Using a FIPS 140-2 Enabled System in Oracle® Solaris 11.3

Updated: October 2019

Introduction to FIPS 140-2 Level 1 Cryptography in Oracle Solaris

In August 2016, the U.S. National Institute of Standards and Technology (NIST) issued two certificates that validate the Cryptographic Framework feature of Oracle Solaris to the FIPS 140-2 Level 1 standard. The Oracle Solaris certificates are numbered 2698 and 2699, and are based on the Oracle Solaris 11.3 SRU 5.6 release.

The OpenSSL module that runs on Oracle Solaris 11.3 was validated for FIPS 140-2 in November 2013 and issued certificate 1747. Any application that uses a FIPS 140-2 validated OpenSSL for its cryptography can use this module. For links to the certificates, see FIPS 140-2 Level 1 Guidance Documents for Oracle Solaris Systems.

FIPS 140-2, a U.S. Federal Information Processing Standard, is a requirement for many regulated industries and U.S. government agencies that process sensitive but unclassified information. The aim of FIPS 140-2 is to provide a degree of assurance that the system has implemented the cryptography correctly. Providing FIPS 140-2 Level 1 cryptography on a computer system is called “running in FIPS 140-2 mode”.

Applications and FIPS 140-2

A system that is running in FIPS 140-2 mode has enabled at least one provider of FIPS 140-2 cryptography. Some applications (consumers) call FIPS 140-2 cryptography automatically, for example, the passwd command. Some applications call FIPS 140-2 cryptography providers dynamically, for example, OpenSSH. Other applications run in FIPS 140-2 mode when their provider is enabled and the administrator has configured the application to use FIPS 140-2 cryptography only, for example, Kerberos, IPsec, SunSSH, and the Apache HTTP Server.

Changes in the FIPS 140-2 August 2016 Validation From the December 2013 Validation

Between December 2013 and August 2016, NIST updated FIPS 140-2 cryptography and hardware requirements. These updates changed the validation status of several items in the Cryptographic Framework feature of Oracle Solaris.

The following mechanisms have a status change in the August 2016 FIPS 140-2 validation:

  • SHA512/224 is validated.

  • SHA512/256 is validated.

  • SHA1 and HMAC-SHA1 from libucrypto are validated.

  • SHA1 and HMAC-SHA1 from the PKCS #11 softtoken store are not validated.

  • AES-GMAC is not validated.

Software validation is no longer tied to particular hardware, as it was in the December 2013 certificates. For the list of approved hardware, see Oracle Solaris System Hardware Validated for FIPS 140-2.