The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
You must enable FIPS mode on Oracle Linux prior to using FIPS validated cryptographic modules. The following procedure describes how to configure Oracle Linux to use only cryptographic algorithms that are FIPS-validated.

1. Depending on the type of FIPS module that you plan to install, do one of the following:

   - If you plan to install FIPS validated cryptographic modules for Oracle Linux, ensure that the system is running Oracle Linux 6 Update 9 or later.
   - If you plan to install the OpenSSL FIPS object module, ensure that the system is running Oracle Linux 6 Update 5 or later.

2. Ensure that your system is registered with the Unbreakable Linux Network (ULN) and that you are subscribed to the ol6_x86_64_security_validation and ol6_x86_64_latest channels. If you are using the Oracle Linux yum server, enable the ol6_security_validation and ol6_latest repositories as follows:

   # yum-config-manager --enable ol6_security_validation ol6_latest

3. Install the dracut-fips package:

   # yum install dracut-fips

   The dracut-fips package provides the modules to build a dracut initramfs file system that performs an integrity check.

   If the system CPU supports AES New Instructions (AES-NI), also install the dracut-fips-aesni package. Run the following command to check whether the system supports AES-NI:

   # grep aes /proc/cpuinfo

   To install the package:

   # yum install dracut-fips-aesni

4. Recreate the initramfs file system:

   # dracut -f

5. Perform the following steps to configure the kernel command line in the grub.conf file so that the system boots into FIPS mode:

   a. Identify the boot partition and the UUID of the partition, for example:

      # df /boot
      Filesystem 1K-blocks Used Available Use% Mounted on
      /dev/sda1 508588 294476 214112 58% /boot
      # blkid /dev/sda1
      /dev/sda1: UUID="a305c68f-3e04-4c53-a566-9d67c12ff293" TYPE="xfs"

   b. As the root user, edit the /etc/grub.conf file as follows:

      - Add the fips=1 option to the boot loader configuration:

        GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet fips=1"

      - If the contents of /boot reside on a partition other than the root partition, you must also add the boot=UUID=boot_UUID option to the boot loader configuration, where boot_UUID is the UUID of the boot partition, to specify the device that is mounted on /boot when the kernel loads:

        GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet boot=UUID=6046308a-75fc-418e-b284-72d8bfad34ba fips=1"

   c. Save the changes.

   These steps are required for FIPS to perform kernel validation checks, where it verifies the kernel against the provided HMAC file in the /boot directory.

   Note: On systems that are configured to boot with UEFI, /boot/efi is located on a dedicated partition, as it is formatted specifically to meet UEFI requirements. This does not automatically mean that /boot is located on a dedicated partition. Only use the boot= parameter if /boot is located on a dedicated partition. If the parameter is specified incorrectly or points to a non-existent device, the system might not boot. If your system is no longer able to boot, you can try to modify the kernel boot options in grub to specify an alternate device for the boot=UUID=boot_UUID parameter, or remove the parameter entirely.

6. Rebuild the GRUB configuration as follows:

   - On BIOS-based systems, run the following command:

     # grub2-mkconfig -o /boot/grub2/grub.cfg

   - On UEFI-based systems, run the following command:

     # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

7. To ensure proper operation of the in-module integrity verification, prelinking must be disabled on all system files. By default, the prelink package is not installed on the system. However, if it is installed, disable prelinking on all libraries and binaries as follows:

   a. Set PRELINKING=no in the /etc/sysconfig/prelink configuration file.

   b. If the libraries were already prelinked, undo the prelink on all of the system files:

      # prelink -u -a

8. Reboot the system, then run the following command to verify that FIPS is enabled:

   # cat /proc/sys/crypto/fips_enabled
   1

   A response of 1 indicates that FIPS is enabled.
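A check for the kernel command line requirements in the procedure above (fips=1 present, and boot=UUID= present and matching blkid only when /boot is a dedicated partition), written as an added example that is not part of the Oracle documentation. The check_running_system helper assumes a Linux host with /proc, awk and blkid; the sample command line and UUID at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): verify that a kernel
# command line satisfies the FIPS boot requirements: fips=1 is present, and
# boot=UUID= is present and correct exactly when /boot is a dedicated partition.

# has_opt CMDLINE OPTION: succeed if OPTION appears as a whole word.
has_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# boot_uuid_of CMDLINE: print the value of boot=UUID=, if any.
boot_uuid_of() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^boot=UUID=//p'
}

# check_fips_cmdline CMDLINE SEPARATE_BOOT EXPECTED_UUID
#   SEPARATE_BOOT is yes or no; EXPECTED_UUID is what blkid reports for the
#   /boot device (empty when /boot is not a dedicated partition).
# Prints a verdict and returns 0 only when the command line is consistent.
check_fips_cmdline() {
    cmdline=$1 separate=$2 expected=$3
    if ! has_opt "$cmdline" fips=1; then
        echo "FAIL: fips=1 is missing"; return 1
    fi
    got=$(boot_uuid_of "$cmdline")
    if [ "$separate" = yes ]; then
        [ -n "$got" ] || { echo "FAIL: /boot is dedicated but boot=UUID= is missing"; return 1; }
        [ "$got" = "$expected" ] || { echo "FAIL: boot=UUID=$got does not match blkid ($expected)"; return 1; }
    elif [ -n "$got" ]; then
        echo "FAIL: boot=UUID= set although /boot is not a dedicated partition"; return 1
    fi
    echo "OK: $cmdline"
}

# check_running_system: apply the check to the live kernel. Assumes Linux with
# /proc and blkid; the /boot device, if any, is read from /proc/mounts.
check_running_system() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] ||
        { echo "FAIL: /proc/sys/crypto/fips_enabled is not 1"; return 1; }
    dev=$(awk '$2 == "/boot" { print $1 }' /proc/mounts)
    if [ -n "$dev" ]; then
        check_fips_cmdline "$(cat /proc/cmdline)" yes "$(blkid -s UUID -o value "$dev")"
    else
        check_fips_cmdline "$(cat /proc/cmdline)" no ""
    fi
}

# Constructed sample: a dedicated /boot whose UUID matches the command line.
SAMPLE_UUID=6046308a-75fc-418e-b284-72d8bfad34ba
check_fips_cmdline "rhgb quiet boot=UUID=$SAMPLE_UUID fips=1" yes "$SAMPLE_UUID"
```

Run check_running_system as root after the reboot in the last step to compare the live /proc/cmdline and mount table against the same rules.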