Using a FIPS 140 Enabled System in Oracle® Solaris 11.2


Updated: August 2014

Hardware Acceleration and FIPS 140 Performance

The SPARC T4 and SPARC T5 processors on the Oracle SPARC T-Series servers provide cryptographic acceleration in the hardware, as do Intel AES-NI processors. The Cryptographic Framework was awarded FIPS 140 certificates for its use on SPARC T4 and SPARC T5 processors. OpenSSL was tested on SPARC T3 and Intel AES-NI processors for its FIPS 140 validation, but its validated version does not include inline instructions to the hardware.

Note - The OpenSSL FIPS 140 module that ships with Oracle Solaris does not include hardware-accelerated cryptography. On an Intel system, OpenSSL makes use of assembly language optimizations for FIPS 140 cryptography.

For best performance, consumers of FIPS 140 providers should use hardware-accelerated cryptography where possible. Because the OpenSSL module in FIPS 140 mode does not include inline instructions to the hardware, you should configure the Apache Web Server to use the PKCS #11 library instead. SSH uses the OpenSSL built-in engine and cannot be so configured. For more information, see Cryptographic Optimizations in SPARC T-4 Systems in Managing Encryption and Certificates in Oracle Solaris 11.2. For an example, see Example of Enabling Two Applications in FIPS 140 Mode on an Oracle Solaris System.