For an example of enabling the providers in FIPS 140 mode and enabling applications to use them, see Example of Enabling Two Applications in FIPS 140 Mode on an Oracle Solaris System.
To run the Cryptographic Framework in FIPS 140 mode, see How to Create a Boot Environment with FIPS 140 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.2.
To run OpenSSL in FIPS 140 mode, see OpenSSL Support in Oracle Solaris in Managing Encryption and Certificates in Oracle Solaris 11.2.
The Cryptographic Framework implements many cryptographic algorithms with varying key lengths. Each variant of an algorithm is called a mechanism. Not all mechanisms are validated for FIPS 140.
When running in FIPS 140 mode, the userland Cryptographic Framework does not enforce the use of FIPS 140-approved algorithms. This design choice enables you to apply your own security policy.
After enabling the providers in FIPS 140 mode, you must configure applications and programs to use FIPS 140 algorithms.
The cryptoadm and pktool commands list the algorithms that the Cryptographic Framework supports.
For a complete list of cryptographic mechanisms, use the cryptoadm list -vm command. See the cryptoadm(1M) man page.
For the list of curves for ECC algorithms, use the pktool gencert listcurves command. See the pktool(1) man page.
For the list of ECC curves that are FIPS 140-validated for Oracle Solaris, see FIPS 140 Algorithms in the Cryptographic Framework.
For a complete list of FIPS 140 algorithms that are validated for the Cryptographic Framework, review the Oracle Solaris security policies that are listed in FIPS 140-2 Level 1 Certificate References for Oracle Solaris Systems. The supported algorithms differ slightly between the kernel Cryptographic Framework and the userland Cryptographic Framework.
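Because the userland Cryptographic Framework does not enforce FIPS 140-approved algorithms, a site that applies its own policy needs its own check. The following added example (not from the Oracle documentation) reports mechanism names found in saved cryptoadm list -vm output that are missing from a site-maintained approved list. The function name, file names and sample data are assumptions, and the approved entries are placeholders to be replaced from the security policy.

```shell
#!/bin/sh
# Added example (not Oracle's code): list mechanisms that the framework
# offers but that are missing from a site-maintained approved list.

# unapproved_mechanisms LISTING APPROVED
#   LISTING   saved output of `cryptoadm list -vm`
#   APPROVED  one mechanism name per line; '#' starts a comment
# Prints each CKM_* name found in LISTING that is not in APPROVED, once.
unapproved_mechanisms() {
    awk '
        FILENAME == ARGV[1] {            # approved list (may be empty)
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") ok[$0] = 1
            next
        }
        {                                # listing: match on the CKM_ token only,
            for (i = 1; i <= NF; i++)    # so the column layout does not matter
                if ($i ~ /^CKM_[A-Z0-9_]+$/ && !($i in ok) && !seen[$i]++)
                    print $i
        }' "$2" "$1"
}

# Constructed sample data; on a live system use real files instead:
#   cryptoadm list -vm > listing.txt
demo_dir=$(mktemp -d)
cat > "$demo_dir/listing.txt" <<'EOF'
Provider: constructed-sample-provider
CKM_AES_CBC      16  32
CKM_MD5           0   0
CKM_SHA256        0   0
CKM_DES_CBC       8   8
CKM_MD5           0   0
EOF
cat > "$demo_dir/approved.txt" <<'EOF'
# Placeholder entries; copy the real list from the security policy.
CKM_AES_CBC
CKM_SHA256
EOF

unapproved_mechanisms "$demo_dir/listing.txt" "$demo_dir/approved.txt"
```

An empty approved list reports every mechanism rather than none, so a missing or blank policy file is visible in the result.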
When running in FIPS 140 mode, OpenSSL as a FIPS 140-2 provider enforces the use of FIPS 140-validated algorithms. Therefore, the SSH consumer is prevented from using algorithms that are not validated. The Apache Web Server uses the PKCS #11 engine, so the OpenSSL module does not enforce the server's use of FIPS 140 algorithms.
For background and examples, see the following:
openssl(5) man page