Using a FIPS 140-2 Enabled System in Oracle® Solaris 11.4

Updated: May 2019
 
 

Enabling FIPS 140-2 Providers on an Oracle Solaris System

Because FIPS 140-2 provider modules are CPU intensive, they are not enabled by default. As the administrator, you are responsible for enabling the providers in FIPS 140-2 mode and configuring consumers.

The Oracle Solaris OS offers two providers of cryptographic algorithms that are validated for FIPS 140-2 Level 1:

  • The Cryptographic Framework feature of Oracle Solaris is the central cryptographic store on an Oracle Solaris system and provides two FIPS 140-2 modules. The userland module supplies cryptography for applications that run in user space and the kernel module provides cryptography for kernel-level processes. Both modules can leverage the algorithm acceleration from SPARC and x86 processors when available.

    • The Oracle Solaris Userland Cryptographic Framework module provides cryptography for any application that calls into it. The module provides encryption, decryption, hashing, secure random number generation, signature generation and verification, certificate generation and verification, message authentication functions, and key pair generation for RSA and DSA. User-level applications that call into the userland Cryptographic Framework run in FIPS 140-2 mode, for example, the passwd command and IKEv2.

    • The Oracle Solaris Kernel Cryptographic Framework module provides cryptography for kernel-level processes. The module provides encryption, decryption, hashing, secure random number generation, signature generation and verification, and message authentication functions. Kernel-level consumers, for example, IPsec, use proprietary APIs to call into the kernel Cryptographic Framework.

  • The OpenSSL object module provides cryptography for all consumers whose code supports FIPS 140-2. After the FIPS 140-2 version of OpenSSL is enabled in your BE, OpenSSL runs in FIPS 140-2 mode and its consumers must use FIPS 140-2 cryptography. For how to enable the FIPS 140-2 version of OpenSSL, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.4 System.

    OpenSSL is the Open Source toolkit for the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, and provides a cryptography library.

How to Enable the FIPS 140-2 Providers in Oracle Solaris

For an example of enabling the providers in FIPS 140-2 mode and enabling applications to use them, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.4 System.

About the Cryptographic Framework in FIPS 140-2 Mode

The Cryptographic Framework implements many cryptographic algorithms with varying key lengths. Each variant of an algorithm is called a mechanism. Not all mechanisms are validated for FIPS 140-2.

When running in FIPS 140-2 mode, the userland Cryptographic Framework does not enforce the use of FIPS 140-2 validated algorithms. This design choice enables you to apply your own security policy.


Tip - To accommodate a legacy system, non-compliant applications, or problem resolution, you can leave all Cryptographic Framework algorithms enabled. For strict enforcement of FIPS 140-2 mode, you should disable non-FIPS 140-2 algorithms in the Cryptographic Framework. For an example, see the final steps in Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.4 System.

After enabling the providers in FIPS 140-2 mode, you must configure applications and programs to use FIPS 140-2 algorithms.

The cryptoadm and pktool commands list the algorithms that the Cryptographic Framework supports.

  • To display a complete list of cryptographic mechanisms, use the cryptoadm list -vm command. See the cryptoadm(8) man page.

  • To display the list of curves for ECC algorithms, use the pktool gencert listcurves command. See the pktool(1) man page.

    For information about the ECC curves that are FIPS 140-2 validated for Oracle Solaris, see FIPS 140-2 Algorithms in the Cryptographic Framework.
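Because the userland Cryptographic Framework does not enforce FIPS 140-2 algorithms on its own, a site that wants strict enforcement needs to know which enabled mechanisms fall outside its approved list. The following script is an added example, not part of the Oracle documentation: it compares a saved mechanism listing against an allowlist. The function names, the sample listing, and the allowlist contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag mechanisms in a saved listing that are not on a
# site-maintained allowlist of FIPS 140-2 validated mechanisms.

# Constructed, simplified stand-in for saved `cryptoadm list -vm` output
# (per-mechanism columns omitted).
sample_listing() {
cat <<'EOF'
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_AES_CBC
CKM_MD5
CKM_SHA256
CKM_RC4
CKM_DES_CBC
EOF
}

# Constructed allowlist (assumption). Build the real one from
# "FIPS 140-2 Algorithms in the Cryptographic Framework".
sample_allowlist() {
cat <<'EOF'
CKM_AES_CBC
CKM_SHA256
EOF
}

# non_fips_mechs LISTING ALLOWLIST
# Prints, sorted and de-duplicated, every CKM_* name found in LISTING
# that has no exact match in ALLOWLIST (one name per line).
non_fips_mechs() {
    awk -F'[ \t,]+' '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^CKM_[A-Z0-9_]+$/) print $i
    }' "$1" | sort -u | grep -vxFf "$2" || true
}

# Demo on the constructed data.
tmp=$(mktemp -d)
sample_listing   > "$tmp/listing"
sample_allowlist > "$tmp/allow"
echo "Enabled but not on the allowlist:"
non_fips_mechs "$tmp/listing" "$tmp/allow"
rm -rf "$tmp"
```

The names it prints are the candidates to review before disabling non-FIPS 140-2 algorithms as described in the tip above.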

About OpenSSL in FIPS 140-2 Mode in Oracle Solaris

Oracle Solaris 11.4 ships with FIPS 140-2 capable OpenSSL libraries that statically link to the Oracle OpenSSL FIPS Object Module (FOM). Oracle OpenSSL FOM 1.0 is based on the OpenSSL FOM 2.0.13 with the following added features:

  • Default FIPS 140-2 mode, which satisfies the FIPS 140-2 Implementation Guidance (I.G.) 9.10 requirement

  • FIPS 186-4 RSA key generation

  • SPARC hardware acceleration: montmul, AES, DES, SHA

  • Intel AES NI GCM hardware acceleration

For more information, see Oracle OpenSSL FIPS Object Module (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3335).

When running in FIPS 140-2 mode, OpenSSL enforces the use of FIPS 140-2 validated algorithms. Therefore, applications that use OpenSSL in FIPS 140-2 mode cannot access algorithms that are not FIPS 140-2 validated.

Hardware Acceleration and FIPS 140-2 Performance

For best performance, consumers of FIPS 140-2 providers should use hardware-accelerated cryptography where possible. The Cryptographic Framework runs with hardware acceleration in FIPS 140-2 mode on the systems listed in Oracle Solaris System Hardware Validated for FIPS 140-2.

For more information, see SPARC Acceleration of Optimized Cryptographic Functions in Managing Encryption and Certificates in Oracle Solaris 11.4. For an example, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.4 System.