2.16 Using FIPS mode

On database servers running Oracle Linux 7 or later, you can enable the kernel to run in FIPS mode.

Starting with Oracle Exadata System Software release 20.1.0, you can enable and disable the Federal Information Processing Standards (FIPS) compatibility mode on Oracle Exadata database servers running Oracle Linux 7 or later.

After you enable or disable FIPS mode, you must reboot the server for the action to take effect.

To enable, disable, and get status information about FIPS mode, use the utility at /opt/oracle.cellos/host_access_control with the fips-mode option:

  • To display the current FIPS mode setting, run:

    # /opt/oracle.cellos/host_access_control fips-mode --status

  • To enable FIPS mode, run:

    # /opt/oracle.cellos/host_access_control fips-mode --enable

    Then, reboot the server to finalize the action.

  • To disable FIPS mode, run:

    # /opt/oracle.cellos/host_access_control fips-mode --disable

    Then, reboot the server to finalize the action.

  • To display information about FIPS mode, run:

    # /opt/oracle.cellos/host_access_control fips-mode --info

The following example shows the typical command sequence and command output for enabling and disabling FIPS mode on a server.

# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:19:45 -0700] [INFO] [IMG-SEC-1101] FIPS mode is disabled

# /opt/oracle.cellos/host_access_control fips-mode --enable
[2020-04-14 09:30:10 -0700] [INFO] [IMG-SEC-1107] Using only FIPS compliant
SSH host keys and sshd configuration updated in /etc/ssh/sshd_config
[2020-04-14 09:30:10 -0700] [INFO] [IMG-SEC-1103] FIPS mode is set to
enabled. A reboot is required to effect this change.

# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:30:14 -0700] [INFO] [IMG-SEC-1101] FIPS mode is configured but
not activated. A reboot is required to activate.

# reboot

...

# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:23:15 -0700] [INFO] [IMG-SEC-1103] FIPS mode is configured and
active

# /opt/oracle.cellos/host_access_control fips-mode --disable
[2020-04-14 09:40:37 -0700] [INFO] [IMG-SEC-1103] FIPS mode is set to
disabled. A reboot is required to effect this change.

# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:40:37 -0700] [INFO] [IMG-SEC-1103] FIPS mode is disabled but
is active. A reboot is required to deactivate FIPS mode.

# reboot

...

# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:46:22 -0700] [INFO] [IMG-SEC-1101] FIPS mode is disabled
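
The status output above distinguishes four states, two of which mean the configured setting is not yet in effect. The following script is an added example, not part of the Oracle utility or its documentation: it classifies --status output for a compliance check, and it assumes the message wording shown in the sample output on this page. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify `host_access_control fips-mode --status` output.
# Assumption: message wording matches the sample output on this page;
# other releases may phrase the messages differently.

# fips_state TEXT -> disabled | pending-enable | active | pending-disable | unknown
fips_state() {
    # The utility wraps long messages, so join the lines before matching.
    flat=$(printf '%s' "$1" | tr '\n' ' ' | tr -s ' ')
    case "$flat" in
        # Order matters: the bare "is disabled" pattern must come last.
        *"FIPS mode is configured but not activated"*) echo pending-enable ;;
        *"FIPS mode is configured and active"*)        echo active ;;
        *"FIPS mode is disabled but is active"*)       echo pending-disable ;;
        *"FIPS mode is disabled"*)                     echo disabled ;;
        *)                                             echo unknown ;;
    esac
}

# fips_compliant TEXT -> exit 0 only when FIPS mode is enabled AND in effect.
fips_compliant() {
    [ "$(fips_state "$1")" = active ]
}

# needs_reboot TEXT -> exit 0 when a change is still waiting on a reboot.
needs_reboot() {
    case "$(fips_state "$1")" in
        pending-enable|pending-disable) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample input copied from the example on this page (wrapped line included).
SAMPLE='[2020-04-14 09:30:14 -0700] [INFO] [IMG-SEC-1101] FIPS mode is configured but
not activated. A reboot is required to activate.'

echo "state: $(fips_state "$SAMPLE")"
if needs_reboot "$SAMPLE"; then echo "reboot pending"; fi

# On a server, pass the live output instead:
#   fips_state "$(/opt/oracle.cellos/host_access_control fips-mode --status)"
```

Treat pending-enable as non-compliant in audits: the setting is recorded but the running kernel is not yet in FIPS mode. On Linux, the running kernel's own view is available in /proc/sys/crypto/fips_enabled as a cross-check.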