The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

2.2.22 Enabling FIPS Mode

To make an Oracle Linux 6.9 system compliant with Federal Information Processing Standard (FIPS) Publication 140-2, perform the following steps:

  1. Install the dracut-fips package:

    # yum install dracut-fips

  2. Recreate the initramfs file system:

    # dracut -f

  3. Identify either the device file path (device) under /dev of your system's boot device or its UUID (uuid) by using ls -l to examine the entries under /dev/disk/by-uuid.

  4. Add either a boot=device entry or a boot=UUID=uuid entry for the boot device to the kernel command line in /etc/grub.conf.

  5. Add a fips=1 entry to the kernel command line in /etc/grub.conf to specify strict FIPS compliance.

  6. Disable prelinking by setting PRELINKING=no in /etc/sysconfig/prelink.

  7. Remove all existing prelinking from binaries and libraries:

    # prelink -ua

  8. Install the openssh-server-fips and openssh-client-fips packages and their dependent packages:

    # yum install openssh-server-fips openssh-client-fips

  9. Shut down and reboot the system.

Note

If you specify fips=1 on the kernel command line but omit a valid boot= entry, the system crashes because it cannot locate the kernel's .hmac file.

If you do not disable and remove all prelinking, users cannot log in and /usr/sbin/sshd does not start.

(Bug ID 17759117)
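
The following check, run as root before the reboot in step 9, catches the two failure modes described in the Note by inspecting /etc/grub.conf and /etc/sysconfig/prelink. It is an added example, not part of the Oracle documentation or any Oracle Linux package; the function name check_fips_config and its messages are hypothetical, and it does not verify that prelink -ua was run or that the packages are installed.

```shell
# Added example: pre-reboot check of the two files edited in the procedure.
# check_fips_config [GRUB_CONF] [PRELINK_CONF]
# Prints one line per problem and returns the number of problems (0 = OK).
# The function name and messages are hypothetical, not part of Oracle Linux.
check_fips_config() {
    grub_conf=${1:-/etc/grub.conf}
    prelink_conf=${2:-/etc/sysconfig/prelink}
    problems=0
    fips_entries=0

    # Walk every non-comment kernel line in grub.conf.
    while IFS= read -r line; do
        # Skip kernel lines that do not request FIPS mode.
        printf '%s\n' "$line" |
            grep -Eq '[[:space:]]fips=1([[:space:]]|$)' || continue
        fips_entries=$((fips_entries + 1))
        # fips=1 without boot=device or boot=UUID=uuid crashes at boot.
        if ! printf '%s\n' "$line" |
            grep -Eq '[[:space:]]boot=(/dev/|UUID=)[^[:space:]]+'; then
            echo "FAIL: fips=1 without a boot= entry: $line"
            problems=$((problems + 1))
        fi
    done <<EOF
$(grep -E '^[[:space:]]*kernel[[:space:]]' "$grub_conf" 2>/dev/null)
EOF

    if [ "$fips_entries" -eq 0 ]; then
        echo "FAIL: no kernel line in $grub_conf has fips=1"
        problems=$((problems + 1))
    fi

    # The last PRELINKING= assignment wins when the file is sourced.
    prelinking=$(sed -n 's/^[[:space:]]*PRELINKING=//p' "$prelink_conf" \
        2>/dev/null | tail -n 1)
    if [ "$prelinking" != "no" ]; then
        echo "FAIL: PRELINKING=no is not set in $prelink_conf"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Called with no arguments, the function reads the default paths named in the procedure; a non-zero return means the system should not be rebooted yet.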