Using a FIPS 140 Enabled System in Oracle® Solaris 11.2


Updated: August 2014

Introduction to FIPS 140-2 Level 1 Cryptography in Oracle Solaris

In December 2013, the U.S. National Institute of Standards and Technology (NIST) issued four certificates that validate the Cryptographic Framework feature of Oracle Solaris to the FIPS 140-2 Level 1 standard. The Oracle Solaris certificates are numbered 2060, 2061, 2076, and 2077, and are based on the Oracle Solaris 11.1 SRU 3 and SRU 5.5 releases. The Oracle Solaris 11.2 release in FIPS 140 mode uses the same algorithms.

The OpenSSL module that runs on Oracle Solaris 11.2 was validated for FIPS 140-2 in November 2013 and issued certificate 1747. Any application that uses OpenSSL for its cryptography can use this validated module. For links to the certificates, see FIPS 140-2 Level 1 Certificate References for Oracle Solaris Systems. For the Oracle Solaris 11.1 releases, the OpenSSL FIPS 140 module is private. The only application that can take advantage of it is the Solaris version of Secure Shell (SSH).

FIPS 140, a U.S. Federal Information Processing Standard, is a requirement for many regulated industries and U.S. government agencies that process sensitive but unclassified information. The aim of FIPS 140 is to provide a degree of assurance that the system has implemented the cryptography correctly. Providing FIPS 140-2 Level 1 cryptography on a computer system is called “running in FIPS 140 mode”.

A system that is running in FIPS 140 mode has enabled at least one provider of FIPS 140 cryptography. Applications fall into three groups. Some use FIPS 140 cryptography automatically, for example, the passwd command. Others must be enabled in FIPS 140 mode, for example, SSH. Still others run in FIPS 140 mode when their provider is enabled and the application uses FIPS 140 cryptography only, for example, Kerberos, IPsec, and the Apache Web Server.