Using a FIPS 140 Enabled System in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

Enabling FIPS 140 Consumers on an Oracle Solaris System

To run in FIPS 140 mode, you must configure applications on your FIPS 140-enabled system to use algorithms that the U.S. government has validated for FIPS 140 mode on Oracle Solaris. When FIPS 140 providers are enabled, some consumers use FIPS 140 algorithms by default, for example, the passwd command. Other consumers require configuration to use only FIPS 140 algorithms.

    As an administrator, you are responsible for choosing FIPS 140 algorithms that are validated for Oracle Solaris and avoiding invalid algorithms by keeping in mind the following FIPS 140 configuration issues:

  • The algorithm is part of FIPS 140 but not part of the FIPS 140 validation for Oracle Solaris, for example, two-key Triple DES.

  • The algorithm is part of FIPS 140 but the key length is shorter than FIPS 140 requires, for example, 1024-bit RSA. A key length that is too short for FIPS 140 mode is the default for some commands in Oracle Solaris, for example, pktool gencert and ikev2cert gencert.

  • The algorithm is part of the FIPS 140 certificate for Oracle Solaris but is not available to the consumer, for example, Elliptic-Curve Cryptography (ECC) over a Koblitz curve for IKEv2. IKEv2 supports ECC over primes.

  • The algorithm is not part of FIPS 140 but is available to consumers, for example, the MD4 symmetric key algorithm and weaker versions of other symmetric algorithms.

  • The algorithm is validated for FIPS 140 use on Oracle Solaris but other algorithms are available to consumers, so as the administrator you must specify FIPS 140 algorithms only. Many consumers fall in this category.

Note -  If the consumer uses a module that cannot use FIPS 140-validated algorithms (for example, Internet Key Exchange Protocol Version 1 (IKEv1)), you cannot run these consumers on a FIPS 140 system.