About the Cryptographic Framework in FIPS 140-2 Mode

The Cryptographic Framework implements many cryptographic algorithms with varying key lengths. Each variant of an algorithm (for example, a specific mode or key length) is called a mechanism, and mechanisms are listed by their PKCS #11 names, such as CKM_AES_CBC. Not all mechanisms are validated for FIPS 140-2.

When running in FIPS 140-2 mode, the userland Cryptographic Framework does not by itself enforce the use of FIPS 140-2 validated algorithms: an application can still request a non-validated mechanism unless you disable that mechanism. This design choice enables you to apply your own security policy.

Tip:

To accommodate a legacy system, non-compliant applications, or problem resolution, you can leave all Cryptographic Framework algorithms enabled. For strict enforcement of FIPS 140-2 mode, you should disable non-FIPS 140-2 algorithms in the Cryptographic Framework. For an example, see the final steps in Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.4 System.

After enabling the providers in FIPS 140-2 mode, you must also configure applications to use FIPS 140-2 algorithms; enabling the mode does not change which mechanisms an application asks for.

The cryptoadm and pktool commands list the algorithms that the Cryptographic Framework supports.

  • To display a complete list of cryptographic mechanisms, use the cryptoadm list -vm command. See the cryptoadm(8) man page.

  • To display the list of curves for ECC algorithms, use the pktool gencert listcurves command. See the pktool(1) man page.

    For the ECC curves that are FIPS 140-2 validated in Oracle Solaris, see FIPS 140-2 Algorithms in the Cryptographic Framework.
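The strict-enforcement step from the tip above, combined with the mechanism listing, as an added example that is not part of the Oracle documentation: compare the mechanisms a provider reports against an allowlist of mechanisms your policy treats as FIPS 140-2 validated, and generate the cryptoadm disable commands for everything else. The provider path, the allowlist, and the reported mechanism list are all constructed for illustration; in practice, take the allowlist from FIPS 140-2 Algorithms in the Cryptographic Framework and extract the reported names from cryptoadm list -vm.

```shell
#!/bin/sh
# Added example (not Oracle's code): derive the cryptoadm disable commands
# needed to strictly enforce FIPS 140-2 mode on one user-level provider.

# Provider named in the generated commands. Assumed for illustration; the
# softtoken provider is the usual user-level target.
PROVIDER='/usr/lib/security/$ISA/pkcs11_softtoken.so'

# Allowlist of mechanisms your policy treats as FIPS 140-2 validated.
# Illustrative subset only, not the authoritative list.
FIPS_ALLOWED='CKM_AES_CBC
CKM_AES_GCM
CKM_SHA256
CKM_SHA256_HMAC
CKM_RSA_PKCS
CKM_ECDSA'

# Constructed stand-in for the mechanism names one provider reports
# (extract the real names from "cryptoadm list -vm").
REPORTED='CKM_AES_CBC
CKM_AES_GCM
CKM_DES_CBC
CKM_MD5
CKM_RC4
CKM_SHA256
CKM_SHA256_HMAC
CKM_RSA_PKCS
CKM_ECDSA'

# Print the mechanisms in $1 that are absent from the allowlist $2,
# one per line, in the order the provider reported them.
non_fips_mechs() {
    printf '%s\n' "$1" | while IFS= read -r mech; do
        [ -n "$mech" ] || continue
        # grep -x matches whole lines, so CKM_SHA256 does not match CKM_SHA256_HMAC
        if ! printf '%s\n' "$2" | grep -qx -- "$mech"; then
            printf '%s\n' "$mech"
        fi
    done
}

# Emit one "cryptoadm disable" command per non-FIPS mechanism.
# The commands are printed, not executed, so they can be reviewed first.
disable_commands() {
    non_fips_mechs "$1" "$2" | while IFS= read -r mech; do
        printf 'cryptoadm disable provider=%s mechanism=%s\n' "$PROVIDER" "$mech"
    done
}

disable_commands "$REPORTED" "$FIPS_ALLOWED"
```

Run the generated commands as a privileged user only after reviewing them, then confirm the resulting policy with cryptoadm list -p. The script deliberately prints commands rather than executing them, because disabling a mechanism that a legacy application still needs breaks that application immediately.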