The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
To make an Oracle Linux 6.9 system compliant with Federal Information Processing Standard (FIPS) Publication 140-2, perform the following steps:
1. Install the dracut-fips package:

       # yum install dracut-fips

2. Recreate the initramfs file system:

       # dracut -f

3. Identify either the device file path (device) under /dev of your system's boot device or its UUID (uuid) by using ls -l to examine the entries under /dev/disk/by-uuid.

4. Add either a boot=device entry or a boot=UUID=uuid entry for the boot device to the kernel command line in /etc/grub.conf.

5. Add a fips=1 entry to the kernel command line in /etc/grub.conf to specify strict FIPS compliance.

6. Disable prelinking by setting PRELINKING=no in /etc/sysconfig/prelink.

7. Remove all existing prelinking from binaries and libraries:

       # prelink -ua

8. Install the openssh-server-fips and openssh-client-fips packages and their dependent packages:

       # yum install openssh-server-fips openssh-client-fips

9. Shut down and reboot the system.

If you specify fips=1 on the kernel command line but omit a valid boot= entry, the system crashes because it cannot locate the kernel's .hmac file.

If you do not disable and remove all prelinking, users cannot log in and /usr/sbin/sshd does not start.
(Bug ID 17759117)
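
A pre-reboot check for the two failure modes noted above (fips=1 without a valid boot= entry, and prelinking left enabled). This is an added example, not Oracle's tooling; the function names check_grub, check_prelink and fips_precheck are hypothetical, and the check assumes the legacy GRUB layout in which each boot entry has a line beginning with the word kernel.

```shell
#!/bin/sh
# Added example (not part of the Oracle documentation); function names are
# hypothetical. Checks configuration files only, changes nothing.

# check_grub FILE: succeed only if at least one kernel line carries fips=1
# and every kernel line with fips=1 also carries boot=/dev/... or boot=UUID=...
check_grub() {
    awk '
        $1 == "kernel" {
            fips = 0; boot = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "fips=1") fips = 1
                if ($i ~ "^boot=(UUID=.+|/dev/.+)$") boot = 1
            }
            if (fips) { seen = 1; if (!boot) bad = 1 }
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# check_prelink FILE: succeed only if the last PRELINKING= assignment is "no".
# A missing or unreadable file is reported as not set.
check_prelink() {
    val=$(sed -n 's/^[[:space:]]*PRELINKING=//p' "$1" 2>/dev/null |
          tail -n 1 | tr -d "\"'")
    [ "$val" = "no" ]
}

# fips_precheck GRUB_CONF PRELINK_CONF: print each failure and return the
# number of failed checks (0 means both passed).
fips_precheck() {
    rc=0
    if ! check_grub "$1"; then
        echo "FAIL: $1: fips=1 absent, or present without a valid boot= entry"
        rc=$((rc + 1))
    fi
    if ! check_prelink "$2"; then
        echo "FAIL: $2: PRELINKING is not set to no"
        rc=$((rc + 1))
    fi
    return "$rc"
}

# Run against real files when two paths are given, for example:
#   sh fips_precheck.sh /etc/grub.conf /etc/sysconfig/prelink
if [ "$#" -eq 2 ]; then fips_precheck "$1" "$2"; fi
```

The script inspects configuration only: it does not confirm that prelink -ua has been run or that the device named in boot= exists.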