By default, FIPS 140-2 mode is disabled in Oracle Solaris. In this procedure, you create a new boot environment (BE) for FIPS 140-2 mode, then enable FIPS 140-2 and boot into the new BE.
Caution - A FIPS 140-2 enabled system runs compliance tests that can cause a panic if they fail. Therefore, you need a BE to boot into while you debug issues with the FIPS 140-2 boundary.
For an overview of FIPS 140-2, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3. See also Cryptographic Sources and FIPS 140-2 and the cryptoadm(1M) man page.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Determine whether FIPS 140-2 mode is currently enabled. On a default system, every provider reports that the mode is disabled:
$ cryptoadm list fips-140
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is disabled.

Kernel software providers:
==========================
des: FIPS 140 mode is disabled.
aes: FIPS 140 mode is disabled.
ecc: FIPS 140 mode is disabled.
sha1: FIPS 140 mode is disabled.
sha2: FIPS 140 mode is disabled.
rsa: FIPS 140 mode is disabled.
swrand: FIPS 140 mode is disabled.

Kernel hardware providers:
==========================
Before you enable FIPS 140-2 mode, you must first create, activate, and boot a new BE by using the beadm command.
In this example, you create a BE named S11.3-FIPS-140.
# beadm create S11.3-FIPS-140
# beadm activate S11.3-FIPS-140
Enable FIPS 140-2 mode in the new BE. If the fips-140 package is not yet loaded, this command also loads the package.
# cryptoadm enable fips-140
For more information about the effects of FIPS 140-2 mode, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3 and the cryptoadm(1M) man page.
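The cryptoadm list fips-140 output shown above is the state to verify both before enabling FIPS 140-2 mode and after booting the new BE. The following POSIX shell script is an added example, not part of the Oracle Solaris documentation: it parses that output format and reports how many providers are in FIPS 140 mode, so that a mixed result (some providers still disabled after the reboot) is caught before the system is treated as compliant. The sample outputs in the script are constructed from the format on this page, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris documentation: parse the
# text printed by 'cryptoadm list fips-140' and summarize how many listed
# providers are in FIPS 140 mode. Run it before enabling to confirm the
# starting state and after the reboot to confirm every provider switched.
# The two samples below are constructed from the output format shown on
# the page; they are not captured from a real system.

SAMPLE_DISABLED='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is disabled.

Kernel software providers:
==========================
des: FIPS 140 mode is disabled.
aes: FIPS 140 mode is disabled.
ecc: FIPS 140 mode is disabled.
sha1: FIPS 140 mode is disabled.
sha2: FIPS 140 mode is disabled.
rsa: FIPS 140 mode is disabled.
swrand: FIPS 140 mode is disabled.

Kernel hardware providers:
=========================='

# Constructed "after enabling" state: same providers, all reporting enabled.
SAMPLE_ENABLED=$(printf '%s\n' "$SAMPLE_DISABLED" | sed 's/is disabled\./is enabled./')

# count_state STATE: read cryptoadm output on stdin and print how many
# provider lines report "FIPS 140 mode is STATE." (prints 0 instead of
# failing when there are none, so callers can use it under set -e).
count_state() {
    grep -c "FIPS 140 mode is $1\." || true
}

# fips_summary: read cryptoadm output on stdin and print one line,
# "enabled=N disabled=M", suitable for a change record or a log line.
fips_summary() {
    out=$(cat)
    enabled=$(printf '%s\n' "$out" | count_state enabled)
    disabled=$(printf '%s\n' "$out" | count_state disabled)
    printf 'enabled=%s disabled=%s\n' "$enabled" "$disabled"
}

# fips_all_enabled: read cryptoadm output on stdin; succeed only when at
# least one provider is listed and none of them reports disabled. Empty
# output (no providers at all) is treated as a failure, not as compliance.
fips_all_enabled() {
    summary=$(fips_summary)
    enabled=${summary#enabled=}
    enabled=${enabled%% *}
    disabled=${summary##*disabled=}
    [ "$enabled" -gt 0 ] && [ "$disabled" -eq 0 ]
}

# On a Solaris host, check the live state; elsewhere show the constructed
# samples so the script can be read and run anywhere.
if command -v cryptoadm >/dev/null 2>&1; then
    cryptoadm list fips-140 | fips_summary
else
    printf 'before: '; printf '%s\n' "$SAMPLE_DISABLED" | fips_summary
    printf 'after:  '; printf '%s\n' "$SAMPLE_ENABLED"  | fips_summary
fi
```

After booting the FIPS BE, `cryptoadm list fips-140 | fips_all_enabled || echo "FIPS boundary incomplete"` gives a single pass/fail check; the summary form is the one to keep in the change record alongside the beadm list output.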
To return to a system that is not in FIPS 140-2 mode, you can either boot the original BE or disable FIPS 140-2 in the current BE.
To boot the original BE, activate it and reboot. In the beadm list output, N marks the BE that is booted now and R marks the BE that will be active after the next reboot:
$ beadm list
BE              Active Mountpoint Space   Policy Created
--              ------ ---------- -----   ------ -------
S11.3           -      -          48.22G  static 2012-10-10 10:10
S11.3-FIPS-140  NR     /          287.01M static 2012-11-18 18:18
# beadm activate S11.3
# beadm list
BE              Active Mountpoint Space   Policy Created
--              ------ ---------- -----   ------ -------
S11.3           R      -          48.22G  static 2012-10-10 10:10
S11.3-FIPS-140  N      /          287.01M static 2012-11-18 18:18
# reboot
To disable FIPS 140-2 mode in the current BE instead, run the following commands:
# cryptoadm disable fips-140
# reboot