The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
To install the OpenSSL FIPS object module, do the following:
1. If your system is registered with ULN, log in to ULN and enable the ol6_x86_64_addons channel for the system.

Alternatively, if you are using the Oracle Linux yum server, you can enable the ol6_addons repository. For example:

# yum-config-manager --enable ol6_addons

2. Remove the existing openssl package and install the openssl-fips-1.0.1* package. You can use yum shell to perform these transactions as follows:

# yum -y shell <<EOF
remove openssl
install openssl-fips-1.0.1*
run
EOF

You cannot use separate yum remove and yum install commands as yum itself depends on the OpenSSL library being available.

Alternatively, download the openssl-fips-1.0.1* package and use the rpm command instead:

# rpm -e --nodeps openssl
# rpm -ivh openssl-fips-1.0.1*.rpm

3. Remove the existing SSH host keys:

# rm /etc/ssh/ssh_host*

OpenSSH uses the FIPS-validated OpenSSL library modules to generate new, FIPS-approved keys when the system is next rebooted. (Under FIPS mode, ssh-keygen can create new RSA host keys in /etc/ssh, but not DSA keys, and it displays key fingerprints as SHA1 hashes instead of as MD5 hashes.)

4. Reboot the system.

Note: While the system is rebooting, generate input events by pressing keys at random or by moving the mouse. You should create at least 256 such events to ensure that the system has sufficient entropy available for key generation.
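
One way to confirm after the reboot that the host keys really were regenerated, given here as an added example that is not part of the Oracle documentation. It assumes a marker file (a hypothetical path such as /root/fips-marker) that you created with touch immediately before removing the old keys; the function name check_host_keys is also this example's own.

```shell
#!/bin/sh
# Added example: post-reboot check of the SSH host keys.
# Assumption: MARKER was created with "touch" just before the
# "rm /etc/ssh/ssh_host*" step, so regenerated keys are newer than it.

# check_host_keys DIR MARKER
#   DIR     directory holding the ssh_host* files (normally /etc/ssh)
#   MARKER  file whose modification time predates the key removal
# Prints one finding per line and returns 0 only if every check passes.
check_host_keys() {
    dir=$1
    marker=$2
    rc=0

    # The RSA key pair must exist, be non-empty, and be newer than the marker.
    for f in "$dir/ssh_host_rsa_key" "$dir/ssh_host_rsa_key.pub"; do
        if [ ! -s "$f" ]; then
            echo "FAIL missing or empty: $f"
            rc=1
        elif [ ! "$f" -nt "$marker" ]; then
            echo "FAIL not newer than marker (old key still in place): $f"
            rc=1
        else
            echo "OK   regenerated: $f"
        fi
    done

    # The page states that ssh-keygen cannot create DSA keys under FIPS mode,
    # so a DSA host key here was left over or generated outside FIPS mode.
    for f in "$dir"/ssh_host_dsa_key*; do
        [ -e "$f" ] || continue
        echo "FAIL DSA host key present: $f"
        rc=1
    done

    return $rc
}

# Run directly as: sh check_host_keys.sh /etc/ssh /root/fips-marker
if [ "$#" -eq 2 ]; then
    check_host_keys "$1" "$2"
fi
```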