Is PhoneFactor compliant with FIPS 140-2 Security Level 1?
Hi, I'm looking for a "hard token" two-factor authentication solution for a medical application. I have a firm external requirement that the hard token used must "meet FIPS 140-2 Security Level 1 for cryptographic devices."
Given that a cell phone is not a cryptographic device, per se, can I assume that use of PhoneFactor would not meet this requirement? Or would it?
Thanks,
-Dennis
Windows Azure Multi-Factor Authentication (formerly PhoneFactor) has not been FIPS 140-2 certified because FIPS 140-2 doesn't apply to the solution.
Has there been any updates on expanding Azure and getting it FIPS 140-2 certified?
Similar Messages
-
SunJCE compliant to FIPS-140-2 standard or not?
Hi Folks,
I am using encryption/ decryption (DES and AES) in my project .
For that I am using javax.crypto and javax.crypto.spec package and the security provider used is SUNJCE.
Please let me know whether JDK is compliant to the FIPS 140-2 standard or not. If it is compliant , also let me know from which version of JDK onwards it will compliant to that standard.
Look forward your reply soon.
Thanks
R.RavikumarHi ,
Thanks for your immediate response. I really appriciate that.
I search in the google and found that IBM's versions of JSSE and JCE have been FIPS 140-2 certified, and are FIPS 140-2 compliant.
I can see the same in the below link
http://csrc.nist.gov/cryptval/140-1/1401vend.htm
And I didn't see the SunJCE in the above link and it seems that Sun's versions of JSSE and JCE are not FIPS 140-2 cmpliant.
Also I see the link which you have pointed out in the earlier, it seems JCE of JDK1.6 is compliant to FIPS 140-2.
I am really confused, Please let me know your thoughts on that.
Look forward your response.
Thanks
R.Ravikumar -
Help with asp ... security levels
I made a change to the security level for the end user. i add
a security feature by adding 12345 to their security level.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
'check to see if the page is submitted
Dim validLogin
Dim strErrorMessage
Dim intLevel
Dim sLevel
If (Request.Form("uname")<>"") Then
'user has submitted the form
'get the entered values and hit the database
Dim strUserName
Dim strPassword
'going to use an implicit connection, no connection object
needed
Dim objRS
strUserName = UCase(Request.Form("uname"))
strPassword = UCase(Request.Form("pwd"))
response.write("strUserName")
'prepare the RS
Set objRS = Server.CreateObject("ADODB.Recordset")
'set the sql statement
objRS.Source = "SELECT * FROM tblEmployee WHERE
strEmpUserName = '" & strUserName & "' AND strEmpPassword =
'" & strPassword & "'"
' heres the implicit connection
objRS.ActiveConnection =
"Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=c:\Inetpub\db\IMPCustomers.mdb"
objRS.CursorType = 0
objRS.CursorLocation = 3
objRS.Open
'check for EOF
If(objRS.EOF) Then
'no records matched, invalid login
Response.Redirect("invalidLogin.asp")
'strErrorMessage = "Invalid Login. Try Again."
validLogin = false
Else
'added intLevel to add more security on 3/29/07
intLevel = Cint(objRS("intEmpSecurityLevel"))
intLevel = intLevel + 12345
sLevel = intLevel
'valid login, set session variables
Session("username") = UCase(strUserName)
Session("userpass") = UCase(strPassword)
Session("sLevel") = sLevel
'Session("sLevel") = objRS("intEmpSecurityLevel") - changed
to add more security on 3/29/07
Session("fn") = objRS("strEmpFN")
'release the RS
Set objRS.ActiveConnection = Nothing
Set objRS = nothing
'redirect off this page
Response.Redirect("custSearch.asp")
End If
End If
%>
I'm now having trouble removing the 12345 from their security
level in the custSearch.asp.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
Dim strUserName
Dim strPassword
Dim intSLevel
Dim isum
Dim intS
Dim intNewSLevel
Dim sLevel
Dim strFN
Dim strErrorMessage
Dim strError
'get pass parameters
strUserName = Session("username")
strPassword = Session("userpass")
intSLevel = Session("sLevel")
'add on 3/29/07 for security
'get the security level
isum = sLevel
'take isum which contains sLevel and subtract 12345 from it
isum = isum - 12345
'now intS equals security level in the db
intS = isum
'put into a session
Session("intS") = intS
strFN = Session("fn")
strErrorMessage = ("strError")
'If strErrorMessage = "" Then
'strError = "There is no customer with that last name."
'End If
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<title>Employee Intranet - Customer Database, Search
for a particular customer.</title>
<meta http-equiv="content-type" content="text/html;
charset=utf-8" />
<link rel="stylesheet" type="text/css"
href="../css/pop_style.css" />
<link rel="stylesheet" type="text/css"
href="../css/forms.css" />
<style type="text/css">
/* HMTL selectors start here */
h2 {
margin-bottom:15px;
p {
margin-bottom:20px;
hr {
border:thin;
border-color:#CCCCCC;
border-style:dotted;
width:100%;
text-align:center;
table {
width:300;
align:center;
cellpadding:2px;
cellspacing:2px;
margin-left:30%;
td {
font-size:14px;
font-style:normal;
font-weight:normal;
border:0;
padding:0;
/* HMTL selectors start here */
/* ID selectors start */
#mainText {
height:400px;
font-family:Arial, Helvetica, sans-serif;
font-size:14px;
text-align:left;
margin-left:1%;
margin-right:1%;
padding: 10px 5px;
word-spacing:1px;
letter-spacing:1px;
/* id ends here */
</style>
<script language="JavaScript" type="text/JavaScript">
<!-- function MM_reloadPage(init) { //reloads the window
if Nav4 resized if (init==true) with (navigator) {if
((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight;
onresize=MM_reloadPage; }} else if (innerWidth!=document.MM_pgW ||
innerHeight!=document.MM_pgH) location.reload(); }
MM_reloadPage(true); //-->
</script>
</head>
<body>
<!-- CASCADING POPUP MENUS v5.2 by Angus Turnbill
http://www.twinhelix.com -->
<script language="javascript" type="text/javascript"
src="../js/pop_core.js"></script>
<script language="javascript" type="text/javascript"
src="../js/pop_data.js"></script>
<!-- border begins here -->
<div id="border">
<!-- second nav start here -->
<div id="secNavBar"><a
href="../index.htm">Home</a> | <a
href="../htm/quality.htm">Quality</a>
| <a href="../htm/contactUs.htm">Contact
Us</a> | <a
href="../htm/siteMap.htm"> Site
Map</a></div>
<!-- logo starts here -->
<div id="logo">
<img src="../art/NewLogo.jpg" alt="Logo of IMPulse NC,
INC." usemap="#Map" />
<map name="Map" id="Map">
<area shape="rect" coords="5,3,280,74"
href="../index.htm" alt="Return to home page" />
</map>
</div>
<!-- primary navigation div tags starts here -->
<div id="priNav">
<a id="home" name="home"
style="visibility:hidden;">Home</a>
<!-- primary navigation div tags ends here -->
</div>
<!-- main text starts here -->
<div id="mainText">
<h2>Customer Database </h2>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Welcome
<%=strFN%></p>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Please
search for a customer by using the fields below. You can use one
field or multiple fields for your search.</p>
<!-- signIn form starts here -->
<div id="signIn">
<div id="CSearch">
<table>
<form action="results.asp" method="post" name="search"
id="search">
<tr>
<td width="98" height="29">Last Name:</td>
<td width="150" tabindex="1"><input type="text"
name="clname" size="25" maxlength="25" /></td>
</tr>
<tr>
<td height="30">First Name:</td>
<td tabindex="2"><input type="text" size="25"
maxlength="25" name="cfname" /></td>
</tr>
<tr>
<td height="30">Company:</td>
<td tabindex="3"><input type="text" size="25"
maxlength="25" name="ccomp" /></td>
</tr>
<tr>
<td height="48" colspan="2" tabindex="4">
<input type="submit" name="login" value="Submit" />
<input type="reset" name="Reset" value="Reset" />
<a href="logOut.asp">
<input type="button" name="logOut" value="Log Out" />
</a> </td>
</tr>
</form>
</table>
<!-- customer search form ends here -->
</div>
<blockquote> </blockquote>
<!-- signIn form ends here -->
</div>
<!-- main text ends here -->
</div>
<div id="btm_Bar">
100 IMPulse Way • Mount Olive, North Carolina 28365
• Main (919) 658-2200 • Fax (919) 658-2268<br />
©2006 IMPulse NC, Inc. All Rights Reserved. </div>
</div>
<script language="javascript" type="text/javascript"
src="../js/pop_events.js"></script>
<!-- Places text blinker in the uname text box thru
javascript -->
<script language="javascript" type="text/javascript">
document.search.clname.focus();
</script>
<!-- javascript ends here -->
<%
Response.Write(Session("username")) & "<br />"
Response.Write(Session("userpass")) & "<br />"
Response.Write(Session("sLevel")) & "<br />"
Response.Write(Session("intS")) & "<br />"
%>
</body>
</html>
What am I doing wrong?"pqer" <[email protected]> wrote in message
news:eugsik$kt5$[email protected]..
> What am I doing wrong?
1. You're allowing unfiltered user input into your SQL query.
I could do
some horrible damage to your system.
2. You have SELECT * in your query.
3. You're doing something that doesn't make any sense. Why
add a constant
to the security level just to subtract it again when you
actually want to
use it? You're just making more work for yourself. There is
no benefit
there. -
Error when installing certificate - FIPS-140 compliance.
Hi,
I am having an issue installing a certificate on my LaserJet M750 printer. The error is: "The cryptographic algorithms used in the ID or CA certificate do not comply with FIPS-140."
We can recreate the issue by:
converting cert and key to pfx
selecting "Networking"
login
selecting "Certificates"
selecting "Configure under Jetdirect Certificate".
selecting "Import Certificate and Private Key".
selecting "Browse" and choosing converted pfx file.
provide password and select finish.
Any help is greatly appreciated. I can provide more information if necessary.
Thanks!
BLIf your phone doesn't work (can't turn on), try a hard reset.Turn off your phone. Press and hold three keys together, the green, the * key, and the number 3.Then turn on your phone and don't let the keys before you see the nokia hands logo (or the formatting screen).
If you want to thank someone, just click on the blue star at the bottom of their post -
SafeGuard PrivateDisk FIPS 140-2 compliant?
Hello. Got a new client that needs a laptop that complies with FIPS 140-2. It appears that SafeGuard Easy has indeed been awarded the necessary validation but I can't figure out if Thinkvantage's PrivateDisk is compliant as well.
Is there a ThinkPad (with or without ThinkVantage) available that utilizies certified 140-2 encryption?
ThanksI believe that the UC500 itself is not certified, but all the components that make it (IOS, IPSEC, encrypted voice, etc) are there and are certified.
http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html -
Changing Default Security Levels
I have several Windows 7 Enterprise machines that have already been deployed via image and need to lower the security settings for use on internal web based applications.
Is there an easy way to manipulate the configuration (a file) so that I may simply make the changes by overwriting the current configuration settings instead of, having to go to each device, opening the Java console, and changing the security settings that way?
I have attempted to login as the machine administration, make the changes on the Java console with the hopes this configuration would have migrated to all user profiles that log into the PC. Is there a "public profile" configuration file I can change and if so, what should I do.
Thank you in advance for the assistanceCreate a "deployment.properties" file with the line "deployment.security.level=HIGH" (or what ever level you need that is supported by your version of Java) and save it in "C:/Windows/Sun/Java/Deployment/" (assuming windows client device).
More in depth info found below:
Deployment Configuration File and Properties -
Java 8 64 bit on Windows with NSS for FIPS 140 compliance
I have asked this question on Stackoverflow but I am beginning to think that this may be a better forum to ask.
According to JEP 131, Java 8 should provide a PKCS#11 Crypto provider for 64 bit Windows: https://blogs.oracle.com/mullan/entry/jep_131_pkcs_11_crypto.
With that in mind, I downloaded and built both 32 and 64 bit versions of NSS with NSPR using these instructions: https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing
I downloaded Java 8 for Windows 64 build b118, configured the java.security file and created a nss.cfg file:
Excerpt from java.security file:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.pkcs11.SunPKCS11 /devel/nss.cfg
From my nss.cfg file:
# Use NSS as a FIPS-140 compliant cryptographic token
# SunPKCS11-NSS
name = NSS
#32 bit
#nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_DBG.OBJ\lib
#64 bit
nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_64_DBG.OBJ\lib
#non FIPS
#nssDbMode = noDb
#attributes = compatibility
#FIPS
nssSecmodDirectory = c:\devel\fipsdb
nssModule = fips
I ran the test suite that comes with NSS and it looks like all of the encryption/decryption tests passed (did have some issues with the tests that required hostname/domainname but that has to do with the Windows environment).
So here is the problem. I run my test encryption app on Java 7 32 bit with the 32 bit version of NSS and everything works great. When I attempt to run Java 8 64 bit with 64 bit NSS I get the following error:
java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getIndex(Unknown Source)
at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at java.security.Security.getProvider(Unknown Source)
at sun.security.ssl.SunJSSE.<init>(Unknown Source)
at sun.security.ssl.SunJSSE.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
at Main.main(Main.java:24)
Caused by: java.io.IOException: %1 is not a valid Win32 application.
at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
... 36 more
Has JEP 131 been implemented with Windows/Java 64 bit as of b119? If so has it been verified to work with NSS or should I submit a bug report? I did download the code and the error is occurring in the following block of code at the line in bold (also with the arrow by it):
public synchronized void initialize(DbMode dbMode, String configDir,
String nssLibDir, boolean nssOptimizeSpace) throws IOException {
if (isInitialized()) {
throw new IOException("NSS is already initialized");
if (dbMode == null) {
throw new NullPointerException();
if ((dbMode != DbMode.NO_DB) && (configDir == null)) {
throw new NullPointerException();
String platformLibName = System.mapLibraryName("nss3");
String platformPath;
if (nssLibDir == null) {
platformPath = platformLibName;
} else {
File base = new File(nssLibDir);
if (base.isDirectory() == false) {
throw new IOException("nssLibDir must be a directory:" + nssLibDir);
File platformFile = new File(base, platformLibName);
if (platformFile.isFile() == false) {
throw new FileNotFoundException(platformFile.getPath());
platformPath = platformFile.getPath();
if (configDir != null) {
File configBase = new File(configDir);
if (configBase.isDirectory() == false ) {
throw new IOException("configDir must be a directory: " + configDir);
File secmodFile = new File(configBase, "secmod.db");
if (secmodFile.isFile() == false) {
throw new FileNotFoundException(secmodFile.getPath());
if (DEBUG) System.out.println("lib: " + platformPath);
---> nssHandle = nssLoadLibrary(platformPath);
if (DEBUG) System.out.println("handle: " + nssHandle);
fetchVersions();
if (supported == false) {
throw new IOException
("The specified version of NSS is incompatible, "
+ "3.7 or later required");
if (DEBUG) System.out.println("dir: " + configDir);
boolean initok = nssInitialize(dbMode.functionName, nssHandle,
configDir, nssOptimizeSpace);
if (DEBUG) System.out.println("init: " + initok);
if (initok == false) {
throw new IOException("NSS initialization failed");
this.configDir = configDir;
this.nssLibDir = nssLibDir;
Any help or advise about filing a bug report would be appreciated.
Thanks,Had a few similar short system freezes, after installing Windows 8 x64 on 13” MacBook Pro Mid-2010 with BootCamp 5.0.5033.
There is a suggestion that DisableDynamicTick may fix the problem: https://discussions.apple.com/message/21565295#21565295. There were similar topics at Microsoft forums: 1, 2, 3. It was said “that this will likely reduce system battery life, so it should be undone when you update your Windows build or if it doesn't resolve your issue”, and that “this problem is resolved in the release versions of Windows 8”.
Another possibility is that there is indeed a buggy driver, within BootCamp 5.0.5033, or a 3rd party, like a wireless network driver in the following case http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/system-fr eeze-randomly-after-installing-windows-8/49488183-26cf-4389-af21-a85dc366c99a?pa ge=2#LastReply.
The problem has been noticeable on my MacBook, but not annoying enough yet to spend time troubleshooting. If you find a robust solution, using the links above or other method, it would be interesting to know.
HTH -
Are JSSE or JCE FIPS 140 compliant ?
I have looked throught as much documentation as I can handle trying to find out if these packages are FIPS 140 compliant. I cannot find anything. I have looked at the web page http://csrc.nist.gov/cryptval/140-1/140val-all.htm and do not see anything from Sun as being approved. This is unfortunate and suprising to me that Sun has not put their own code through the approval process. Therefore I am unable to use the JSSE and JCE, and must use RSA BSAFE, which costs a fortune.
Can anyone shed some light on this topic.
...Thank you.
MarkI looked into this issue extensively last fall as we have a requirement
to use a NIST certified encryption algorithm. At that time, the
descriptions of Cert#s 247 & 248 in the table at
http://csrc.nist.gov/cryptval/140-1/140val-all.htm looked very
different. In fact, a reference to
http://www.mozilla.org/projects/security/pki/nss/ appeared in the
description as a means of obtaining a copy of NSS. I downloaded a
version of NSS and attempted to use it (along with the JSS package
also available at the mozilla site). After experimenting with NSS and
JSS for some time, I just could not get it to work (can't recall now
exactly what the issues were at that time).
We abandoned the NSS approach with the expectation of obtaining a
temporary exemption of this requirement; however, this requirement has
now come full circle and is back on my plate. If we have to purchase
a third-party tool, so be it; however, it would sure be nice to hear
from the source exactly what, if anything, is occurring with regards
to NIST certification. Thanks.
-Mark
I have looked throught as much documentation as I can
handle trying to find out if these packages are FIPS
140 compliant. I cannot find anything. I have looked
at the web page
http://csrc.nist.gov/cryptval/140-1/140val-all.htm and
do not see anything from Sun as being approved. This
is unfortunate and suprising to me that Sun has not
put their own code through the approval process.
Therefore I am unable to use the JSSE and JCE, and
must use RSA BSAFE, which costs a fortune.
Can anyone shed some light on this topic.
...Thank you.
Mark -
Is the UC560 FIPS 140-2 compliant?
I have a DoD office looking to go VoIP but according to DoD it must meet FIPS 140-2 requirements:
4.1.2.1. Encrypting unclassified voice is
desirable; voice packets across an
Internet protocol (e.g., VoIP) shall use encryp
tion that is validated as meeting FIPS 140-2
requirements.I believe that the UC500 itself is not certified, but all the components that make it (IOS, IPSEC, encrypted voice, etc) are there and are certified.
http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html -
FIPS 140-1 and FIPS 140-2 cryptographic module certification
Has Apple submitted its 128-bit AES encryption module to the Cryptographic Standards and Validation Programs at NIST for certification? If so, and even if under another vendor's name, has it been certified and thus could I have the validation certificate # and module name?
I work for a Federal agency that requires that on-disk encryption of protected information be done so with a FIPS 140 certified module in FIPS 140-compliant operation. I fear having to stop using my Macintoshes and having to switch to Windows XP in order to comply.Hi, Courtney. Welcome to the Discussions.
See Apple's "IT Pro - Government" page. If you don't find what you need there, there's a link to e-mail the Apple Federal Security Team re: FIPS 140-2.
Good luck!
Dr. Smoke
Author: Troubleshooting Mac® OS X -
Does anybody have experience with this security standard? We have a combination of mobile vehicles and fixed sites on a test grid. All are using either BR350's or WGB350's. We have 3 towers with one tower accessing the post LAN. All towers are using BR350's set up in root mode. The backbone between the towers are using Proxim QuickBridge 60's (1400 series were not available at the time).
We are planning on setting up more grids in the future, but need to comply with the FIPS 140-2 standard. Any DOD expertise out there?
Thanks
TomThe only wireless-specific products I'm aware of are Fortress technology's AirFortress (which the army is using) and Cranite Sysems WirelessWall (which West Point is using. As far as I know those are AP to client solutions.
For you situation yu may want to you a VPN concentrator and a site-to-site VPN. See this link for current Cisco gear that is FIPS-140:
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/networking_solutions_audience_business_benefit0900aecd8009a16f.html#fips -
NSS FIPS 140-2 encryption for Glassfish App Server on Windows
We would like to configure Java such that our web service communications will be encrypted in a manner that is FIPS 140-2 compliant.
I see here that Sun has achieved success in compliance testing in conjunction with the NSS libraries from Mozilla:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#814
I found Andrea's excellent blog which took me through steps in setting up the ..\jre\lib\security\java.security file and in setting up the nss.cfg file:
http://blogs.sun.com/andreas/entry/elliptic_curve_cryptography_in_java
However, when I go to the download of Mozilla \ NSS the latest releases only provide the C code tar bundles. The latest release that provided the binaries for Windows was 3.11 and that was for Windows NT.
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_RTM/
I was therefore hoping that someone might have a step-by-step such that I could create these binaries for Windows XP and Windows Vista. Or even better someone might know of a site where I could download them.
Other information: Our installation of Glassfish also has Metro installed.
Thanks for any help or advice.Again you are a winner!
I found certutil and modutil under C:\Mozilla\nss-3.12.4-with-nspr-4.8\mozilla\dist\WINNT5.1_DBG.OBJ\bin and the -N -d . was exactly what I needed.
I found this blog: http://blogs.sun.com/arnabold/entry/jks_nss_and_glassfish It is a little dated but I need to somehow get Glassfish start-up to recognize my keystore as FIPS.
The error that I am seeing when I attempt to start GlassfishV2.1 from Netbeans is:
CORE5076: Using [Java HotSpot(TM) Client VM, Version 1.6.0_13] from [Sun Microsystems Inc.]
Using MQ RA for Broker lifecycle control
SEC1002: Security Manager is OFF.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
Caused by: java.lang.ExceptionInInitializerError
at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:262)
at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:103)
at com.sun.enterprise.server.PEMain.run(PEMain.java:399)
at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
... 5 more
Caused by: java.lang.IllegalStateException: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS
at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
... 10 more
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:44)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at com.sun.enterprise.security.SSLUtils.initKeyManagers(SSLUtils.java:320)
at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:106)
... 10 more
I am hoping perhaps someone can tell me how to overcome this one, or point me to a blog that would provide instructions.
Thanks again for your help. -
Lync FIPS 140-2 encryption for Data in Transit Certificate?
I work for an organization that has deployed Lync 2013 throughout the enterprise.
We have no need for “Data at Rest” encryption on the servers or clients at this time, but we do have a customer requirement for FIPS 140-2 encryption for “Data in Transit”? Does Lync provide data in transit encryption utilizing one of the National
Institute of Standards and Technology (NIST) approved modules by default? If so, have all the traffic types been “Certified” compliant (i.e. Server-to-Server, Client-to-Server, IM, Audio, Video, Desktop Sharing, web conferencing, etc…)?
I’ve read all the technet articles and looked at the following links, but it is not clear to me.
I cannot find the certification number and certificate for the FIPS 140-2 validation for Lync's encryption module on either the Microsoft or NIST websites.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
https://technet.microsoft.com/en-us/library/security/cc750357.aspxLync Server 2013 and Microsoft Exchange Server 2010 Service Pack 1 (SP1) operate with support for Federal Information Processing Standard (FIPS) 140-2 algorithms if the Windows Server 2008 R2 operating systems
are configured to use the FIPS 140-2 algorithms for system cryptography. To implement
FIPS support, you must configure each server running Lync Server 2013 to support it. For details about
FIPS-compliant algorithms and how to implement
FIPS support, see Microsoft Knowledge Base article 811833, "System cryptography: Use
FIPS compliant algorithms for encryption, hashing, and signing security setting in Windows XP and in later versions of Windows at
<linktext xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">http://go.microsoft.com/fwlink/p/?linkid=3052&kbid=811833</linktext>. For details about
FIPS 140-2 support and limitations in Exchange 2010, see "Exchange 2010 SP1 and Support for
FIPS Compliant Algorithms" at
<linktext xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">http://go.microsoft.com/fwlink/p/?linkId=205335</linktext>.
For More information on FIPS in Lync server 2013
http://technet.microsoft.com/en-us/library/jj205114.aspx
http://technet.microsoft.com/en-us/library/jj205084.aspx
Please remember, if you see a post that helped you please click ;Vote As Helpful" and if it answered your question please click "Mark As Answer" Regards Edwin Anthony Joseph -
Is DBMS_CRYPTO FIPS 140-2 certified?
Sadly, I think that the answer is no. I am hoping someone more knowledgeable can contradict me. This link describes the Oracle Database FIPS certification status.
http://www.oracle.com/technology/deploy/security/seceval/oracle-fips140-validations.html.
This is the linked to certificate which applies to Oracle Cryptographic Libraries for SSL.
http://www.oracle.com/technology/deploy/security/seceval/pdf/140crt861.pdf
I have found nothing that includes DBMS_CRYPTO under Oracle Cryptographic Libraries for SSL. This link might imply that it is not, but I am unclear what might apply to DBMS_CRYPTO.
http://www.oracle.com/technology/deploy/security/as_security/sslfipsfaq_r1.html
Is Oracle Advanced Security’s SSL adapter also included in this FIPS evaluation?
No. Oracle SSL libraries that is only included in Oracle Application Server 10g (9.0.4) alone has received this FIPS 140-2 certification. We are considering evaluation of the Oracle SSL libraries included in the Oracle Database at the earliest.
So in summary, it appears that Oracle has gone through the work to certify the Java libraries, but not the PL/SQL library.
TIA
Edited by: rmonical on May 26, 2009 4:12 PMThe best source of Oracle online documentation is http://tahiti.oracle.com.
If you go there and search, I did it under 10gR2, for "FIPS" you will find a tremendous amount of material with respect to the Oracle Database and FIPS.
And unless I misunderstand your question you are totally incorrect.
The Oracle database is in full compliance with FIPS 127-2. -
I work for a court reporting firm, small business. We deal with real time steongraphy and utilize a wireless network in the courtroom to send the feed. We've recently been asked to provide a FIPS 140-2 validated network (providing the NIST valdiated cryptographic module utilized) for this service. It seems that most routers that provide this on the market are very expensive. Any advice on which routers could provide this at the most moderate price? Feeds are usually connected by less than 10 laptops in an open air room, no need for a large coverage range.
Hi and welcome to the forum!
From all the material I have read you cannot change the password storage mechanism for Oracle. You can see the FIPS feature availability by looking through the Advanced Security Guide for your version at http://tahiti.oracle.com
Maybe you are looking for
-
Two objects claim ownership of UID: U3615 Class: Text Frame
Hi guys, since i updated today i can't save my project file anymore. Getting an error when i try to save saying: Two objects claim ownership of UID: U3615 Class: Text Frame Is there a way to fix it or did i lose all my progress from today? That would
-
DAC configuration problem.
I am trying to configure DAC to connect but am receiving an error. I have installed: Oracle db 11gR1 OBIEE 10.1.3.4 informatica 8.6.0 BI APPS 7.9.6.1 DAC 10.1.3.4 running on windows 7 ultimate x32 (installed in xp compatibility mode) All is working c
-
Problem with adding text to photos in PE6 on my iMac
I can't seem to add text to any photo. I have a new iMac, installed PE6, and all other features seem to be working fine. I even reset all tools to default just to be sure I didn't tweak something. When I click on the Text tool and click on a photo, a
-
Please help in Clock-in ESS Workflow
Hello all, Please help me to solve this issue. I had done this thing for clock in/out Work flow. Create a custom transaction calling report program RPTCORAPP and selection screen 1000.(ZPT_APPROVE) 2. Create another custom transaction(Z
-
IPhone 6 Plus Gold 64 bit on the Edge Plan and Delivery Date?
After reading a ton of the posts, a lot of people are saying that they are receiving confirmations that their phones are shipping Friday. I ordered mine 3am CST (that's how long it took the pages to load). My screen said delivery by Friday the 19th