4 Enabling compliance with FIPS 140-3
If your organization does any work for the United States federal government, it is likely that your cryptography applications (such as OpenSSL, GnuTLS, and OpenJDK) will be required to be in compliance with Federal Information Processing Standards (FIPS) 140-3. FIPS 140-3 is a security accreditation program for validating cryptographic modules produced by private companies. If your organization is not required by compliance rules to run SUSE Linux Enterprise in FIPS mode, it is generally best not to do so. This chapter provides guidance on enabling FIPS mode, and links to resources with detailed information.
SUSE Linux Enterprise Micro 5.3 is in the process of implementing the FIPS 140-3 standard. The relevant binaries are undergoing certification and will be updated in the near future.
For further details, contact your SUSE sales representative.
4.1 FIPS overview
Every vendor that develops and maintains cryptographic applications, and wants them to be tested for FIPS compliance, must submit them to the Cryptographic Module Validation Program (CMVP) (see https://csrc.nist.gov/projects/cryptographic-module-validation-program).
The latest FIPS 140-3 standard was approved in March 2019 and is replacing 140-2.
4.2 When to enable FIPS mode
Administering FIPS is complex and requires significant expertise. Implementing it correctly, testing, and troubleshooting all require a high degree of knowledge.
Only run your SLE Micro in FIPS mode when it is required to meet compliance rules. Otherwise, we do not recommend running your systems in FIPS mode.
Below are some reasons to not use FIPS mode (if not required explicitly):
FIPS is restrictive. It enforces the use of specific validated cryptographic algorithms and specific certified binaries that implement these validated algorithms. You must use only the certified binaries.
Upgrades may break functionality.
The approval process is very long, so certified binaries are always several releases behind the newest release.
Certified binaries, such as ssh, sshd and sftp-server, run their own self-checks at start-up, and run only when these checks succeed. This creates a small performance degradation.
Administering FIPS is complex and requires significant expertise.
4.3 Installing FIPS
To install the FIPS pattern on a running system, proceed as follows:
1. Install the patterns-microos-fips pattern:

   # transactional-update pkg install -t pattern microos-fips

2. Reboot your system.

3. Add the kernel command line parameter fips=1 to the boot loader configuration. To do so, edit the file /etc/default/grub as follows:

   GRUB_CMDLINE_LINUX_DEFAULT="... fips=1 ..."

4. After logging in to the system, run:

   # transactional-update grub.cfg

5. Reboot your system.
Alternatively, you can install the pattern during the manual installation under Section 12.9, “Installation Settings”. Then adjust the boot loader configuration as described in the procedure above.
While the relevant binaries are undergoing certification for FIPS 140-3, the packages are not yet stable. If you need to enable FIPS mode nevertheless, contact your SUSE sales representative.
If you install and enable the FIPS mode on a running system, you might need to make adjustments, such as regenerating keys and auditing your setup to ensure it is set up correctly.
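The boot loader step of the procedure above, as an added shell example that is not part of the SUSE documentation: it adds fips=1 to GRUB_CMDLINE_LINUX_DEFAULT without duplicating it on a second run, and provides the two checks an administrator wants after the final reboot: whether fips=1 is actually on the running kernel command line and whether the kernel reports FIPS mode through /proc/sys/crypto/fips_enabled (a standard kernel interface that this page does not mention). The function names, the optional file arguments used to exercise the functions against a scratch copy, and the "apply" argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not SUSE's code): configure fips=1 in a GRUB defaults file
# idempotently and verify FIPS mode on the running system.
# File paths are parameters so the functions can be tested on a scratch copy.

# cmdline_has_fips "<kernel command line>"
# Succeeds when fips=1 is present as a whole token (fips=10 does not count).
cmdline_has_fips() {
    printf '%s\n' "$1" | grep -Eq '(^| )fips=1( |$)'
}

# get_cmdline_default FILE
# Prints the double-quoted value of GRUB_CMDLINE_LINUX_DEFAULT from FILE.
get_cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# add_fips_param FILE
# Ensures GRUB_CMDLINE_LINUX_DEFAULT in FILE contains fips=1. Assumes the
# value is double-quoted, as shipped in /etc/default/grub. Adds the variable
# if the file does not define it. Fails if fips=1 is still absent afterwards.
add_fips_param() {
    file=$1
    present='^GRUB_CMDLINE_LINUX_DEFAULT="([^"]* )?fips=1( [^"]*)?"'
    if grep -Eq "$present" "$file"; then
        return 0                       # already configured, nothing to do
    fi
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        # Insert fips=1 before the closing quote; the second expression
        # removes the leading space left behind when the value was empty.
        sed -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*\)"/\1 fips=1"/' \
            -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\)" /\1"/' "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"\n' >> "$file"
    fi
    grep -Eq "$present" "$file"        # confirm the edit took effect
}

# fips_mode_active [FLAGFILE]
# Succeeds when the kernel reports FIPS mode (flag file contains "1").
fips_mode_active() {
    flag=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Usage on a SLE Micro system, as root:  sh enable-fips.sh apply
# Then reboot and run:                   sh enable-fips.sh check
case "${1-}" in
    apply)
        add_fips_param /etc/default/grub || exit 1
        transactional-update grub.cfg   # regenerate grub.cfg in a new snapshot
        echo "fips=1 configured; reboot to activate FIPS mode"
        ;;
    check)
        cmdline_has_fips "$(cat /proc/cmdline)" || { echo "fips=1 not on kernel command line"; exit 1; }
        fips_mode_active || { echo "kernel is not in FIPS mode"; exit 1; }
        echo "FIPS mode active"
        ;;
esac
```

The post-reboot "check" matters because the two steps can disagree: fips=1 can be present in /etc/default/grub but missing from /proc/cmdline when transactional-update grub.cfg was not run or the system booted an older snapshot, and a kernel booted without the parameter will report 0 in /proc/sys/crypto/fips_enabled even though the FIPS pattern is installed.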
4.4 MD5 not supported in Samba/CIFS
According to the FIPS standards, MD5 is not a secure hashing algorithm, and it must not be used for authentication. If you run a FIPS-compliant network environment, and you have clients or servers that run in FIPS-compliant mode, you must use a Kerberos service for authenticating Samba/CIFS users. This is necessary as all other Samba authentication modes include MD5.