FIPS

From Dogtag

Operating System

Enabling FIPS Mode

To enable FIPS mode:

$ fips-mode-setup --enable
$ reboot

To enable FIPS mode manually:

  • dnf install dracut-fips
  • reboot
  • press 'e' on the grub config menu to 'edit' the selected kernel
  • add "fips=1" to the end of the boot line; when multiple disks/partitions are involved, also name the boot partition (e.g. "fips=1 boot=/dev/sda1")
  • Ctrl-x to boot with FIPS mode enabled

Alternatively, see the following pages:

Verifying FIPS Mode

To verify FIPS mode:

$ fips-mode-setup --check
FIPS mode is enabled.

or:

$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1

or:

$ cat /proc/sys/crypto/fips_enabled
1

OpenSSL

NSS

Enabling FIPS Mode in NSS Database

To enable FIPS mode:

$ modutil -dbdir nssdb -fips true

To check FIPS status:

$ modutil -dbdir nssdb -chkfips true
FIPS mode enabled.

To list NSS modules in FIPS mode:

$ modutil -dbdir nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
          uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
        slots: 1 slot attached
       status: loaded

        slot: NSS FIPS 140-2 User Private Key Services
       token: NSS FIPS 140-2 Certificate DB
         uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
-----------------------------------------------------------

Note: The internal token name in FIPS mode is "NSS FIPS 140-2 Certificate DB".
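The following pre-flight script is an added example, not part of this wiki page or of Dogtag itself. It combines the two checks described above: the kernel-level crypto.fips_enabled flag and the NSS token name reported by modutil -list. The sample listings are constructed to match the page's output, and the function names and the fips_enabled path parameter are this example's own.

```shell
#!/bin/sh
# Added example (not from the Dogtag wiki): check that the kernel and an NSS
# database agree on FIPS mode, using the signals the page describes.

# Kernel check: read crypto.fips_enabled. The path is a parameter so the
# function can be pointed at a test file; returns 0 when FIPS is enabled,
# 1 when disabled, 2 when the file is unreadable (e.g. not a FIPS-capable kernel).
kernel_fips_enabled() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$fips_file" ] || return 2
    [ "$(tr -d '[:space:]' < "$fips_file")" = "1" ]
}

# NSS check: read `modutil -dbdir <nssdb> -list` output from stdin and report
# whether the internal token is "NSS FIPS 140-2 Certificate DB" (the name the
# page notes for FIPS mode). Fixed-string match, so the '-' chars are literal.
nss_listing_is_fips() {
    grep -qF 'token: NSS FIPS 140-2 Certificate DB'
}

# Run modutil against a real database directory (assumes modutil is installed).
nss_db_fips_enabled() {
    modutil -dbdir "$1" -list 2>/dev/null | nss_listing_is_fips
}

# Combined pre-flight: succeed only if both the kernel and the NSS DB are in FIPS mode.
fips_preflight() {
    nssdb="$1"
    kernel_fips_enabled || { echo "kernel: FIPS mode is NOT enabled"; return 1; }
    nss_db_fips_enabled "$nssdb" || { echo "nssdb $nssdb: NOT in FIPS mode"; return 1; }
    echo "kernel and $nssdb are both in FIPS mode"
}

# Constructed sample listings (abbreviated to the lines the check relies on).
SAMPLE_FIPS_LISTING='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB'

SAMPLE_NONFIPS_LISTING='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB'

# Usage: sh fips_preflight.sh /path/to/nssdb
if [ -n "${1:-}" ]; then fips_preflight "$1"; fi
```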

Password Requirements

In FIPS mode the NSS database password must be a strong password, e.g. Secret.123.

Java

Tomcat

Crypto Policies

References