K Enabling FIPS 140-2 in Oracle AVDF

Learn about enabling FIPS 140-2 in Oracle AVDF.

K.1 About FIPS and Oracle AVDF

FIPS (Federal Information Processing Standards) is a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, by government contractors, and vendors who work with these agencies.

FIPS publications are issued by the National Institute of Standards and Technology (NIST). The publication entitled Security Requirements for Cryptographic Modules (FIPS 140-2) specifies the security requirements, across several key areas, that a cryptographic module must satisfy when it is used within a security system that protects sensitive but unclassified information.

You can enable FIPS 140-2 for the following Oracle AVDF components only:

  • Audit Vault Server: Enabling FIPS on the Audit Vault Server turns on FIPS mode in the embedded Oracle Linux operating system and Oracle Database.
  • Database Firewall: Enabling FIPS 140-2 on the Database Firewall turns on FIPS mode in the embedded Oracle Linux operating system.

Tip:

Before enabling FIPS 140-2, ensure that your SSH keys are compliant with FIPS. If your SSH keys are not compliant with FIPS, the SSH connection with the appliance might be lost after enabling FIPS.

K.2 Enabling FIPS 140-2 on the Audit Vault Server

Enable FIPS on the Audit Vault Server to turn on FIPS mode in the embedded Oracle Linux operating system and Oracle Database.

Note:

For Oracle AVDF on Oracle Cloud Infrastructure (OCI), before enabling FIPS mode, ensure that the opc user has FIPS-compliant keys registered to /home/opc/.ssh/authorized_keys.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.

    The Security tab in the left navigation menu is selected by default.

  3. Click the FIPS subtab on the main page.
  4. Click the toggle switch to enable FIPS 140-2. The toggle switch is green when it's on.
  5. Click Save.

    A message says that the Audit Vault Server will reboot and prompts you to continue or cancel.

  6. Click OK to continue to enable FIPS 140-2 for Audit Vault Server. Otherwise, click Cancel.

The Audit Vault Server restarts and is unavailable for several minutes. Don't attempt to access the Audit Vault Server console during this period. Close the browser and open a new tab or window to log in to the Audit Vault Server console.

Note:

  • To disable FIPS 140-2 mode for the Audit Vault Server, click the toggle switch on the FIPS subtab.
  • For Oracle AVDF on OCI, if SSH access becomes disabled after enabling FIPS mode, log in to the Audit Vault Server console and disable FIPS mode. Then log back in to the appliance through SSH and update the keys for the opc user in /home/opc/.ssh/authorized_keys so that they are compliant with FIPS. It can take several minutes for the console to become available after enabling or disabling FIPS mode.

  • In a high availability configuration, enabling FIPS 140-2 mode for the primary Audit Vault Server also enables FIPS 140-2 mode for the standby Audit Vault Server. Similarly, disabling FIPS mode for the primary Audit Vault Server also disables it for the standby Audit Vault Server.
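The Tip in K.1 and the OCI notes above require the SSH keys in authorized_keys to be FIPS-compliant before FIPS mode is enabled, because non-compliant keys are rejected afterwards and SSH access is lost. The following added example (not part of the Oracle AVDF documentation or product) parses an authorized_keys file and flags key entries that are not acceptable under an assumed FIPS policy: the accepted key types in FIPS_OK_TYPES and the 2048-bit RSA minimum are assumptions to verify against the appliance's actual FIPS configuration, and the sample keys are constructed placeholders, not real keys.

```python
import base64
import struct

# Assumption (verify against the appliance's FIPS policy): types accepted here; others are flagged.
FIPS_OK_TYPES = {"ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # RSA keys with a shorter modulus are flagged as well

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data  # SSH wire "string": uint32 length + bytes

def _rsa_modulus_bits(blob):  # ssh-rsa public-key blob layout: string type, mpint e, mpint n
    off = 0
    for _ in range(2):  # step past the key type and the exponent e
        off += 4 + struct.unpack(">I", blob[off:off + 4])[0]
    n_len = struct.unpack(">I", blob[off:off + 4])[0]
    return int.from_bytes(blob[off + 4:off + 4 + n_len], "big").bit_length()

def check_authorized_keys(text):
    """Return (line_no, key_type, verdict) for every key line in authorized_keys text."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip option fields (e.g. no-pty) up to the key type; quoted options containing spaces are not handled.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        try:
            key_type = fields[idx]
            blob = base64.b64decode(fields[idx + 1], validate=True)
            bits = _rsa_modulus_bits(blob) if key_type == "ssh-rsa" else None
        except (TypeError, IndexError, ValueError, struct.error):
            results.append((line_no, "?", "unparseable"))
            continue
        if key_type not in FIPS_OK_TYPES:
            verdict = "not FIPS-approved key type"
        elif bits is not None and bits < MIN_RSA_BITS:
            verdict = f"RSA modulus shorter than {MIN_RSA_BITS} bits"
        else:
            verdict = "ok"
        results.append((line_no, key_type, verdict))
    return results

def fake_key_line(key_type, modulus_bits=2048):  # constructed placeholder key line, not a usable key
    n = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")
    body = _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + n)  # e = 65537, mpint n
    blob = _ssh_string(key_type.encode()) + (body if key_type == "ssh-rsa" else _ssh_string(b"\x00" * 32))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

SAMPLE_AUTHORIZED_KEYS = "\n".join(["# constructed sample, not a real authorized_keys file", fake_key_line("ssh-rsa", 2048),
    fake_key_line("ssh-rsa", 1024), fake_key_line("ssh-ed25519"), "no-pty " + fake_key_line("ecdsa-sha2-nistp256")])
```

Run check_authorized_keys over the contents of /home/opc/.ssh/authorized_keys (or the equivalent file for your administrative user) before toggling FIPS, and replace any flagged entry while the appliance is still reachable.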

K.3 Enabling FIPS 140-2 in Database Firewall

Learn how to enable FIPS 140-2 in Database Firewall.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Database Firewalls tab. The Database Firewalls tab in the left navigation menu is selected by default.
  3. Click the name of the specific Database Firewall instance for which you want to enable FIPS 140-2.
  4. Click FIPS under the Configuration section. A dialog is displayed.
  5. In the dialog, turn on the toggle switch to enable FIPS 140-2. The toggle switch turns green when it is on.
  6. Click Save. A message says that the Database Firewall will reboot and prompts you to continue or cancel.
  7. Click OK to continue to enable FIPS 140-2 for the Database Firewall instance. Otherwise, click Cancel.

    The Database Firewall instance is restarted and is unavailable for some time.

  8. Wait a while, then navigate back to the Database Firewalls tab in the left navigation menu.
  9. Check the status of FIPS 140-2 mode in the FIPS Mode column for the specific Database Firewall instance.

K.4 Enabling FIPS 140-2 for Database Firewall Instances in High Availability

Learn how to enable FIPS 140-2 for Database Firewall instances in high availability configuration.

Prerequisites

  • At least two instances of Database Firewall must be configured for high availability.
  • Both Database Firewall instances must have the same FIPS 140-2 status, either On or Off. FIPS 140-2 mode can be disabled or enabled on both instances together. If the two instances are in different FIPS modes, an error message is displayed.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Database Firewalls tab. The Database Firewalls tab in the left navigation menu is selected by default.
  3. Click the High Availability tab in the left navigation menu. All the Database Firewall instances that are configured in high availability are listed on the main page.
  4. The names of paired Database Firewall instances are listed under the Primary and Secondary columns on the main page. Select the specific pair of Database Firewall instances for which you want to enable FIPS.
  5. Click FIPS in the top right corner of the page. A dialog is displayed.
  6. Turn on the toggle switch to enable FIPS 140-2. The toggle switch turns green when it is on.
  7. Click Save. A message says that the Database Firewall instances will reboot and prompts you to continue or cancel.
  8. Click OK to continue to enable FIPS 140-2 for the Database Firewall instances. Otherwise, click Cancel.

    The Database Firewall instances are restarted and are unavailable for some time.

  9. Wait a while, then check the status of FIPS 140-2 mode in the FIPS Mode column for the paired Database Firewall instances.

K.5 Verify the Status After Enabling FIPS 140-2 for Database Firewall Instances in High Availability

Learn how to verify or check the status after enabling or disabling FIPS 140-2 for the Database Firewall instances configured in high availability.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.
  3. Click the System tab in the left navigation menu.
  4. Click Jobs under the Monitoring section. The Jobs dialog is displayed.
  5. The most recent jobs are listed at the top. If necessary, sort the list to locate the job that is specific to enabling or disabling FIPS 140-2 mode for the Database Firewall instances configured in high availability.
  6. Verify that the status is Completed. Otherwise, click the Job Details icon at the far left of the specific job.
  7. The Job Status Details dialog is displayed. It lists the events pertaining to the triggered job.

K.6 Enabling FIPS 140-2 for Database Firewall Instances in High Availability Deployed in Proxy Mode

Learn how to enable FIPS 140-2 for Database Firewall instances in high availability deployed in proxy mode.

Prerequisite

At least two instances of Database Firewall must be configured for high availability in proxy mode.

Follow these steps to enable or disable FIPS 140-2 for all Database Firewall instances that are part of high availability and deployed in Monitoring / Blocking (Proxy) mode:

  1. All the Database Firewall instances that are part of high availability must have the same FIPS 140-2 mode: either all enabled (On) or all disabled (Off).
  2. To enable or disable FIPS 140-2 for each Database Firewall instance, follow the procedure in Enabling FIPS 140-2 in Database Firewall (section K.3).
  3. After completing the previous step, ensure that all the Database Firewall instances that are part of high availability have the same FIPS 140-2 mode (either On or Off).

    Note:

    Inconsistent behavior is expected if Database Firewall instances are in different FIPS 140-2 modes (some of them having FIPS 140-2 enabled and some of them disabled).