2 Enabling FIPS 140-2 Providers on an Oracle Solaris System

Because FIPS 140-2 provider modules are CPU intensive, they are not enabled by default. As the administrator, you are responsible for enabling the providers in FIPS 140-2 mode and configuring consumers.

The Oracle Solaris OS offers two providers of cryptographic algorithms that are validated for FIPS 140-2 Level 1:

  • The Cryptographic Framework feature of Oracle Solaris is the central cryptographic store on an Oracle Solaris system and provides two FIPS 140-2 modules. The userland module supplies cryptography for applications that run in user space, and the kernel module provides cryptography for kernel-level processes. Both modules can leverage the algorithm acceleration from SPARC and x86 processors when available.

    • The Oracle Solaris Userland Cryptographic Framework module provides cryptography for any application that calls into it. The module provides encryption, decryption, hashing, secure random number generation, signature generation and verification, certificate generation and verification, message authentication functions, and key pair generation for RSA and DSA. User-level applications that call into the userland Cryptographic Framework run in FIPS 140-2 mode, for example, the passwd command and IKEv2.

    • The Oracle Solaris Kernel Cryptographic Framework module provides cryptography for the kernel module. The module provides encryption, decryption, hashing, secure random number generation, signature generation and verification, and message authentication functions. Kernel-level consumers, for example, IPsec, use proprietary APIs to call into the kernel Cryptographic Framework.

  • The OpenSSL object module provides cryptography for all consumers whose code supports FIPS 140-2. After the FIPS 140-2 version of OpenSSL is enabled in your boot environment (BE), OpenSSL runs in FIPS 140-2 mode and its consumers must use FIPS 140-2 cryptography. To enable the FIPS 140-2 version of OpenSSL, see Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.4 System.

    OpenSSL is the open source toolkit for the industry-standard Transport Layer Security protocols (TLS v1.2 and v1.3).