You can enable or disable FIPS from either:
EAServer Manager or the standalone Security Manager—“Enabling FIPS mode from EAServer Manager and Security Manager”, or
jagtool, which is a Java command line management toolkit used in EAServer. jagtool provides a command to enable FIPS. See “FIPS-related jagtool commands”.
If FIPS mode is enabled, EAServer logs the message FIPS 140-2 mode enabled to the console. If the mode is not set, no message is logged.
Enabling FIPS has the following effect on EAServer:
Permits only the TLS protocol in the SSL/TLS runtime engine.
Permits the use of cipher suites and security characteristics listed in Table 9-2.
Accepts X.509 certificates signed using a SHA1WithRsa algorithm. Certificates signed with any other algorithm are not accepted and generate an error.
Other cryptographic functionality that normally employs a non-FIPS-approved algorithm now fails. For example, a PKCS #12 certificate containing a private key shrouded (signed) with a pbeWithSHA1And40bitRc4 algorithm fails to import, since RC4 is not a FIPS 140-2-approved algorithm. The private and public keys must be shrouded using pbeWithSHA1And3KeyTripleDescbc.
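As an added example that is not part of this Sybase documentation or of EAServer itself, the following Python check inspects a DER-encoded certificate's outer signatureAlgorithm before import and reports whether a FIPS-mode EAServer would accept it, since the server accepts only SHA1WithRsa-signed certificates. The OID for sha1WithRSAEncryption (1.2.840.113549.1.1.5) is taken from PKCS #1, not from this page, and the certificate bytes are a constructed skeleton rather than a real certificate.

```python
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption (assumed from PKCS #1, not from this page)

def read_tlv(buf, pos):
    """Decode one DER TLV starting at pos; return (tag, content_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128 arcs, high bit means continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm (the outer one, after tbsCertificate)."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)                       # tbsCertificate: skipped
    tag, alg, _ = read_tlv(body, pos)                   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)

def fips_mode_accepts(cert_der):
    """True only for certificates a FIPS-mode EAServer accepts per the documentation."""
    return signature_algorithm(cert_der) == SHA1_WITH_RSA

def sample_cert(alg_oid):
    """Constructed skeleton Certificate (NOT a real certificate): stub tbsCertificate,
    an AlgorithmIdentifier with the given OID bytes, and a stub BIT STRING signature."""
    tbs = b"\x30\x02\x05\x00"
    alg = b"\x30" + bytes([len(alg_oid) + 4]) + b"\x06" + bytes([len(alg_oid)]) + alg_oid + b"\x05\x00"
    sig = b"\x03\x02\x00\xff"
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA_OID_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11, rejected in FIPS mode

if __name__ == "__main__":
    for name, oid in (("sha1WithRSA", SHA1_RSA_OID_DER), ("sha256WithRSA", SHA256_RSA_OID_DER)):
        print(name, "accepted" if fips_mode_accepts(sample_cert(oid)) else "rejected")
```

Running the same check over a real DER certificate exported from the server's keystore tells you before import whether FIPS mode will reject it.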
Copyright © 2005. Sybase Inc. All rights reserved.