3 Enabling FIPS 140-2 Consumers on an Oracle Solaris System

To run in FIPS 140-2 mode, applications on your FIPS 140-2-enabled system must use cryptographic libraries that the U.S. government has validated for FIPS 140-2 mode on Oracle Solaris. When FIPS 140-2 providers are enabled, some consumers use FIPS 140-2 algorithms by default, for example, the passwd command. Other consumers require configuration to use only FIPS 140-2 algorithms.

As an administrator, you are responsible for configuring consumers to use FIPS 140-2 algorithms that are validated for Oracle Solaris and for avoiding invalid algorithms. Follow these guidelines:

  • Avoid an algorithm that is available on Oracle Solaris but is not part of the FIPS 140-2 validation for Oracle Solaris, for example, Triple DES.

  • Avoid an algorithm that is part of the FIPS 140-2 certificate for Oracle Solaris but that has a key length shorter than FIPS 140-2 requires, for example, 1024-bit RSA.

  • Avoid an algorithm that is part of the FIPS 140-2 certificate for Oracle Solaris but that the consumer cannot use, for example, Elliptic-Curve Cryptography (ECC) over a Koblitz curve for IKEv2. IKEv2 supports ECC over primes only.

  • Avoid all algorithms that are not part of the FIPS 140-2 certificate for Oracle Solaris but are in the Cryptographic Framework, for example, the MD5 message digest algorithm and weaker versions of symmetric algorithms.

  • Applications should call FIPS 140-2 algorithms from the ucrypto library only, even when the same algorithms are available from the PKCS #11 library.

Note:

Any application that cannot use FIPS 140-2 validated algorithms, such as the Internet Key Exchange Protocol Version 1 (IKEv1), should not be run on a FIPS 140-2 system.