Using a FIPS 140 Enabled System in Oracle® Solaris 11.2


Updated: August 2014

How to Enable the FIPS 140 Providers in Oracle Solaris

For an example of enabling the providers in FIPS 140 mode and enabling applications to use them, see Example of Enabling Two Applications in FIPS 140 Mode on an Oracle Solaris System.

About the Cryptographic Framework in FIPS 140 Mode

The Cryptographic Framework implements many cryptographic algorithms with varying key lengths. Each variant of an algorithm is called a mechanism. Not all mechanisms are validated for FIPS 140.

When running in FIPS 140 mode, the userland Cryptographic Framework does not enforce the use of FIPS 140-approved algorithms. This design choice enables you to apply your own security policy.


Tip - To accommodate a legacy system, non-compliant applications, or problem resolution, you can leave all Cryptographic Framework algorithms enabled. For strict enforcement of FIPS 140 mode, you can disable non-FIPS 140 algorithms in the Cryptographic Framework. For an example, see the final steps in Example of Enabling Two Applications in FIPS 140 Mode on an Oracle Solaris System.

After enabling the providers in FIPS 140 mode, you must configure applications and programs to use FIPS 140 algorithms.

The cryptoadm and pktool commands list the algorithms that the Cryptographic Framework supports.

  • For a complete list of cryptographic mechanisms, use the cryptoadm list -vm command. See the cryptoadm(1M) man page.

  • For the list of curves for ECC algorithms, use the pktool gencert listcurves command. See the pktool(1) man page.

    For the list of ECC curves that are FIPS 140-validated for Oracle Solaris, see FIPS 140 Algorithms in the Cryptographic Framework.

  • For a complete list of FIPS 140 algorithms that are validated for the Cryptographic Framework, review the Oracle Solaris security policies that are listed in FIPS 140-2 Level 1 Certificate References for Oracle Solaris Systems. The supported algorithms differ slightly between the kernel Cryptographic Framework and the userland Cryptographic Framework.
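As an added example (not from the Oracle documentation), the POSIX shell script below shows the check a practitioner runs before the strict-enforcement step in the Tip above: it compares a provider's mechanism names, in the CKM_* form that cryptoadm list -vm reports, against an allow-list of validated mechanisms and prints the cryptoadm disable command for the remainder. The mechanism sample, the allow-list and the provider path are constructed assumptions; take the authoritative list of validated mechanisms from the security policy referenced above.

```shell
#!/bin/sh
# Constructed sample of one provider's mechanism names, one per line, in the
# CKM_* form that cryptoadm list -vm reports (a live run would feed the real
# output instead). Assumption: only these mechanisms exist on the provider.
SAMPLE_MECHS='CKM_AES_CBC
CKM_AES_GCM
CKM_SHA256
CKM_SHA256_HMAC
CKM_RSA_PKCS
CKM_MD5
CKM_RC4
CKM_DES_CBC'

# Allow-list standing in for the FIPS 140-validated mechanisms from the Oracle
# Solaris security policy. Illustrative assumption, not the authoritative list.
FIPS_ALLOW='CKM_AES_CBC CKM_AES_GCM CKM_SHA256 CKM_SHA256_HMAC CKM_RSA_PKCS'

# Read mechanism names on stdin; print those not on the allow-list, one per line.
non_fips_mechs() {
    while IFS= read -r mech; do
        [ -z "$mech" ] && continue
        case " $FIPS_ALLOW " in
            *" $mech "*) ;;                 # validated: leave enabled
            *) printf '%s\n' "$mech" ;;     # not validated: candidate to disable
        esac
    done
}

# Build the cryptoadm command that disables every non-validated mechanism on
# one provider. $1 is the provider path, $2 the newline-separated mechanism
# list. The command is printed, not run, so the list can be reviewed first.
# Returns 1 when nothing needs disabling.
disable_command() {
    provider=$1
    list=''
    for mech in $(printf '%s\n' "$2" | non_fips_mechs); do
        list="${list:+$list,}$mech"      # cryptoadm takes a comma-separated list
    done
    [ -n "$list" ] || return 1
    printf 'cryptoadm disable provider=%s mechanism=%s\n' "$provider" "$list"
}

# Provider path as the userland softtoken appears on Oracle Solaris (assumed).
disable_command '/usr/lib/security/$ISA/pkcs11_softtoken.so' "$SAMPLE_MECHS"
```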

About OpenSSL in FIPS 140 Mode in Oracle Solaris

When running in FIPS 140 mode, OpenSSL as a FIPS 140-2 provider enforces the use of FIPS 140-validated algorithms. Therefore, the SSH consumer is prevented from using algorithms that are not validated. The Apache Web Server uses the PKCS #11 engine, so the OpenSSL module does not enforce the server's use of FIPS 140 algorithms.


Note - For an example of configuring OpenSSL in FIPS 140 mode, see Example of Enabling Two Applications in FIPS 140 Mode on an Oracle Solaris System.