Certicom Replacement

Certicom software, which provides cryptography services for securing storage and transmission of sensitive information, is no longer supported by SAP® Sybase® products. These services have been replaced by alternate providers, as indicated in the documentation for each SAP Sybase product.

OpenSSL is the supported provider for Adaptive Server® on all platforms. For information about OpenSSL, see the OpenSSL Web site at http://www.openSSL.org. Changes due to the provider replacement are:

Certificate Management

These certificate utilities are no longer supported:
  • certreq
  • certauth
  • certpk12
As a replacement, Adaptive Server includes the open source openssl utility at:
  • (UNIX) $SYBASE/$SYBASE_OCS/bin/openssl
  • (Windows) %SYBASE%\%SYBASE_OCS%\bin\openssl
Use openssl to accomplish all certificate management tasks previously performed by certreq, certauth, and certpk12. For information about the use of the openssl utility, go to http://www.openssl.org/docs/apps/openssl.html.

Enabling FIPS Encryption

In previous releases, enabling the FIPS login password encryption parameter specified the use of a FIPS 140-2 compliant cryptographic module for the encryption of passwords in transmission, in memory, and on disk. For Adaptive Server 15.7 SP60, enabling this parameter specifies that the FIPS 140-2 compliant cryptographic module is used for all encryption-related operations.

Also in previous releases, FIPS encryption was turned on by default. For Adaptive Server 15.7 SP60 it must be explicitly enabled. Client libraries must also enable FIPS to complete the FIPS configuration.

Note: FIPS Certification is not supported for IBM AIX and Linux on POWER platforms.

Certificate Generation

OpenSSL in FIPS mode is strictly controlled by OpenSSL security. This means that some certificates that worked with the Certicom FIPS module may no longer work with OpenSSL. In particular, the MD5 algorithm is not FIPS 140-2 compliant. Old certificates that use this algorithm must be replaced before the FIPS login password encryption parameter can be enabled.

When generating a FIPS compliant certificate, FIPS 140-2 compliant algorithms must be used. Private keys must be in PKCS #8 (pkcs8) format and encrypted with an OpenSSL FIPS 140-2 compliant algorithm. To determine which algorithm is used to encrypt a private key, enter the following command:

openssl asn1parse -in <Encrypted Key Filename> -inform PEM

To convert the key to the proper format use the following command:

openssl pkcs8 -in <Non-FIPS compliant Encrypted Key Filename> -topk8 -out <FIPS compliant Encrypted Key Filename> -v1 PBE-SHA1-3DES
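The asn1parse output shows the private key's password-based encryption (PBE) algorithm as an OBJECT IDENTIFIER inside the PKCS #8 EncryptedPrivateKeyInfo header, and the pkcs8 conversion above rewrites that header so it names PBE-SHA1-3DES. The following script is an added example, not SAP code: it decodes that header directly in Python so a batch of key files can be audited before the FIPS login password encryption parameter is enabled. It recognises the PKCS #8 form, the older OpenSSL "traditional" form (a BEGIN RSA PRIVATE KEY block with Proc-Type/DEK-Info headers, which is not PKCS #8 and so must be converted regardless of cipher), and unencrypted keys. The OID table, the sample keys (placeholder bytes, not real key material) and the rule that only PBE-SHA1-3DES, the algorithm the conversion command produces, counts as acceptable are this example's own assumptions.

```python
"""Audit a PEM private key for the PBE algorithm protecting it (added example, not SAP code)."""
import base64
import re
import sys

# PKCS#5 / PKCS#12 PBE object identifiers, with the short names OpenSSL uses for them.
PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"   # PBE-SHA1-3DES: what `openssl pkcs8 -v1 PBE-SHA1-3DES` writes
PBE_MD5_DES = "1.2.840.113549.1.5.3"        # PBE-MD5-DES: MD5-based, not FIPS 140-2 compliant
PBES2 = "1.2.840.113549.1.5.13"             # PBES2: acceptability depends on the inner KDF and cipher
OID_NAMES = {PBE_SHA1_3DES: "PBE-SHA1-3DES", PBE_MD5_DES: "PBE-MD5-DES", PBES2: "PBES2"}
# Assumption for this example: only the algorithm the page's conversion command produces is accepted.
FIPS_OK = {PBE_SHA1_3DES}


def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # a byte with the high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def inspect_private_key(pem):
    """Return the key format, its PBE algorithm and whether it passes this example's FIPS rule."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":       # PKCS#8 EncryptedPrivateKeyInfo
        der = base64.b64decode("".join(body.split()))
        _, epki, _ = der_read(der)             # SEQUENCE { encryptionAlgorithm, encryptedData }
        _, alg, _ = der_read(epki)             # AlgorithmIdentifier SEQUENCE { OID, parameters }
        _, oid_raw, _ = der_read(alg)          # the OBJECT IDENTIFIER asn1parse displays by name
        oid = decode_oid(oid_raw)
        return {"format": "pkcs8", "oid": oid,
                "algorithm": OID_NAMES.get(oid, "unknown"), "fips_ok": oid in FIPS_OK}
    if "Proc-Type: 4,ENCRYPTED" in body:       # legacy OpenSSL "traditional" encrypted key: not PKCS#8
        cipher = re.search(r"DEK-Info: ([^,\s]+)", body).group(1)
        return {"format": "traditional", "oid": None, "algorithm": cipher, "fips_ok": False}
    fmt = "pkcs8" if label == "PRIVATE KEY" else "traditional"
    return {"format": fmt, "oid": None, "algorithm": "none (unencrypted)", "fips_ok": False}


# --- constructed samples: placeholder bytes, not real key material ----------------------------

def der_tlv(tag, content):
    """Encode one DER TLV (lengths up to 65535 bytes)."""
    n = len(content)
    lenb = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + lenb + content


def encode_oid(dotted):
    """Encode dotted OID notation into OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                        # remaining arc bits go in preceding bytes, high bit set
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def build_pkcs8_sample(oid):
    """Build a PEM EncryptedPrivateKeyInfo with the given PBE OID and dummy ciphertext."""
    params = der_tlv(0x30, der_tlv(0x04, b"\x00" * 8) + der_tlv(0x02, b"\x08\x00"))  # salt, 2048 iterations
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + params)
    epki = der_tlv(0x30, alg + der_tlv(0x04, b"\x00" * 16))
    b64 = base64.encodebytes(epki).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}-----END ENCRYPTED PRIVATE KEY-----\n"


# Constructed legacy-format key header of the kind written by `openssl genrsa -des3`.
TRADITIONAL_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    + base64.encodebytes(b"\x00" * 16).decode()
    + "-----END RSA PRIVATE KEY-----\n"
)


if __name__ == "__main__":
    # Usage: python audit_key.py [key.pem]; with no argument the constructed samples are reported.
    pems = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [
        build_pkcs8_sample(PBE_SHA1_3DES), build_pkcs8_sample(PBE_MD5_DES), TRADITIONAL_SAMPLE]
    for pem in pems:
        print(inspect_private_key(pem))
```

Any key the script reports as "traditional", "PBE-MD5-DES" or "none (unencrypted)" needs the pkcs8 conversion command before the FIPS parameter is enabled; a "PBES2" result needs a look at the nested KDF and cipher with asn1parse, which this example does not decode.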

Digital Signature RSA Encryption Algorithms

If RSA encryption algorithms are used for the digital signature, the RSA key size must be at least 1024 bits.

Cipher Support

The cipher suites supported when configuring FIPS have changed. These are the supported cipher suites for FIPS: