
Managing Encryption and Certificates in Oracle® Solaris 11.3


Updated: December 2018

Creating a Boot Environment With FIPS 140-2 Enabled

By default, FIPS 140-2 mode is disabled in Oracle Solaris. In this procedure, you create a new boot environment (BE) for FIPS 140-2 mode, then enable FIPS 140-2 and boot into the new BE.


Caution - A FIPS 140-2 enabled system runs compliance tests that can cause a panic if they fail. Therefore, you need a BE to boot into while you debug issues with the FIPS 140-2 boundary.


For an overview of FIPS 140-2, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3. See also Cryptographic Sources and FIPS 140-2 and the cryptoadm(1M) man page.

How to Create a Boot Environment With FIPS 140-2 Enabled

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Determine whether the system is in FIPS 140-2 mode.
    $ cryptoadm list fips-140
    User-level providers:
    =====================
    /usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is disabled.
    
    Kernel software providers:
    ==========================
    des: FIPS 140 mode is disabled.
    aes: FIPS 140 mode is disabled.
    ecc: FIPS 140 mode is disabled.
    sha1: FIPS 140 mode is disabled.
    sha2: FIPS 140 mode is disabled.
    rsa: FIPS 140 mode is disabled.
    swrand: FIPS 140 mode is disabled.
    
    Kernel hardware providers:
    =========================
  2. Create a new BE for your FIPS 140-2 version of the Cryptographic Framework.

    Before you enable FIPS 140-2 mode, you must first create, activate, and boot a new BE by using the beadm command.

    1. Create a BE based on your current BE.

      In this example, you create a BE named S11.3-FIPS-140.

      # beadm create S11.3-FIPS-140
    2. Activate that BE.
      # beadm activate S11.3-FIPS-140
    3. Reboot the system.
    4. Enable FIPS 140-2 mode in the new BE.

      If the fips-140 package is not yet loaded, this command also loads the package.

      # cryptoadm enable fips-140

      Note - This subcommand does not disable the algorithms that are not FIPS 140-2 approved in the user-level pkcs11_softtoken library and the kernel software providers. The consumers of the framework are responsible for using only FIPS 140-2 approved algorithms.

      For more information about the effects of FIPS 140-2 mode, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3 and the cryptoadm(1M) man page.


  3. (Optional) To run without FIPS 140-2 enabled, disable FIPS 140-2 mode.

    You can reboot the original BE or disable FIPS 140-2 in the current BE.

    • Boot the original BE.
      $ beadm list
      BE               Active Mountpoint Space   Policy Created
      --               ------ ---------- -----   ------ -------
      S11.3            -      -          48.22G   static 2012-10-10 10:10
      S11.3-FIPS-140   NR     /          287.01M  static 2012-11-18 18:18
      # beadm activate S11.3
      # beadm list
      BE               Active Mountpoint Space   Policy Created
      --               ------ ---------- -----   ------ -------
      S11.3            R      -          48.22G   static 2012-10-10 10:10
      S11.3-FIPS-140   N      /          287.01M  static 2012-11-18 18:18
      # reboot
    • Disable FIPS 140-2 mode in the current BE and reboot.
      # cryptoadm disable fips-140

      Note - FIPS 140-2 mode remains in operation until the system is rebooted.
      # reboot
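A post-reboot check, added here as an example and not part of the Oracle manual: it parses cryptoadm and beadm output to confirm that the system is booted from the intended BE and that every listed provider is in FIPS 140 mode, instead of assuming the enable took effect. The function names, the sample listings and the verify_fips_be wrapper are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: after booting the new BE, confirm
# from cryptoadm and beadm output that FIPS 140-2 mode is really in effect.

# fips_status: reads `cryptoadm list fips-140` output on stdin; returns 0 only
# if at least one provider is listed and none still reports "disabled".
fips_status() {
    awk '
        /FIPS 140 mode is enabled/  { enabled++; next }
        /FIPS 140 mode is disabled/ { disabled++; sub(/:$/, "", $1); print "not FIPS: " $1 }
        END {
            printf "providers enabled=%d disabled=%d\n", enabled, disabled
            if (disabled == 0 && enabled > 0) exit 0
            exit 1
        }'
}

# booted_be: reads `beadm list` output on stdin and prints the BE whose Active
# column contains N, i.e. the BE the system is running from now.
booted_be() {
    awk '$2 ~ /^[NR]+$/ && index($2, "N") { print $1; exit }'
}

# Constructed samples (not captured from a real host). MIXED is a state the
# check must reject: the user-level token is in FIPS mode but a kernel provider
# is not. ALL_ON is what a correctly enabled BE should report.
CRYPTOADM_MIXED='User-level providers:
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is enabled.
Kernel software providers:
aes: FIPS 140 mode is disabled.
sha2: FIPS 140 mode is enabled.'
CRYPTOADM_ALL_ON='User-level providers:
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is enabled.
Kernel software providers:
aes: FIPS 140 mode is enabled.
sha2: FIPS 140 mode is enabled.'
BEADM_SAMPLE='BE               Active Mountpoint Space   Policy Created
--               ------ ---------- -----   ------ -------
S11.3            -      -          48.22G   static 2012-10-10 10:10
S11.3-FIPS-140   NR     /          287.01M  static 2012-11-18 18:18'

# verify_fips_be WANTED: on a Solaris host, run the real commands and return 0
# only if the booted BE is WANTED and every provider is in FIPS 140 mode.
verify_fips_be() {
    [ "$(beadm list | booted_be)" = "$1" ] || { echo "not booted from $1" >&2; return 1; }
    cryptoadm list fips-140 | fips_status
}
```

Run `verify_fips_be S11.3-FIPS-140` on the host after the reboot; a non-zero exit names the providers that are still outside FIPS 140 mode.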