The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

2.2.11 Enabling FIPS Mode

To make an Oracle Linux Release 6 Update 6 system compliant with Federal Information Processing Standard (FIPS) Publication 140-2, perform the following steps:

  1. Install the dracut-fips package:

    # yum install dracut-fips

  2. Recreate the initramfs file system:

    # dracut -f

  3. Identify either the device file path (device) under /dev of your system's boot device or its UUID (uuid) by using ls -l to examine the entries under /dev/disk/by-uuid.

  4. Add either a boot=device entry or a boot=UUID=uuid entry for the boot device to the kernel command line in /etc/grub.conf.

  5. Add a fips=1 entry to the kernel command line in /etc/grub.conf to specify strict FIPS compliance.

  6. Disable prelinking by setting PRELINKING=no in /etc/sysconfig/prelink.

  7. Remove all existing prelinking from binaries and libraries:

    # prelink -ua

  8. Install the openssh-server-fips and openssh-client-fips packages and their dependent packages:

    # yum install openssh-server-fips openssh-client-fips

  9. Shut down and reboot the system.

Note

If you specify fips=1 on the kernel command line but omit a valid boot= entry, the system crashes because it cannot locate the kernel's .hmac file.

If you do not disable and remove all prelinking, users cannot log in and /usr/sbin/sshd does not start.

(Bug ID 17759117)
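
Both failure modes in the Note can be caught before the reboot in step 9. The following shell sketch is an added example, not part of Oracle's documentation or tooling; its function names and the --check flag are assumptions of the example, and it verifies only that a boot= value is present, not that it names the correct device.

```shell
#!/bin/sh
# Added example: pre-reboot check for the FIPS steps above (not Oracle tooling).

# check_grub FILE: fail if a kernel line has fips=1 without boot= (the crash
# case in the Note), or if no kernel line has fips=1 at all.
check_grub() {
    awk '
        $1 == "kernel" {
            fips = 0; boot = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "fips=1") fips = 1
                if ($i ~ /^boot=./) boot = 1
            }
            if (fips) seen = 1
            if (fips && !boot) { print "line " NR ": fips=1 without boot="; bad = 1 }
        }
        END {
            if (!seen) { print "no kernel line carries fips=1"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# check_prelink FILE: the last active PRELINKING= assignment must be "no".
check_prelink() {
    val=$(sed -n 's/^[[:space:]]*PRELINKING=\([^#]*\).*/\1/p' "$1" |
          tail -n 1 | tr -d "\"' \t")
    [ "$val" = "no" ] && return 0
    echo "PRELINKING is '${val:-unset}', expected no"
    return 1
}

# fips_precheck GRUB PRELINK: run both checks and report every failure.
fips_precheck() {
    rc=0
    check_grub "$1" || rc=1
    check_prelink "$2" || rc=1
    return $rc
}

# Constructed sample of a passing kernel line (kernel name and UUID are placeholders).
sample_kernel_line() {
    echo "kernel /vmlinuz-SAMPLE ro root=/dev/mapper/vg-root boot=UUID=00000000-0000-0000-0000-000000000000 fips=1"
}

# Check the live files named in the steps: sh fips-precheck.sh --check
if [ "${1:-}" = "--check" ]; then
    fips_precheck /etc/grub.conf /etc/sysconfig/prelink && echo "OK to reboot"
fi
```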