Using a FIPS 140 Enabled System in Oracle® Solaris 11.2


Updated: August 2014

Enabling FIPS 140 Providers on an Oracle Solaris System

    Oracle Solaris systems offer two providers of cryptographic algorithms that are validated for FIPS 140-2 Level 1.

  • The Cryptographic Framework feature of Oracle Solaris is the central cryptographic store on an Oracle Solaris system and provides two FIPS 140 modules. The userland module supplies cryptography for applications that run in user space and the kernel module provides cryptography for kernel-level processes.

    These library modules provide encryption, decryption, hashing, signature generation and verification, certificate generation and verification, and message authentication functions for applications. User-level applications that call into the userland module, for example the passwd command and IKEv2, run in FIPS 140 mode. Kernel-level consumers, for example Kerberos and IPsec, use proprietary APIs to call into the kernel Cryptographic Framework.

  • The OpenSSL object module provides cryptography for SSH and web applications.

    OpenSSL is the Open Source toolkit for the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, and provides a cryptography library. In Oracle Solaris, SSH and the Apache Web Server are consumers of the OpenSSL FIPS 140 module.

    Oracle Solaris 11.2 ships a FIPS 140 version of OpenSSL that is available to all consumers; the version shipped with Oracle Solaris 11.1 is available to Solaris SSH only.

Because FIPS 140-2 provider modules are CPU intensive, they are not enabled by default. As the administrator, you are responsible for enabling the providers in FIPS 140 mode and configuring consumers.
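Because the providers are off by default, a practical check before starting a FIPS-dependent consumer is to confirm that the Cryptographic Framework actually reports FIPS 140 mode as enabled. The following script is an added example and is not part of the Oracle Solaris documentation. The `cryptoadm list fips-140` subcommand is documented in cryptoadm(1M); the sample listing embedded below is constructed for illustration and only approximates the real output format, so the pattern matched by `fips_listing_ok` is an assumption to be checked against the output of your own system.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): report whether the
# Cryptographic Framework providers are running in FIPS 140 mode.
# "cryptoadm list fips-140" is a real cryptoadm(1M) subcommand; the listing
# below is a constructed sample that approximates its output format.

SAMPLE_LISTING='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS-140 mode is disabled.

Kernel software providers:
==========================
aes: FIPS-140 mode is disabled.'

# Inspect a listing and succeed (exit 0) only when at least one provider line
# reports FIPS-140 mode enabled and no provider line reports it disabled.
# Assumed line pattern: "<provider>: FIPS-140 mode is enabled|disabled."
fips_listing_ok() {
    listing="$1"
    disabled=$(printf '%s\n' "$listing" | grep -c 'FIPS-140 mode is disabled' || true)
    enabled=$(printf '%s\n' "$listing" | grep -c 'FIPS-140 mode is enabled' || true)
    [ "$disabled" -eq 0 ] && [ "$enabled" -gt 0 ]
}

# Live check on an Oracle Solaris system; when cryptoadm is not present
# (any other OS), fall back to the constructed sample so the script still runs.
fips_status() {
    if command -v cryptoadm >/dev/null 2>&1; then
        listing=$(cryptoadm list fips-140 2>/dev/null || true)
    else
        listing="$SAMPLE_LISTING"
    fi
    if fips_listing_ok "$listing"; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Usage: run the script; a consumer wrapper can refuse to start on "disabled".
fips_status
```

The check is deliberately strict: a listing in which some providers are enabled and others disabled is reported as disabled, because a consumer cannot tell in advance which provider the framework will select for a given algorithm.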


Note - In this article, FIPS 140-validated means that you are running in FIPS 140 mode on an Oracle Solaris release that is validated by NIST. FIPS 140-approved means that the algorithms you are using are the same as the algorithms in the FIPS 140 version, but might not be validated in the Oracle Solaris release you are running.