
Managing Encryption and Certificates in Oracle® Solaris 11.4


Updated: May 2021

Enabling FIPS 140-2 Mode in Oracle Solaris

By default, FIPS 140-2 mode is disabled in Oracle Solaris. In this procedure, you create a boot environment (BE) for FIPS 140-2 mode, then activate and boot the new BE.

How to Create a Boot Environment With FIPS 140-2 Enabled

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Determine whether the system is in FIPS 140-2 mode.
    $ cryptoadm list fips-140
    User-level providers:
    =====================
    /usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is disabled.
    
    Kernel providers:
    =================
    des: FIPS 140 mode is disabled.
    aes: FIPS 140 mode is disabled.
    ecc: FIPS 140 mode is disabled.
    sha1: FIPS 140 mode is disabled.
    sha2: FIPS 140 mode is disabled.
    sha3: FIPS 140 mode is disabled.
    rsa: FIPS 140 mode is disabled.
    swrand: FIPS 140 mode is disabled.
  2. Enable FIPS 140-2 mode.

    This command creates a BE in FIPS 140-2 mode. If the fips-140 package is not yet loaded, this command also loads the package.

    # cryptoadm enable fips-140
  3. (Optional) List the BEs.
    $ beadm list
    BE                  Flags  Mountpoint Space   Policy Created
    --                  ------ ---------- ------  ------ ----------------
    S114Jan             -      -          48.22G  static 2018-01-10 10:10
    S114Jan-1           NR     /         287.01M  static 2018-01-20 10:10

    Caution  -  A FIPS 140-2 enabled system runs compliance tests that can cause a panic if they fail. Therefore, retain the original BE.


  4. Activate the FIPS 140-2 BE and reboot.
    # beadm activate S114Jan-1
    # reboot

    You are now running in FIPS 140-2 mode.


    Note -  FIPS 140-2 mode does not disable the non-FIPS 140-2 approved algorithms in the user-level pkcs11_softtoken library or in the kernel software providers. Consumers of the framework are responsible for using only FIPS 140-2 approved algorithms. For more information, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4 and the cryptoadm(8) man page.
  5. (Optional) To run without FIPS 140-2 enabled, boot a non-FIPS 140-2 BE.

    In this example, you reboot to the original BE.

    $ beadm list
    BE                  Flags  Mountpoint Space     Policy Created
    --                  ------ ---------- --------  ------ -----------------
    S114Jan             -      -           48.22G   static 2018-01-10 10:10
    S114Jan-1           NR     /          287.01M   static 2018-01-20 10:10
    # beadm activate S114Jan
    # beadm list
    BE                  Flags  Mountpoint Space     Policy Created
    --                  ------ ---------- --------  ------ -----------------
    S114Jan             R      -           48.22G   static 2018-01-10 10:10
    S114Jan-1           N      /          287.01M   static 2018-01-20 10:10
    # reboot
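As an added example (not part of the Oracle Solaris documentation), the following POSIX shell script parses the cryptoadm list fips-140 and beadm list output formats shown in this procedure. It gives an administrator two checks: after the reboot in step 4, that every listed provider reports FIPS 140 mode enabled, and before that reboot, that a fallback BE other than the one marked for next boot is still present, as the Caution in step 3 requires. The function names and the sample listings are constructed for this example; on a live system, pipe the real command output into the functions.

```sh
#!/bin/sh
# Added example, not part of the Oracle Solaris documentation. The function
# names and the sample outputs are constructed here; the output format follows
# the cryptoadm(8) and beadm(8) listings shown in the procedure above.
# Live use: cryptoadm list fips-140 | fips_disabled_providers

# Constructed sample: a system where two providers are still out of FIPS mode.
SAMPLE_CRYPTOADM='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is disabled.

Kernel providers:
=================
des: FIPS 140 mode is enabled.
aes: FIPS 140 mode is enabled.
sha2: FIPS 140 mode is disabled.'

# Constructed sample: beadm list after "beadm activate S114Jan" in step 5.
SAMPLE_BEADM='BE                  Flags  Mountpoint Space     Policy Created
--                  ------ ---------- --------  ------ -----------------
S114Jan             R      -           48.22G   static 2018-01-10 10:10
S114Jan-1           N      /          287.01M   static 2018-01-20 10:10'

# Print every provider whose line reads "...: FIPS 140 mode is disabled.",
# one name per line. Reads cryptoadm list fips-140 output on stdin.
fips_disabled_providers() {
    awk -F': ' '/FIPS 140 mode is disabled/ { print $1 }'
}

# Print how many providers are out of FIPS 140 mode (0 when all are enabled).
fips_disabled_count() {
    awk '/FIPS 140 mode is disabled/ { n++ } END { print n + 0 }'
}

# Exit 0 only if every listed provider reports FIPS 140 mode enabled; this is
# the post-reboot check for "You are now running in FIPS 140-2 mode" (step 4).
fips_all_enabled() {
    [ "$(fips_disabled_count)" -eq 0 ]
}

# Print the BE that will be booted next (Flags contains R) from beadm list
# output on stdin; the header and separator lines are skipped.
be_next_boot() {
    awk 'NR > 2 && $2 ~ /R/ { print $1 }'
}

# Print the currently booted BE (Flags contains N).
be_current() {
    awk 'NR > 2 && $2 ~ /N/ { print $1 }'
}

# Pre-reboot check for the Caution in step 3: exit 0 if at least one BE other
# than the one marked for next boot still exists, so the system can be brought
# back with "beadm activate <other BE>" if the FIPS self-tests panic at boot.
# Argument: beadm list output as a single string.
rollback_be_available() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 !~ /R/ { n++ }
                              END { if (n > 0) exit 0; exit 1 }'
}

# Demonstration on the constructed samples.
fips_demo() {
    echo "Providers not in FIPS 140 mode:"
    printf '%s\n' "$SAMPLE_CRYPTOADM" | fips_disabled_providers
    if printf '%s\n' "$SAMPLE_CRYPTOADM" | fips_all_enabled; then
        echo "All providers report FIPS 140 mode enabled."
    else
        echo "System is NOT fully in FIPS 140-2 mode."
    fi
    echo "Current BE:   $(printf '%s\n' "$SAMPLE_BEADM" | be_current)"
    echo "Next boot BE: $(printf '%s\n' "$SAMPLE_BEADM" | be_next_boot)"
    if rollback_be_available "$SAMPLE_BEADM"; then
        echo "A fallback BE is present; safe to reboot."
    else
        echo "No fallback BE: retain the original BE before rebooting."
    fi
}

fips_demo
```

The provider check is deliberately a whole-list check rather than a grep for the word "enabled": a single provider left out of FIPS mode is what an auditor will flag, so the function only passes when the disabled count is zero. The BE check counts any BE without the R flag, so it also passes in the step 3 situation where the new BE carries both N and R and the original BE is simply listed alongside it.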