FIPS Compliant Libraries

Does anyone know when or why Apple does not have FIPS 140-1 and 140-2 approved modules and/or algorithms inherent in the OSX framework? The proof that they do not exist is here:
http://www.csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm
The sad thing is even Microsoft is listed for their .NET APIs as having certified cryptographic libraries, much like how Linux relies on OpenSSL libraries. I will go on to further say that one of the reasons why the iPhone is not adopted into the federal and business workspace is this primary reason, because RIM's OS and Microsoft's Pocket PC and CE versions have certified solutions available.
What gives?

Thanks a lot for the reference and timely response!
Do you know of any iPhone apps that have been certified or, better yet, are in the process of being certified? The apps I found, such as eWallet, msecure, Keeper, etc., all say they are using FIPS compliant algorithms, but none of their implementations within their app, i.e. modules, have been certified either.

Similar Messages

  • FIPS-compliant SSL as client in XI 7.0

    Hello experts,
    I am configuring an RFC destination in SM59 to send data to an external system via HTTPS.
    The partner requires FIPS 140 compliant cryptography (which means TLSv1 cipher suites) - or else they deny the SSL request.  Everything I have seen thus far shows SSLv3 as the highest encryption level supported in this scenario.
    Wondering if anyone out there has encountered something similar, and if TLSv1 is supported at all in this sort of integration scenario.
    FYI - SAP XI 7.0 SPS 16,  SAPCRYPTOLIB =  5.5.5.C pl22

    Hi
    Unfortunately, the SAP Cryptographic Module is not FIPS compliant and at the moment there are no immediate plans to make it FIPS compliant.
    If you have any further queries regarding this issue you can contact the SAP Security team directly via the email: security at sap.com.                                                       
    Regards
    Mark

  • System cryptography: Use FIPS compliant cryptographic algorithms, including encryption, hashing and signing algorithms

    Hi,
    I have enabled FIPS compliant algorithms, including encryption, hashing and signing algorithms, in Windows Server 2012 R2. After enabling, my SSIS package is not working and I am not able to open my SSRS also.
    So can anyone assist with this?
    Surendran.G
    Regards, Surendran.G

    Hi,
    In the latest security recommendation guides it is no longer recommended to use this setting (because it breaks a lot of stuff...).
    http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
    Consider turning it off if you do not have strict requirements for it.
    Otherwise, you will have to investigate your code. SQL Server forums would be the appropriate place to get help in troubleshooting your code.
    MCP/MCSA/MCTS/MCITP

  • FIPS. Can you configure a FIPS compliant ASA to reject any non-FIPS Anyconnect connections

    Hi guys, is there any way to automagically refuse any Anyconnect connections to a FIPS compliant ASA if the Anyconnect client is non-FIPS compliant?
    Any help, thoughts or ideas are greatly appreciated as I can't seem to find anything to suggest you can.
    Kind regards
    Paul.

    You enable FIPS compliance for the core AnyConnect Security Mobility Client in the local policy file on the user computer. This file is an XML file containing security settings, and is not deployed by the ASA. The file must be installed manually or deployed to a user computer using an enterprise software deployment system. You must purchase a FIPS license for the ASA the client connects to.
    AnyConnect Local Policy parameters reside in the XML file AnyConnectLocalPolicy.xml. This file is not deployed by the ASA. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.
    You can get more information from following link:-
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/anyconnect24rn.html#wp1028083
    HTH!!
    Regards,
    Naresh

  • FIPS compliant encrypted backup

    Is an encrypted backup from OS X 10.8 on a Time Capsule (2011) FIPS compliant if you have enabled FileVault2 encryption and installed the FIPS cryptography packages from Apple? (http://support.apple.com/kb/HT4603)

  • FIPS Compliant

    Is the software for the Catalyst 4500E FIPS compliant? If so, what is the software version?

    Below is the URL that lists the products that are FIPS, Common Criteria, etc., compliant. I don't see 4500 under FIPS but do see it under CC, which is in progress.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit0900aecd8009a16f.html#fips
    Regards,
    Arul
    ** Please rate helpful posts **

  • Does SunJDK support fips compliant?

    I could see IBM JCE is FIPS compliant. Can we have the same thing for SUN? I would appreciate it if I get the answer as early as possible.
    We are in the process of certifying FIPS compliance.
    Thanks in advance!
    Regards,
    Tamil.

    Thanks a lot for your quick response!
    Here is the snippet .....
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    public class HashKey {
        // Generates a random HmacSHA1 key using the first provider that offers the algorithm.
        public static SecretKey generateSHA1Key() {
            SecretKey skey = null;
            try {
                KeyGenerator keyGen = KeyGenerator.getInstance("HmacSHA1");
                skey = keyGen.generateKey();
            } catch (NoSuchAlgorithmException ex) {
                System.out.println(ex);
            }
            return skey;
        }

        public static void main(String[] args) {
            // check args and get plaintext
            //args[1] = "/work2/tamil/test";
            if (args.length != 1) {
                System.err.println("Usage: java HmacSHA1KeyGenerator filename");
                System.exit(1);
            }
            writeKeyToFile("hmacsha1key", generateSHA1Key());
        }

        // Writes the raw key bytes to the named file.
        public static void writeKeyToFile(String fname, SecretKey key) {
            try {
                File f = new File(fname);
                FileOutputStream fout = new FileOutputStream(f);
                fout.write(key.getEncoded());
                fout.close();
                System.out.println("key written successfully to: " + f.getAbsolutePath());
            } catch (IOException ex) {
                System.out.println(ex);
            }
        }
    }
    Works fine if I use SunJCE or IBMJCE. I am getting an exception when I try to use
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.6=com.ibm.security.jgss.IBMJGSSProvider
    this configuration with IBM JCE ... inside our driver also we are trying to use the same kind of snippet.

  • Problem in using NSS fips mode for SunPKCS11

    Hello,
    I am trying to develop a FIPS compliant application using NSS as security provider for SunPKCS11. But when I was trying to run a simple testing program, I ran into the following problem:
    - If I have the following providers specified in java.security, everything is fine
    security.provider.1=sun.security.pkcs11.SunPKCS11 /var/nss_test/pkcs11.cfg
    security.provider.2=sun.security.provider.Sun
    - If I remove the provider "sun.security.provider.Sun", then the following exception is thrown out:
    Caught exception at ks.load
    java.security.cert.CertificateException: X.509 not found
    at java.security.cert.CertificateFactory.getInstance(Unknown Source)
    at sun.security.pkcs11.P11KeyStore.loadCert(P11KeyStore.java:1193)
    at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2429)
    at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:746)
    at java.security.KeyStore.load(Unknown Source)
    at SimpleTest.main(SimpleTest.java:13)
    Caused by: java.security.NoSuchAlgorithmException: X.509 CertificateFactory not available
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    ... 6 more
    I attached my setup details and testing program in the end.
    Has anyone else also run into this kind of problem? Can someone offer some solutions/suggestions?
    To be FIPS compliant, I think SunPKCS11-NSSfips should be the only security provider available in the system. If having other non-FIPs certified provider such as "sun.security.provider.Sun" in the system, then the FIPS compliance cannot be guaranteed.
    There is a known problem in mapping the JCA keystore interface onto NSS's model of PKCS #11 modules, therefore someone suggested one should use JSS directly, instead of using SunPKCS11. If that is the case/only choice, it would be very disappointing....
    Am I missing something?
    Thanks,
    JL
    =================================
    The setup details and testing program:
    1) The cfg file "/var/nss_testing/pkcs11.cfg"
    name = NSSfips
    nssLibraryDirectory = /usr/lib
    nssSecmodDirectory = /var/nss_test/fips_db
    nssModule = fips
    2) The NSS fips security databases were created using the NSS tools "certutil" and "modutil".
    3) Testing program
    import java.security.*;
    import java.io.*;
    import java.util.*;

    public class SimpleTest {
        public static void main(String[] args) {
            // load keystore
            char[] password = "myfips".toCharArray();
            try {
                KeyStore ks = KeyStore.getInstance("PKCS11");
                ks.load(null, password);
            } catch (Exception e) {
                System.out.println("Caught exception at ks.load");
                e.printStackTrace();
                System.exit(1);
            }
        }
    }

    Hi user598986!
    OK, I understood that there is a problem with your code. But please would you be so kind as to tell us here what error exactly happens (the error message). Maybe after that someone will be able to help you.
    Yours sincerely
    Florian W.
    P.S. If you enclose your code in tags it will be shown formatted.
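
Both Java threads above (the HmacSHA1 key generator under the IBMJCEFIPS provider list, and the missing X.509 CertificateFactory once sun.security.provider.Sun is removed) depend on which registered provider supplies a given service. The following diagnostic is an added example, not code from either poster: it lists the providers in preference order and reports, for each service those posts use, the first provider that offers it. The class name ProviderServiceCheck is hypothetical.

```java
import java.security.Provider;
import java.security.Security;

// Added diagnostic, not from the original posts. The class name is hypothetical.
public class ProviderServiceCheck {

    // Services the posted code depends on, as {type, algorithm} pairs.
    static final String[][] REQUIRED = {
        {"KeyGenerator", "HmacSHA1"},      // HashKey.generateSHA1Key()
        {"KeyStore", "PKCS11"},            // SimpleTest: KeyStore.getInstance("PKCS11")
        {"CertificateFactory", "X.509"},   // requested by P11KeyStore.loadCert (see stack trace)
    };

    // Returns the name of the first provider, in preference order, that offers
    // the service, or null when no registered provider does.
    static String firstProviderFor(String type, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Provider[] providers = Security.getProviders();
        System.out.println("Registered providers, in preference order:");
        for (int i = 0; i < providers.length; i++) {
            System.out.println("  " + (i + 1) + ". " + providers[i].getName());
        }

        boolean missing = false;
        System.out.println("Service lookup:");
        for (String[] svc : REQUIRED) {
            String provider = firstProviderFor(svc[0], svc[1]);
            if (provider == null) {
                // getInstance() for this service would throw NoSuchAlgorithmException
                // (or a wrapping exception) under the current provider list.
                missing = true;
                System.out.println("  " + svc[0] + "." + svc[1] + " -> NOT AVAILABLE");
            } else {
                System.out.println("  " + svc[0] + "." + svc[1] + " -> " + provider);
            }
        }
        // Non-zero exit status when any required service has no provider.
        System.exit(missing ? 2 : 0);
    }
}
```

Run it under the same JRE and java.security file as the failing application, once per provider configuration, and compare which services change provider or disappear.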

  • MBAM 2.5 FIPS Compliance Windows 7 SP1

    The only reference I can find with regards to FIPS and Windows 7 with MBAM is in the planning guide which says
    Supporting BitLocker Protectors -  Numerical password - applied automatically as part of volume encryption and does not need to be configured except in FIPS mode on Windows 7
    So, if I want to use MBAM in a FIPS compliant mode do I just need to enable the use of numerical password?  Or do I also need to make sure that the storage of recovery information is then disabled?
    Thanks

    For Win7, you would enable FIPS via GPO before encrypting, and then make sure you set up a DRA for recovery.

  • Setting FIPS compliance on Windows 2008 R2 RDP

    We have 2 different GPOs for setting FIPS.
    We add Group Policy (under Computer Configuration\Windows Settings\Security Settings\LocalPolicies\Security Options) or through the "FIPS Compliant" setting in Remote Desktop Session Host Configuration.
    This works for RDP in a TEST OU.
    FIPS compliance can be configured through the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) or through the "FIPS Compliant" setting in Remote Desktop Session Host Configuration. The FIPS Compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers require the highest level of encryption. If FIPS compliance is already enabled through the Group Policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting, that setting overrides the encryption level specified in this Group Policy setting or in the Remote Desktop Session Host Configuration tool.
    But we have a legacy GPO that sets the RDP to HIGH encryption. It overwrites the FIPS Compliant for RDP, and RDP is only HIGH encryption.

    Install nmap, then go to this link:
    http://nmap.org/svn/scripts/rdp-enum-encryption.nse
    Copy the script and run from DOS.
    Example:
    nmap -p 3389 --script rdp-enum-encryption <ip>
    Replace <ip> with your server IP or DNS name. Script will display the encryption level.
    Example of script output:
    PORT     STATE SERVICE
    3389/tcp open  ms-wbt-server
    | rdp-enum-encryption:
    |   Security layer
    |     CredSSP: SUCCESS
    |     Native RDP: SUCCESS
    |     SSL: SUCCESS
    |   RDP Encryption level: High
    |     128-bit RC4: SUCCESS
    |_    FIPS 140-1: SUCCESS
    Thanks,
    MikeV
    MCSE 2012

  • Steps to enable FIPS mode

    I have been looking around for good SUN documentation on enabling Java in FIPS mode.
    The below link is not satisfactory to get going and enable FIPS mode.
    http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/FIPS.html
    Can anybody share detailed documentation or steps to enable Java in FIPS mode?
    Thanks,
    Edited by: Sanj_M on Feb 2, 2010 1:35 AM

    1. How do I get a FIPS compliant provider.
    From a FIPS-compliant JCE provider vendor.
    2. The doc mentions two options to configure the provider
    Where will JSSE look for the configured provider.
    I believe it is jre/lib/ext but the vendor will tell you.
    3. How to test my application for FIPS compliance
    Well you could try to do any of the things described in the document you derided, such as enabling SSLv3 or a non-compliant protocol, and ensure that exceptions are thrown. However it is up to the vendor to provide you with a compliance certificate - this isn't something you need to test.

  • This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

    Hi Guys,
    I am just going to jump right into it.
    We are using Kaseya for our IT management and with this we have the acronis backup system.
    On one of the servers (Main DC) we are getting the error below.
    The Server runs Windows Server 2008 R2 Standard.
    Backup failed - Backup process could not start because of the following error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
    at System.Security.Cryptography.SHA256Managed..ctor()
    at SHAHashing.SHAHashing.CalculateSHA256(String text)
    at SHAHashing.SHAHashing.HashAndUnmask(String encryptedText, String keyMaskString)
    at KaseyaBackupCmd.KaseyaBackupCmd.GetUnmaskedPassword(String user, String coverPass, VSAEncryptionAlgorithm encryptionType)
    at KaseyaBackupCmd.KaseyaBackupCmd.DetermineNetworkPasswordToUse(String user, String coverPass, VSAEncryptionAlgorithm encryptionType, String acronisEncryptPath, String kaseyaTempDirectory, String& passwordToUse, NetworkPasswordType& passwordType)
    at KaseyaBackupCmd.KaseyaBackupCmd.RunVolumeBackup()
    at KaseyaBackupCmd.Program.Run(String[] args)
    We have no idea how to fix this. We looked at multiple articles regarding changing the registry and the web.config file etc. but we cannot seem to resolve it.
    Regards

    On Thu, 26 Jun 2014 07:39:56 +0000, Johan Eckart Yzelle wrote:
    I checked the GPO and System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing is disabled however MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy is set to 1.
    How do I change the registry under windows settings > security settings > local policies > security options?
    Enable it, run gpupdate /force, confirm that the value is still 1, disable it, run gpupdate /force and then confirm that it is now set to 0.
    Paul Adare - FIM CM MVP
    Being a social outcast helps you stay concentrated on the really important
    things, like thinking and hacking. -- Eric Raymond

  • FIPS mode: only SunJSSE TrustManagers may be used

    Hi,
    I want to use a custom trust manager that accepts self-signed certificates as valid, and delegates to the SunJSSE TrustManager for other certificates. I also want to use SunJSSE's experimental FIPS mode with SunPKCS11-NSS provider.
    I cannot do both, since in the FIPS mode, the SunJSSE requires that only its internal TrustManager be used. Why is this required?
    Is there any alternative for this? I want to make sure the self-signed certificates are accepted.
    Thanks,
    Shyamal

    I cannot do both, since in the FIPS mode, the SunJSSE requires that only its internal TrustManager be used. Why is this required?
    Because self-signed certificates aren't FIPS-compliant?
    I don't know about FIPS mode but in the ordinary case you don't need a custom TrustManager to accept a self-signed certificate. You just need it in your truststore.

  • Anyconnect for OSX disconnects with FIPS warning

    Hi, I've recently set up an IOS based SSL VPN on a 1900 series router.  When I log in with the Windows client (ver 3.1.04066), I have no issues.  When I log in with the OSX client (ver 3.1.04066) I get an error about the endpoint not being FIPS compliant, at which point it drops the VPN connection.
    Any help here would be appreciated.

    I sorted it out.  There appears to be an issue with the 3.1.04066 OSX client.  I downgraded to 3.1.04063 and everything works just fine.

  • Lync FIPS 140-2 encryption for Data in Transit Certificate?

    I work for an organization that has deployed Lync 2013 throughout the enterprise.
    We have no need for “Data at Rest” encryption on the servers or clients at this time, but we do have a customer requirement for FIPS 140-2 encryption for “Data in Transit”? Does Lync provide data in transit encryption utilizing one of the National Institute of Standards and Technology (NIST) approved modules by default? If so, have all the traffic types been “Certified” compliant (i.e. Server-to-Server, Client-to-Server, IM, Audio, Video, Desktop Sharing, web conferencing, etc…)?
    I’ve read all the technet articles and looked at the following links, but it is not clear to me.
    I cannot find the certification number and certificate for the FIPS 140-2 validation for Lync's encryption module on either the Microsoft or NIST websites.
    http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
    https://technet.microsoft.com/en-us/library/security/cc750357.aspx

    Lync Server 2013 and Microsoft Exchange Server 2010 Service Pack 1 (SP1) operate with support for Federal Information Processing Standard (FIPS) 140-2 algorithms if the Windows Server 2008 R2 operating systems are configured to use the FIPS 140-2 algorithms for system cryptography. To implement FIPS support, you must configure each server running Lync Server 2013 to support it. For details about FIPS-compliant algorithms and how to implement FIPS support, see Microsoft Knowledge Base article 811833, "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting in Windows XP and in later versions of Windows" at http://go.microsoft.com/fwlink/p/?linkid=3052&kbid=811833. For details about FIPS 140-2 support and limitations in Exchange 2010, see "Exchange 2010 SP1 and Support for FIPS Compliant Algorithms" at http://go.microsoft.com/fwlink/p/?linkId=205335.
    For more information on FIPS in Lync Server 2013:
    http://technet.microsoft.com/en-us/library/jj205114.aspx
    http://technet.microsoft.com/en-us/library/jj205084.aspx
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". Regards, Edwin Anthony Joseph
