7.4.1 Installing the OpenSSL FIPS Object Module

To install the OpenSSL FIPS object module, do the following:

  1. If your system is registered with ULN, log in to ULN and enable the ol6_x86_64_addons channel for the system.

    Alternatively, if you are using the Oracle Linux yum server, you can enable the ol6_addons repository. For example:

    # yum-config-manager --enable ol6_addons

  2. Remove the existing openssl package and install the openssl-fips-1.0.1* package. You can use yum shell to perform these transactions as follows:

    # yum -y shell <<EOF
    remove openssl
    install openssl-fips-1.0.1*
    run
    EOF

    You cannot use separate yum remove and yum install commands, because yum itself depends on the OpenSSL library: once openssl has been removed, yum can no longer run to install the replacement, so both operations must happen in a single transaction.

    Alternatively, download the openssl-fips-1.0.1* package and use the rpm command instead:

    # rpm -e --nodeps openssl
    # rpm -ivh openssl-fips-1.0.1*.rpm

  3. Remove the existing SSH host keys:

    # rm /etc/ssh/ssh_host*

    OpenSSH uses the FIPS-validated OpenSSL library modules to generate new, FIPS-approved keys when the system is next rebooted. (Under FIPS mode, ssh-keygen can create new RSA host keys in /etc/ssh, but not DSA keys, and it displays key fingerprints as SHA1 hashes instead of as MD5 hashes.)

  4. Reboot the system.

    Note

    While the system is rebooting, generate input events by pressing keys at random or by moving the mouse. You should create at least 256 such events to ensure that the system has sufficient entropy available for key generation.
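The four steps above, collected into one POSIX shell script as an added example that is not part of the Oracle documentation. It wraps the same commands (yum shell transaction, host-key removal, reboot) with the checks an administrator would want before rebooting: that the openssl-fips-1.0.1* package is actually installed, that no ssh_host* files remain, and that the kernel entropy pool is not empty. The entropy check reads /proc/sys/kernel/random/entropy_avail and the 256-bit threshold mirrors the note's "at least 256 events"; both are assumptions, as are the FIPS_INSTALL_RUN, SSH_DIR and ENTROPY_FILE variables used so the check functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): run the FIPS module
# install steps with checks before the reboot. Assumed: package pattern
# openssl-fips-1.0.1* (from the page); entropy path and 256-bit threshold are
# assumptions chosen to mirror the note about input events.

SSH_DIR="${SSH_DIR:-/etc/ssh}"
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
ENTROPY_MIN="${ENTROPY_MIN:-256}"

# Step 2: the yum shell transaction text. Remove and install must be in ONE
# transaction because yum itself links against the OpenSSL library.
fips_transaction() {
    printf 'remove openssl\ninstall openssl-fips-1.0.1*\nrun\n'
}

# Check: does the package list on stdin (output of `rpm -qa 'openssl*'`) name
# the FIPS package? Reading stdin lets the check be tested offline.
has_fips_package() {
    grep -q '^openssl-fips-1\.0\.1'
}

# Step 3 check: return 0 when no ssh_host* files remain in the directory.
host_keys_removed() {
    dir="$1"
    for f in "$dir"/ssh_host*; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Pre-reboot check: entropy counter in file $1 is a number of at least $2 bits.
entropy_ok() {
    avail=$(cat "$1" 2>/dev/null) || return 1
    case "$avail" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$avail" -ge "$2" ]
}

# Orchestration of the documented procedure; run as root on Oracle Linux 6.
main() {
    yum-config-manager --enable ol6_addons            # step 1 (yum server case)
    fips_transaction | yum -y shell                    # step 2
    rpm -qa 'openssl*' | has_fips_package || {
        echo "openssl-fips-1.0.1* is not installed; aborting before key removal" >&2
        exit 1
    }
    rm -f "$SSH_DIR"/ssh_host*                         # step 3
    host_keys_removed "$SSH_DIR" || {
        echo "host keys still present in $SSH_DIR" >&2
        exit 1
    }
    if entropy_ok "$ENTROPY_FILE" "$ENTROPY_MIN"; then
        echo "entropy pool ok; rebooting (step 4)"
    else
        echo "entropy pool low: press keys or move the mouse during reboot" >&2
    fi
    # reboot                                          # step 4; uncomment to reboot
}

# Only run the orchestration when explicitly requested, so the check functions
# can be sourced and exercised on any host without touching packages.
if [ "${FIPS_INSTALL_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as root with `FIPS_INSTALL_RUN=1 sh fips-install.sh`; without that variable the script only defines the functions, which is how the checks can be tried on a non-production host first.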