Oracle enables you to use the Oracle Database for the Federal Information Processing Standard (FIPS) standard for 140-2.
You can configure Oracle Database for the Federal Information Processing Standard (FIPS), for the current standard, 140-2. FIPS is a U.S. government standard that defines security requirements for cryptographic modules.
The FIPS 140-2 cryptographic libraries are designed to protect data at rest and in transit over the network.
Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and
DBMS_CRYPTO PL/SQL package.
To verify the current status of the certification, you can find information at the Computer Security Resource Center (CSRC) Web site address from the National Institute of Standards and Technology:
You can find information specific to FIPS by searching for
Validated FIPS 140 Cryptographic Modules. The security policy, which is available on this site upon successful certification, includes requirements for secure configuration of the host operating system.
DBMS_CRYPTOPL/SQL package program units to run in FIPS mode, set the
DBFIPS_140initialization parameter to
Table E-1 describes how the
DBFIPS_140 parameter affects various platforms.
Table E-1 How the DBFIPS_140 Initialization Parameter Affects Platforms
|Platform||Effect of Setting DBFIPS_140 to TRUE or FALSE|
Linux or Windows on Intel x86_64
Solaris 11.1+ on either SPARC T-series or Intel x86_64
Other operating systems or hardware
Be aware that setting
TRUE and thus using the underlying library in FIPS mode incurs a certain amount of overhead when the library is first loaded. This is due to the verification of the signature and the execution of the self tests on the library. Once the library is loaded, then there is no other impact on performance.
Oracle Database Reference for more information about the
DBFIPS_140 initialization parameter
You can configure the
SSLFIPS_140 parameter for Secure Sockets Layer.
You can configure the Secure Socket Layer (SSL) adapter to run in FIPS mode by setting the
SSLFIPS_140 parameter to
TRUE in the
fips.orafile is either located in the
/ldap/admindirectory, or is in a location pointed to by the
For example, to set
This parameter is set to
FALSE by default. You must set it to
TRUE on both the client and the server for FIPS mode operation.
When you set
TRUE, Secure Sockets Layer cryptographic operations take place in the embedded RSA/Micro Edition Suite (MES) library in FIPS mode. These cryptographic operations are accelerated by the CPU when hardware acceleration is available and properly configured in the host hardware and software.
If you set
FALSE, then Secure Sockets Layer cryptographic operations take place in the embedded RSA/Micro Edition Suite (MES) library in non-FIPS mode, and as with the
TRUE setting, the operations are accelerated if possible.
For native encryption, this behavior of cryptographic operations landing in RSA/Micro Edition Suite (MES) and being accelerated is similar to the above, except that it is determined by the
FIPS_140 setting in
sqlnet.ora (instead of the
SSL_FIPS140 setting in
SSLFIPS_140 parameter replaces the
SQLNET.SSLFIPS_140 parameter used in Oracle Database 10g Release 2 (10.2). You must set the parameter in the
fips.ora file, and not the
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes.
During an SSL handshake, for example, the two nodes negotiate to see as to which cipher suite they will use when transmitting messages back and forth.
Only the following cipher suites are approved for FIPS validation:
Oracle Database SSL cipher suites are automatically set to FIPS approved cipher suites. If you wish to configure specific cipher suites, you can do so by editing the
SSL_CIPHER_SUITES parameter in the
sqlnet.ora or the
You can also use Oracle Net Manager to set this parameter on the server and the client.
"Step 1C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional)" and "Step 2D: Set the Client Secure Sockets Layer Cipher Suites (Optional)" for more information on setting cipher suites.
After you configure the FIPS 140-2 settings, you must verify permissions in the operating system.
The permissions are as follows:
Set execute permissions on all Oracle executable files to prevent the execution of Oracle Cryptographic Libraries by users who are unauthorized to do so, in accordance with the system security policy.
Set read and write permissions on all Oracle executable files to prevent accidental or deliberate reading or modification of Oracle Cryptographic Libraries by any user.
To comply with FIPS 140-2 Level 2 requirements, in the security policy, include procedures to prevent unauthorized users from reading, modifying or executing Oracle Cryptographic Libraries processes and the memory they are using in the operating system.
To check if FIPS mode is enabled for SSL, you can enable tracing in the
sqlnet.ora file. You can find FIPS self-test messages in the trace file.
sqlnet.orato enable tracing:
trace_directory_server=trace_dir trace_file_server=trace_file trace_level_server=trace_level
trace_directory=/private/oracle/owm trace_file_server=fips_trace.trc trace_level_server=6
DBMS_CRYPTO, log into SQL*Plus and run the following command:
SHOW PARAMETER DBFIPS_140
Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests.