FIPS 140 Algorithms and Kerberos Encryption Types

Language:

You can configure Kerberos to run in FIPS 140 mode in Oracle Solaris. If your realm contains legacy applications or systems that are not FIPS 140-compliant, then the realm cannot run in FIPS 140 mode.

When running in FIPS 140 mode, Kerberos is said to be a consumer of the FIPS 140 provider The provider in Oracle Solaris is the Cryptographic Framework. The only Kerberos encryption type that is FIPS 140-validated for the Cryptographic Framework is des3-cbc-sha1. It is not the default. For instructions, see How to Configure Kerberos to Run in FIPS 140 Mode.

Note - If you have a strict requirement to use only FIPS 140-2 validated cryptography, you must be running the Oracle Solaris 11.1 SRU 5.5 release or the Oracle Solaris 11.1 SRU 3 release. Oracle completed a FIPS 140-2 validation against the Cryptographic Framework in these two specific releases. Oracle Solaris 11.2 builds on this validated foundation and includes software improvements that address performance, functionality, and reliability. Whenever possible, you should configure Oracle Solaris 11.2 in FIPS 140-2 mode to take advantage of these improvements.