FIPS 140 Algorithms and Kerberos Encryption Types
You can configure Kerberos to run in FIPS 140 mode in Oracle Solaris. If your realm contains legacy applications or systems that are not FIPS 140-compliant, then the realm cannot run in FIPS 140 mode.

When running in FIPS 140 mode, Kerberos is said to be a consumer of the FIPS 140 provider. The provider in Oracle Solaris is the Cryptographic Framework.

The only Kerberos encryption type that is FIPS 140-validated for the Cryptographic Framework is des3-cbc-sha1. This encryption type is not the default. For instructions, see How to Configure Kerberos to Run in FIPS 140 Mode.

Note - If you have a strict requirement to use only FIPS 140-2 validated cryptography, you must be running the Oracle Solaris 11.1 SRU 5.5 release or the Oracle Solaris 11.1 SRU 3 release. Oracle completed a FIPS 140-2 validation against the Cryptographic Framework in these two specific releases. Oracle Solaris 11.2 builds on this validated foundation and includes software improvements that address performance, functionality, and reliability. Whenever possible, you should configure Oracle Solaris 11.2 in FIPS 140-2 mode to take advantage of these improvements.
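
Because des3-cbc-sha1 is not the default, a realm is only restricted to it when the encryption type settings say so explicitly. The following check is an added example, not Oracle's procedure or code: it assumes the MIT-style [libdefaults] keys default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes, treats des3-hmac-sha1 and des3-cbc-sha1-kd as aliases of des3-cbc-sha1, and runs on a constructed sample file.

```shell
#!/bin/sh
# Added example: flag krb5.conf enctype settings other than des3-cbc-sha1.
# Assumption: des3-hmac-sha1 and des3-cbc-sha1-kd name the same enctype.
audit_krb5_enctypes() {
    # $1 = path to krb5.conf; prints one finding per line, returns 1 if any
    awk '
    BEGIN {
        n = split("default_tgs_enctypes default_tkt_enctypes permitted_enctypes", keys, " ")
        ok["des3-cbc-sha1"] = ok["des3-hmac-sha1"] = ok["des3-cbc-sha1-kd"] = 1
    }
    { sub(/[#;].*/, "") }                       # strip comments
    /^[ \t]*\[/ { lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    lib && /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/,/, " ", val)
        for (i = 1; i <= n; i++) {
            if (keys[i] != key) continue
            seen[key] = 1
            m = split(val, types, " ")
            for (j = 1; j <= m; j++) {
                t = tolower(types[j])
                if (!(t in ok)) { print "NONFIPS " key ": " t; bad = 1 }
            }
        }
    }
    END {
        # des3-cbc-sha1 is not the default, so an unset key is also a finding
        for (i = 1; i <= n; i++)
            if (!(keys[i] in seen)) { print "UNSET " keys[i]; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample configuration (not from a real system)
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des3-cbc-sha1
    permitted_enctypes = des3-cbc-sha1 aes256-cts-hmac-sha1-96
EOF
audit_krb5_enctypes "$sample" || echo "realm config is not restricted to des3-cbc-sha1"
rm -f "$sample"
```

An empty result with exit status 0 means all three settings are present and list only des3-cbc-sha1 or its aliases.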