Oracle® Database Security Guide
12c Release 1 (12.1)

E48135-10

E Oracle Database FIPS 140 Settings

About the Oracle Database FIPS 140 Settings

This appendix describes how to configure Oracle Database for the Federal Information Processing Standard (FIPS), for the current standard, 140-2, and for 140-1. You can verify the current status of the certification at the Cryptographic Modules Validation Program Web site address:

http://csrc.nist.gov/cryptval/

The security policy, which is available at the NIST site upon successful certification, includes requirements for secure configuration of the host operating system.

Configuring Oracle Database for FIPS 140-2

About the FIPS 140-2 Settings

The cryptographic libraries included in Oracle Database are designed to meet Federal Information Processing Standard (FIPS) 140-2 Level 2 certification. These libraries are designed to protect data at rest and in transit over the network. Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and DBMS_CRYPTO PL/SQL package authentication.

Configuring FIPS 140-2 for Transparent Data Encryption and DBMS_CRYPTO

To configure Transparent Data Encryption and the DBMS_CRYPTO PL/SQL package program units to run in FIPS mode, set the DBFIPS_140 initialization parameter to TRUE. The effect of this parameter depends on the platform.

Table E-1 describes how the DBFIPS_140 parameter affects various platforms.

Table E-1 How the DBFIPS_140 Initialization Parameter Affects Platforms

Columns: Platform; Effect of Setting DBFIPS_140 to TRUE or FALSE

Linux or Windows on Intel x86_64

  • TRUE: TDE and DBMS_CRYPTO program units use the embedded FIPS library from RSA in FIPS mode

  • FALSE: TDE and DBMS_CRYPTO program units use the embedded non-FIPS library from Intel

Solaris 11.1+ on either SPARC T-series or Intel x86_64

  • TRUE: TDE and DBMS_CRYPTO program units use MES 4.0.5.1 FIPS mode

  • FALSE: TDE and DBMS_CRYPTO program units use the embedded FIPS library from Solaris

Other operating systems or hardware

  • TRUE: TDE and DBMS_CRYPTO program units use MES 4.0.5.1 FIPS mode

  • FALSE: TDE and DBMS_CRYPTO program units use MES 4.0.5.1 non-FIPS mode


In addition, all of the libraries that are described in Table E-1 benefit from CPU-based hardware acceleration when it is available in the underlying hardware and software configuration. Note that the different cryptographic libraries have different performance characteristics, and you may observe different levels of acceleration.

Use ALTER SYSTEM to set the DBFIPS_140 parameter. For example:

ALTER SYSTEM SET DBFIPS_140 = TRUE;

After you set DBFIPS_140, you must restart the database.

Be aware that setting DBFIPS_140 to TRUE and thus using the underlying library in FIPS mode incurs a certain amount of overhead when the library is first loaded. This is due to the verification of the signature and the execution of the self tests on the library. Once the library is loaded, then there is no other impact on performance.

See Also:

Oracle Database Reference for more information about the DBFIPS_140 initialization parameter

Configuring FIPS 140-2 for Secure Sockets Layer

Configuring the SSLFIPS_140 Parameter for Secure Sockets Layer

You can configure the Secure Socket Layer (SSL) adapter to run in FIPS mode by setting the SSLFIPS_140 parameter to TRUE in the fips.ora file. Ensure that the fips.ora file is either located in the $ORACLE_HOME/ldap/admin directory, or is in a location pointed to by the FIPS_HOME environment variable.

When you set SSLFIPS_140 to TRUE, Secure Sockets Layer cryptographic operations take place in the embedded FIPS library from RSA in FIPS mode. These cryptographic operations are accelerated by the CPU when hardware acceleration is available and properly configured in the host hardware and software.

If you set SSLFIPS_140 to FALSE, then Secure Sockets Layer cryptographic operations take place in the embedded FIPS library from RSA in non-FIPS mode, and as with the TRUE setting, the operations are accelerated if possible.

For example, to set SSLFIPS_140 to TRUE:

SSLFIPS_140=TRUE

This parameter is set to FALSE by default. You must set it to TRUE on both the client and the server for FIPS mode operation.

You can repeat this procedure in any Oracle Database home for any database server or client.

Note:

The SSLFIPS_140 parameter replaces the SQLNET.SSLFIPS_140 parameter used in Oracle Database 10g Release 2 (10.2). You must set the parameter in the fips.ora file, and not the sqlnet.ora file.

Selecting SSL Cipher Suites for FIPS 140-2

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate which cipher suite they will use when transmitting messages back and forth.

Only the following cipher suites are approved for FIPS validation:

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

  • SSL_DH_anon_WITH_DES_CBC_SHA

  • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

  • SSL_RSA_WITH_AES_256_CBC_SHA

  • SSL_RSA_WITH_AES_128_CBC_SHA

  • SSL_RSA_WITH_AES_256_GCM_SHA384

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

Oracle Database SSL cipher suites are automatically set to FIPS-approved cipher suites. If you want to configure specific cipher suites, edit the SSL_CIPHER_SUITES parameter in the sqlnet.ora or the listener.ora file.

SSL_CIPHER_SUITES=(SSL_cipher_suite1[,SSL_cipher_suite2[,..]])

You can also use Oracle Net Manager to set this parameter on the server and the client.

Configuring the FIPS_140 Parameter for Network Data Encryption

You can configure network data encryption to run in FIPS mode by setting the FIPS_140 parameter to TRUE in the sqlnet.ora file. Ensure that the sqlnet.ora file is either located in the $ORACLE_HOME/network/admin directory, or is in a location pointed to by the TNS_ADMIN environment variable.

When you set FIPS_140 to TRUE, then network data encryption cryptographic operations take place in the embedded RSA library in FIPS mode. These cryptographic operations are accelerated by the CPU when hardware acceleration is available and properly configured in the host hardware and software.

If you set FIPS_140 to FALSE, then network data encryption cryptographic operations take place in the embedded RSA library in non-FIPS mode, and as with the TRUE setting, the operations are accelerated if possible.

For example, to set FIPS_140 to TRUE:

FIPS_140=TRUE

This parameter is set to FALSE by default. You must set it to TRUE on both the client and the server for FIPS mode operation.

You can repeat this procedure in any Oracle Database home for any database server or client.
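
A configuration check for the SSL and network encryption settings described above (SSLFIPS_140 in fips.ora, FIPS_140 and SSL_CIPHER_SUITES in sqlnet.ora), added here as an example and not part of Oracle's documentation or tooling. The function names and the sample file contents are assumptions; the parser handles single-line entries only.

```python
import re

# Cipher suites this appendix lists as approved for FIPS validation.
APPROVED = {s.upper() for s in """
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA""".split()}

def parse_ora(text):
    """Parse single-line NAME=value entries ('#' starts a comment); names upper-cased."""
    params = {}
    for raw in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(.+?)\s*$", raw.split("#", 1)[0])
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params

def is_true(params, *names):  # True if any of the names is set to TRUE
    return any(params.get(n, "FALSE").upper() == "TRUE" for n in names)

def audit_fips_140_2(fips_ora, sqlnet_ora):
    """Return a list of findings for the FIPS 140-2 network settings."""
    fips, sqlnet = parse_ora(fips_ora), parse_ora(sqlnet_ora)
    findings = []
    if not is_true(fips, "SSLFIPS_140"):
        findings.append("fips.ora: SSLFIPS_140 is not TRUE")
    if "SSLFIPS_140" in sqlnet or "SQLNET.SSLFIPS_140" in sqlnet:
        findings.append("sqlnet.ora: SSLFIPS_140 must be set in fips.ora instead")
    if not is_true(sqlnet, "FIPS_140", "SQLNET.FIPS_140"):
        findings.append("sqlnet.ora: FIPS_140 is not TRUE")
    suites = sqlnet.get("SSL_CIPHER_SUITES", "").strip("()").split(",")
    for suite in (s.strip() for s in suites if s.strip()):
        if suite.upper() not in APPROVED:
            findings.append(f"sqlnet.ora: {suite} is not an approved suite")
    return findings

# Constructed sample files (not taken from a real system).
FIPS_ORA = "SSLFIPS_140=TRUE\n"
SQLNET_ORA = """\
# legacy 10.2 setting left behind after an upgrade
SQLNET.SSLFIPS_140=TRUE
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA)
"""

if __name__ == "__main__":
    for finding in audit_fips_140_2(FIPS_ORA, SQLNET_ORA):
        print(finding)
```

Run the same check against the client and the server files, because both sides must have the parameters set to TRUE. Being on the approved list says nothing about strength: the DES, DES40 export and DH_anon entries can be left out of an explicit SSL_CIPHER_SUITES setting.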

Postinstallation Checks for FIPS 140-2

After you configure the FIPS 140-2 settings, you must verify the following permissions in the operating system:

  • Set execute permissions on all Oracle executable files to prevent the execution of Oracle Cryptographic Libraries by users who are unauthorized to do so, in accordance with the system security policy.

  • Set read and write permissions on all Oracle executable files to prevent accidental or deliberate reading or modification of Oracle Cryptographic Libraries by any user.

To comply with FIPS 140-2 Level 2 requirements, in the security policy, include procedures to prevent unauthorized users from reading, modifying or executing Oracle Cryptographic Libraries processes and the memory they are using in the operating system.

Verifying FIPS 140-2 Connections

To check if FIPS mode is enabled for SSL, you can enable tracing in the sqlnet.ora file. You can find FIPS self-test messages in the trace file. Add the following lines to sqlnet.ora to enable tracing:

trace_directory_server=trace_dir
trace_file_server=trace_file
trace_level_server=trace_level

For example:

trace_directory_server=/private/oracle/owm
trace_file_server=fips_trace.trc
trace_level_server=6

Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests.

To check if FIPS mode is enabled for TDE and DBMS_CRYPTO, log into SQL*Plus and run the following command:

SHOW PARAMETER DBFIPS_140

Configuring Oracle Database for FIPS 140-1

About the FIPS 140-1 Settings

The Oracle Database Federal Information Processing Standard (FIPS) 140-1 implementation has been validated under Federal Information Processing Standard (FIPS) 140-1 at the Level 2 security level. This section describes the formal configuration required to comply with the FIPS 140-1 standard. Refer to the NIST Cryptographic Modules Validation list at the following Web site address:

http://csrc.nist.gov/cryptval/140-1/1401val.htm

sqlnet.ora FIPS 140-1 Configuration Parameters

About the sqlnet.ora FIPS 140-1 Configuration Parameters

This appendix contains information about the Oracle Database parameters required in the sqlnet.ora files to ensure that any connections created between a client and server are encrypted under the control of the server.

By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory or in the location set by the TNS_ADMIN environment variable. Ensure that you have properly set the TNS_ADMIN variable to point to the correct sqlnet.ora file. See SQL*Plus User's Guide and Reference for more information and examples of setting the TNS_ADMIN variable.

These configuration parameters are contained in the sqlnet.ora file that is held locally for each of the client and server processes. The protection placed on these files should be equivalent to the level of a database administrator.

The FIPS 140-1-related sqlnet.ora parameters are as follows:

  • ENCRYPTION_SERVER

  • ENCRYPTION_CLIENT

  • ENCRYPTION_TYPES_SERVER

  • ENCRYPTION_TYPES_CLIENT

  • FIPS_140

Server Encryption Level Setting

The server side of the negotiation notionally controls the connection settings. You must include the following parameter in the server sqlnet.ora file:

SQLNET.ENCRYPTION_SERVER=REQUIRED

Setting the encryption as REQUIRED on the server side of the connection permits a connection only if encryption is used, irrespective of the parameter value on the client.

Client Encryption Level Setting

The ENCRYPTION_CLIENT sqlnet.ora parameter specifies the connection behavior for the client. One of the following parameter settings in the client file is mandatory:

SQLNET.ENCRYPTION_CLIENT=(ACCEPTED|REQUESTED|REQUIRED)

A connection to the server is only possible if the client and server agree on the connection encryption. Because the server has this parameter set to REQUIRED, the client must not reject encryption if the connection is to succeed. Failure to specify one of these values results in an error when attempting to connect to a FIPS 140-1 compliant server.

Server Encryption Selection List

The ENCRYPTION_TYPES_SERVER sqlnet.ora parameter specifies a list of encryption algorithms that the server can use when acting as a server in the order of required usage. Ensure that you have installed the specified algorithm, or else the connection terminates. For FIPS 140-1 compliance, only DES encryption is permitted and therefore the following parameter setting is mandatory:

SQLNET.ENCRYPTION_TYPES_SERVER=(DES,DES40)

Client Encryption Selection List

The ENCRYPTION_TYPES_CLIENT sqlnet.ora parameter specifies the list of encryption algorithms that the client is prepared to use for the connection with the server. In order for a connection to be successful, ensure that the algorithm is installed and that the encryption type is mutually acceptable to the server.

To create a connection with a server that is configured for FIPS 140-1, the following parameter setting is mandatory:

SQLNET.ENCRYPTION_TYPES_CLIENT=(DES,DES40)
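
How the level and algorithm settings above combine, as an added model that is not Oracle's code. The level matrix (including the REJECTED value, which this appendix does not name) and the rule that the server's list order decides the algorithm are assumptions based on the general Oracle Net description of these parameters; the client lists in the demo are constructed.

```python
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

def negotiate(server_level, client_level, server_types, client_types):
    """Return ("ON", algorithm), ("OFF", None) or ("FAIL", reason)."""
    levels = (server_level.upper(), client_level.upper())
    if any(lv not in LEVELS for lv in levels):
        raise ValueError(f"unknown level in {levels}")
    required = "REQUIRED" in levels
    if "REJECTED" in levels:
        if required:
            return ("FAIL", "one side requires encryption, the other rejects it")
        return ("OFF", None)
    if levels == ("ACCEPTED", "ACCEPTED"):
        return ("OFF", None)  # neither side asked for encryption
    offered = {t.upper() for t in client_types}
    for alg in (t.upper() for t in server_types):  # server order decides
        if alg in offered:
            return ("ON", alg)
    if required:
        return ("FAIL", "no mutually acceptable algorithm")
    return ("OFF", None)

# Server settings this appendix makes mandatory for FIPS 140-1.
FIPS_SERVER_LEVEL = "REQUIRED"
FIPS_SERVER_TYPES = ["DES", "DES40"]

def client_outcomes(client_types):
    """Outcome for every client level against the FIPS 140-1 server settings."""
    return {lv: negotiate(FIPS_SERVER_LEVEL, lv, FIPS_SERVER_TYPES, client_types)
            for lv in LEVELS}

if __name__ == "__main__":
    # Constructed client algorithm lists.
    for types in (["DES", "DES40"], ["DES40"], ["AES256"]):
        for level, result in client_outcomes(types).items():
            print(types, level, result)
```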

FIPS Parameter

The default setting of the FIPS_140 sqlnet.ora parameter is FALSE. Setting the parameter to TRUE is mandatory for both client and server to ensure Oracle Database complies with the standards defined in FIPS 140-1 as follows:

SQLNET.FIPS_140=TRUE

Note:

Use a text editor to set the FIPS_140 parameter in the sqlnet.ora file. You cannot use Oracle Net Manager to set this parameter.

Postinstallation Checks for FIPS 140-1

After you configure your database for FIPS 140-1, you must verify the following permissions in the operating system:

  • Set the execute permissions on all Oracle executable files to prevent execution by users who are unauthorized to do so in accordance with the system security policy.

  • Set read and write permissions on all executable files to prevent accidental or deliberate reading or modification of Oracle files by any user.

To comply with FIPS 140-1 Level 2 requirements, in the security policy, include procedures to prevent unauthorized users from reading or modifying Oracle processes and the memory they are using in the operating system.
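
A starting point for the permission checks in both postinstallation sections (FIPS 140-2 and FIPS 140-1), added here as an example and not taken from Oracle. The policy bits, the sample tree and the file name libcrypto_sample.so are assumptions; point audit_tree at the real Oracle home and adjust FORBIDDEN to the system security policy.

```python
import os
import stat

# Assumed site policy (not from the Oracle text): Oracle executables and
# cryptographic libraries grant nothing to "other" and no write to group.
FORBIDDEN = {
    stat.S_IROTH: "world-readable",
    stat.S_IWOTH: "world-writable",
    stat.S_IXOTH: "world-executable",
    stat.S_IWGRP: "group-writable",
}

def audit_tree(root):
    """Return {relative_path: [problems]} for regular files under root."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report on the link, not its target
            if not stat.S_ISREG(st.st_mode):
                continue
            problems = [label for bit, label in FORBIDDEN.items()
                        if st.st_mode & bit]
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings

def build_sample(root):
    """Constructed tree standing in for the bin and lib directories."""
    layout = {"bin/oracle": 0o750, "bin/sqlplus": 0o755,
              "lib/libcrypto_sample.so": 0o664}
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, problems in sorted(audit_tree(tmp).items()):
            print(f"{rel}: {', '.join(problems)}")
```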

Status Information for FIPS 140-1

Status information for Oracle Database is available after the connection has been established. The information is contained in the RDBMS virtual table V$SESSION_CONNECT_INFO.

Query SELECT * FROM V$SESSION_CONNECT_INFO to display the product banner information for the active connection. Table E-2 shows an example of a connection configuration where both DES encryption and MD5 data integrity are defined:

Table E-2 Sample Output from V$SESSION_CONNECT_INFO

SID  AUTHENTICATION  OSUSER  NETWORK_SERVICE_BANNER
7    DATABASE        oracle  Oracle Bequeath operating system adapter for Solaris, v8.1.6.0.0
7    DATABASE        oracle  l: encryption service for Solaris
7    DATABASE        oracle  DES encryption service adapter
7    DATABASE        oracle  crypto-checksumming service
7    DATABASE        oracle  MD5 crypto-checksumming service adapter


Physical Security of Computers Using FIPS 140-1

To comply with FIPS 140-1 Level 2 requirements, you must apply tamper-evident seals to the cover of each computer to ensure that the removal of the cover is detectable.