Oracle® SuperCluster M8 and SuperCluster M7 Security Guide

Updated: June 2020
 
 

FIPS-140-2 Level 1 Compliance

The cryptographic applications hosted on SuperCluster rely on the Cryptographic Framework feature of Oracle Solaris, which is validated for FIPS 140-2 Level 1 compliance. The Oracle Solaris Cryptographic Framework is the central cryptographic store for Oracle Solaris, and it provides two FIPS 140–verified modules that support the user-space and kernel-level processes. These library modules provide encryption, decryption, hashing, signature generation and verification, certificate generation and verification, and message authentication functions for applications. User-level applications that call into these modules run in FIPS 140 mode.

In addition to the Oracle Solaris Cryptographic Framework, the OpenSSL object module bundled with Oracle Solaris is validated for FIPS 140-2 Level 1 compliance. This module supports the cryptography for applications based on the Secure Shell and TLS protocols. The cloud service provider can choose to enable the tenant hosts with FIPS 140–compliant modes. When running in FIPS 140–compliant modes, Oracle Solaris and OpenSSL, which are FIPS 140-2 providers, enforce the use of FIPS 140–validated cryptographic algorithms.

Also see (If Required) Enable FIPS-140 Compliant Operation (Oracle ILOM).

This table lists FIPS approved algorithms that are supported by Oracle Solaris on SuperCluster M8 and SuperCluster M7.

| Key or CSP | Certificate Number (v1.0) | Certificate Number (v1.1) |
|---|---|---|
| Symmetric Key | | |
| AES: ECB, CBC, CFB-128, CCM, GMAC, GCM, and CTR modes for 128-, 192-, and 256-bit key sizes | #2311 | #2574 |
| AES: XTS mode for 256- and 512-bit key sizes | #2311 | #2574 |
| TripleDES: CBC and ECB mode for keying option 1 | #1458 | #1560 |
| Asymmetric Key | | |
| RSA PKCS#1.5 signature generation/verification: 1024-, 2048-bit (with SHA-1, SHA-256, SHA-384, SHA-512) | #1194 | #1321 |
| ECDSA signature generation/verification: P-192, -224, -256, -384, -521; K-163, -233, -283, -409, -571; B-163, -233, -283, -409, -571 | #376 | #446 |
| Secure Hashing Standard (SHS) | | |
| SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | #1425 | #1596 |
| (Keyed-) Hash-based Message Authentication | | |
| HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA-512 | #1425 | #1596 |
| Random Number Generators | | |
| swrand FIPS 186-2 Random Number Generator | #1154 | #1222 |
| n2rng FIPS 186-2 Random Number Generator | #1152 | #1226 |

Oracle Solaris offers two providers of cryptographic algorithms that are validated for FIPS 140-2 Level 1.

  • The Cryptographic Framework feature of Oracle Solaris is the central cryptographic store on an Oracle Solaris system and provides two FIPS 140 modules. The userland module supplies cryptography for applications that run in user space, and the kernel module provides cryptography for kernel-level processes. These library modules provide encryption, decryption, hashing, signature generation and verification, certificate generation and verification, and message authentication functions for applications. User-level applications that call into these modules, for example the passwd command and IKEv2, run in FIPS 140 mode. Kernel-level consumers, for example Kerberos and IPsec, use proprietary APIs to call into the kernel Cryptographic Framework.

  • The OpenSSL object module provides cryptography for SSH and web applications. OpenSSL is the open source toolkit for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and provides a cryptography library. In Oracle Solaris, SSH and the Apache Web Server are consumers of the OpenSSL FIPS 140 module. Oracle Solaris ships a FIPS 140 version of OpenSSL with Oracle Solaris 11.2 that is available to all consumers, but the version shipped with Oracle Solaris 11.1 is available to Solaris SSH only. Because FIPS 140-2 provider modules are CPU intensive, they are not enabled by default. As the administrator, you are responsible for enabling the providers in FIPS 140 mode and configuring consumers.

For more information on enabling FIPS-140 providers on Oracle Solaris, refer to the document titled Using a FIPS 140 Enabled System in Oracle Solaris 11.2, available under the Securing the Oracle Solaris 11 Operating System heading at: http://docs.oracle.com/cd/E36784_01.