By default, FIPS 140 mode is disabled in Oracle Solaris. In this procedure, you create a new boot environment (BE) for FIPS 140 mode, then enable FIPS 140 and boot into the new BE. By giving you a backup BE, this method enables you to quickly recover from system panics that can result from FIPS 140 compliance tests.
For an overview of FIPS 140, see Using a FIPS 140 Enabled System in Oracle Solaris 11.2. See also the cryptoadm(1M) man page and Cryptographic Framework and FIPS 140.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
To see the current FIPS 140 mode status of each cryptographic provider, run cryptoadm list fips-140. On a system that has never had FIPS 140 mode enabled, every provider reports disabled:

% cryptoadm list fips-140
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS-140 mode is disabled.

Kernel software providers:
==========================
des: FIPS-140 mode is disabled.
aes: FIPS-140 mode is disabled.
ecc: FIPS-140 mode is disabled.
sha1: FIPS-140 mode is disabled.
sha2: FIPS-140 mode is disabled.
rsa: FIPS-140 mode is disabled.
swrand: FIPS-140 mode is disabled.

Kernel hardware providers:
==========================
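The listing above is easy to read by eye but awkward to check from a script, for example when verifying a fleet after the reboot that follows cryptoadm enable fips-140. The following POSIX sh helpers are an added example, not part of the Oracle Solaris documentation: they parse cryptoadm list fips-140 output on stdin, classify the overall state, and name any provider still reporting disabled. The two sample listings are constructed from the layout shown above, not captured from a live system; the "mixed" case is assumed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): summarize `cryptoadm list fips-140` output.

# Constructed sample in the layout shown above (all providers disabled).
SAMPLE_DISABLED='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS-140 mode is disabled.
Kernel software providers:
==========================
des: FIPS-140 mode is disabled.
aes: FIPS-140 mode is disabled.
ecc: FIPS-140 mode is disabled.
sha1: FIPS-140 mode is disabled.
sha2: FIPS-140 mode is disabled.
rsa: FIPS-140 mode is disabled.
swrand: FIPS-140 mode is disabled.
Kernel hardware providers:
=========================='

# Constructed (hypothetical) sample: FIPS 140 mode enabled, but one kernel
# provider still reports disabled, which is the case a post-reboot check must catch.
SAMPLE_MIXED='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS-140 mode is enabled.
Kernel software providers:
==========================
des: FIPS-140 mode is enabled.
aes: FIPS-140 mode is enabled.
swrand: FIPS-140 mode is disabled.
Kernel hardware providers:
=========================='

# fips_disabled_providers: read the listing on stdin and print the name of
# every provider whose line reports "FIPS-140 mode is disabled.", one per line.
fips_disabled_providers() {
    awk -F': ' '/FIPS-140 mode is disabled\.$/ { print $1 }'
}

# fips_state: read the listing on stdin and print exactly one word:
#   enabled   every provider line reports enabled
#   disabled  every provider line reports disabled
#   mixed     some of each (partial enablement; investigate before trusting it)
#   unknown   no provider lines at all (wrong command, or output format changed)
fips_state() {
    awk '
        /FIPS-140 mode is enabled\.$/  { on++ }
        /FIPS-140 mode is disabled\.$/ { off++ }
        END {
            if (on + off == 0)  print "unknown"
            else if (off == 0)  print "enabled"
            else if (on == 0)   print "disabled"
            else                print "mixed"
        }'
}

# fips_check: succeed only when every provider is enabled; otherwise report the
# state and the offending providers on stderr and fail. On a real system:
#     cryptoadm list fips-140 | fips_check
fips_check() {
    listing=$(cat)
    state=$(printf '%s\n' "$listing" | fips_state)
    if [ "$state" = "enabled" ]; then
        return 0
    fi
    echo "FIPS 140 state: $state" >&2
    printf '%s\n' "$listing" | fips_disabled_providers | sed 's/^/  still disabled: /' >&2
    return 1
}

# Run against the constructed samples; a live system pipes cryptoadm output in instead.
printf '%s\n' "$SAMPLE_DISABLED" | fips_state   # disabled
printf '%s\n' "$SAMPLE_MIXED" | fips_state      # mixed
```

The helpers key on the full "FIPS-140 mode is disabled." and "FIPS-140 mode is enabled." phrases rather than on provider names, so a provider that is absent from the list (for example an empty Kernel hardware providers section) is neither counted as enabled nor as disabled; an empty or unrecognised listing is reported as unknown instead of silently passing.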
Before you enable FIPS 140 mode, you must first create, activate, and boot a new BE by using the beadm command. A FIPS 140-enabled system runs compliance tests that can cause a panic if they fail. Therefore, it is important to have an available BE that you can boot to get your system up and running while you debug issues with the FIPS 140 boundary.
In this example, you create and activate a BE named S11.1-FIPS-140, reboot into it, and only then enable FIPS 140 mode.
# beadm create S11.1-FIPS-140
# beadm activate S11.1-FIPS-140
# cryptoadm enable fips-140
The new setting takes effect at the next boot, so reboot into the FIPS 140-enabled BE after running this command. For more information about the effects of FIPS 140 mode, see Using a FIPS 140 Enabled System in Oracle Solaris 11.2. See also the cryptoadm(1M) man page.
If the system panics or otherwise misbehaves in FIPS 140 mode, you have two ways to recover: reboot to the original BE, or disable FIPS 140 mode in the current BE.
To reboot to the original BE, activate it and reboot. In the Active column of beadm list, N marks the BE that is active now and R marks the BE that will be active on the next reboot, so after beadm activate S11.1 the original BE shows R while the FIPS BE is still the running one:

# beadm list
BE             Active Mountpoint Space   Policy Created
--             ------ ---------- -----   ------ -------
S11.1          -      -          48.22G  static 2012-10-10 10:10
S11.1-FIPS-140 NR     /          287.01M static 2012-11-18 18:18
# beadm activate S11.1
# beadm list
BE             Active Mountpoint Space   Policy Created
--             ------ ---------- -----   ------ -------
S11.1          R      -          48.22G  static 2012-10-10 10:10
S11.1-FIPS-140 N      /          287.01M static 2012-11-18 18:18
# reboot
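The whole point of the backup BE is that a fallback exists before you reboot into the FIPS 140-enabled environment, and that you know which BE the next reboot will land in. The following POSIX sh helpers are an added example, not part of the Oracle Solaris documentation: they read beadm list output on stdin, extract the BE that is active now (N) and the one that will be active on reboot (R), and fail if the reboot target would leave no other BE to fall back to. The two sample listings are copied from the listings above; the function names and the summary line format are this example's own.

```shell
#!/bin/sh
# Added example (not Oracle's code): read `beadm list` output and report which
# BE is active now (N), which is active on reboot (R), and what is left as a fallback.

# Constructed samples taken from the listings above: first as seen while running
# in the FIPS BE, then after `beadm activate S11.1`.
LIST_IN_FIPS_BE='BE             Active Mountpoint Space   Policy Created
--             ------ ---------- -----   ------ -------
S11.1          -      -          48.22G  static 2012-10-10 10:10
S11.1-FIPS-140 NR     /          287.01M static 2012-11-18 18:18'

LIST_AFTER_ACTIVATE='BE             Active Mountpoint Space   Policy Created
--             ------ ---------- -----   ------ -------
S11.1          R      -          48.22G  static 2012-10-10 10:10
S11.1-FIPS-140 N      /          287.01M static 2012-11-18 18:18'

# Each helper reads `beadm list` output on stdin. The first two lines are the
# header and the dashed rule; the Active column is field 2 and holds N (active
# now), R (active on reboot), NR (both) or - (neither).
be_active_now()       { awk 'NR > 2 && $2 ~ /N/  { print $1 }'; }
be_active_on_reboot() { awk 'NR > 2 && $2 ~ /R/  { print $1 }'; }
be_fallbacks()        { awk 'NR > 2 && $2 !~ /R/ { print $1 }'; }

# be_reboot_plan: print a one-line summary of what the next reboot will do and
# return 1 when the reboot target is the only BE (no fallback). On a real system:
#     beadm list | be_reboot_plan || echo "create a backup BE first"
be_reboot_plan() {
    listing=$(cat)
    now=$(printf '%s\n' "$listing" | be_active_now)
    next=$(printf '%s\n' "$listing" | be_active_on_reboot)
    fallback=$(printf '%s\n' "$listing" | be_fallbacks | tr '\n' ' ' | sed 's/ *$//')
    echo "active now: $now; active on reboot: $next; fallback BEs: ${fallback:-none}"
    [ -n "$fallback" ]
}

# Summarize the recovery step shown above (fallback is the FIPS BE itself).
printf '%s\n' "$LIST_AFTER_ACTIVATE" | be_reboot_plan
```

Run be_reboot_plan before the first reboot into the FIPS BE as well as before the recovery reboot: in the first case it should report the original BE as the fallback, and a non-zero exit means beadm create did not leave you a second BE to boot if the FIPS 140 compliance tests panic the system.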
To disable FIPS 140 mode in the current BE instead, run cryptoadm disable fips-140:
# cryptoadm disable fips-140
FIPS 140 mode remains in operation until the system is rebooted, so reboot to complete the change:
# reboot