configure the
SSLFIPS_140 parameter for Secure Sockets Layer.
Ensure that the
fips.ora file is either located in the
/ldap/admin directory, or is in a location pointed to by the
FIPS_HOME environment variable.
In the fips.ora file, set SSLFIPS_140.
For example, to set
This parameter is set to
FALSE by default. You must set it to
TRUE on both the client and the server for FIPS mode operation.
Repeat this procedure in any Oracle Database home for any database server or client.
When you set
TRUE, Secure Sockets Layer cryptographic operations take place in the embedded RSA/Micro Edition Suite (MES) library in FIPS mode. These cryptographic operations are accelerated by the CPU when hardware acceleration is available and properly configured in the host hardware and software.
If you set
FALSE, then Secure Sockets Layer cryptographic operations take place in the embedded RSA/Micro Edition Suite (MES) library in non-FIPS mode, and as with the
TRUE setting, the operations are accelerated if possible.
For native encryption, this behavior of cryptographic operations landing in RSA/Micro Edition Suite (MES) and being accelerated is similar to the above, except that it is determined by the
FIPS_140 setting in
sqlnet.ora (instead of the
SSL_FIPS140 setting in
SSLFIPS_140parameter replaces the
SQLNET.SSLFIPS_140parameter used in Oracle Database 10g Release 2 (10.2). You must set the parameter in the
fips.orafile, and not the
During an SSL handshake, for example, the two nodes negotiate to see as to which cipher suite they will use when transmitting messages back and forth.
Only the following cipher suites are approved for FIPS validation:
Oracle Database SSL cipher suites are automatically set to FIPS approved cipher suites. If you wish to configure specific cipher suites, you can do so by editing the
SSL_CIPHER_SUITES parameter in the
sqlnet.ora or the
You can also use Oracle Net Manager to set this parameter on the server and the client.
See Also:"Step 1C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional)" and "Step 2D: Set the Client Secure Sockets Layer Cipher Suites (Optional)" for more information on setting cipher suites.
The permissions are as follows:
Set execute permissions on all Oracle executable files to prevent the execution of Oracle Cryptographic Libraries by users who are unauthorized to do so, in accordance with the system security policy.
To comply with FIPS 140-2 Level 2 requirements, in the security policy, include procedures to prevent unauthorized users from reading, modifying or executing Oracle Cryptographic Libraries processes and the memory they are using in the operating system.
Add the following lines to
sqlnet.ora to enable tracing:
trace_directory_server=trace_dir trace_file_server=trace_file trace_level_server=trace_level
trace_directory=/private/oracle/owm trace_file_server=fips_trace.trc trace_level_server=6
To check if FIPS mode is enabled for TDE and
DBMS_CRYPTO, log into SQL*Plus and run the following command:
SHOW PARAMETER DBFIPS_140
Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests.
Oracle supports Federal Information Processing Standard (FIPS) 140-1.
Note:The information contained in this section should be used with the information provided in Appendix B, "Data Encryption and Integrity Parameters".
The Oracle Database Federal Information Processing Standard (FIPS) 140-1 implementation has been validated under Federal Information Processing Standard (FIPS) 140-1 at the Level 2 security level.
You must follows the formal configuration required to comply with the FIPS 140-1 standard. Refer to the NIST Cryptographic Modules Validation list at the following Web site address:
Oracle provides FIPS 140-1 parameters for the server and client level and selection lists.
By default, the
sqlnet.ora file is located in the
/network/admin directory or in the location set by the
TNS_ADMIN environment variable. Ensure that you have properly set the
TNS_ADMIN variable to point to the correct
sqlnet.ora file. See SQL*Plus User's Guide and Reference for more information and examples of setting the
These configuration parameters are contained in the
sqlnet.ora file that is held locally for each of the client and server processes. The protection placed on these files should be equivalent to the level of a DBA.
The FIPS 140-1-related
sqlnet.ora parameters are as follows:
You must include the following parameter in the server
Setting the encryption as
REQUIRED on the server side of the connection permits a connection only if encryption is used, irrespective of the parameter value on the client.
One of the following parameter settings in the client file is mandatory:
A connection to the server is only possible if there is agreement between client and server for the connection encryption. The server has this set to
REQUIRED, therefore the client must not reject encryption for a valid connection to be the result. Failure to specify one of these values results in error when attempting to connect to a FIPS 140-1 compliant server.
You should ensure that you have installed the specified algorithm, or else the connection terminates. For FIPS 140-1 compliance, only DES encryption is permitted and therefore the following parameter setting is mandatory:
In order for a connection to be successful, ensure that the algorithm is installed and that the encryption type is mutually acceptable to the server.
To create a connection with a server that is configured for FIPS 140-1, the following parameter setting is mandatory:
Setting the parameter to
TRUE is mandatory for both client and server to ensure Oracle Database complies with the standards defined in FIPS 140-1 as follows:
Note:Use a text editor to set the
FIPS_140parameter in the
sqlnet.orafile. You cannot use Oracle Net Manager to set this parameter.
Set the execute permissions on all Oracle executable files to prevent execution by users who are unauthorized to do so in accordance with the system security policy.
Set read and write permissions on all executable files to prevent accidental or deliberate reading or modification of Oracle files by any user.
To comply with FIPS 140-1 Level 2 requirements, in the security policy, include procedures to prevent unauthorized users from reading or modifying Oracle processes and the memory they are using in the operating system.
You can uery
SELECT * from V$SESSION_CONNECT_INFO to display the product banner information for the active connection.
Table E-2 shows an example of a connection configuration where both DES encryption and MD5 data integrity is defined: