Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / SUSE Linux Enterprise Micro – Dokumentation  / Security and Hardening Guide / Enabling compliance with FIPS 140-3
Applies to SUSE Linux Enterprise Micro 5.5

4 Enabling compliance with FIPS 140-3

FIPS 140-3 is a security accreditation program for validating cryptographic modules produced by private companies. The Federal Information Processing Standards (FIPS) Publication 140 is a series of computer security standards developed by the National Institute of Standards and Technology (NIST) to ensure the quality of cryptographic modules.

If your organization does any work for the United States federal government, your cryptography applications (such as openSSL, GnuTLS and OpenJDK) may be required to comply with Federal Information Processing Standards (FIPS) 140-3. If your organization is not required by compliance rules to run SUSE Linux Enterprise in FIPS mode, it is best to not do it. This chapter provides guidance on enabling FIPS mode, and links to resources with detailed information.

Important
Important: SUSE Linux Enterprise Micro 15 SP5 and FIPS 140-3

SUSE Linux Enterprise Micro 15 SP5 can run certified binaries of SUSE Linux Enterprise Micro 15 SP4. This process is not automated. You need to install the exact certified version of the packages and make sure not to update them. The certified packages are available in the regular repositories and/or in the Certifications module.

These cryptographic modules, if compatible between both operating systems, are vendor-affirmed, based on the FIPS 140-3 Module Validation Program Management Manual, see section 7.9.1 Vendor, subitem 1.a, i.

4.1 FIPS overview

Every vendor that develops and maintains cryptographic applications and wants them to be tested for FIPS compliance must submit them to the Cryptographic Module Validation Program (CMVP) (see https://csrc.nist.gov/projects/cryptographic-module-validation-program).

The latest FIPS 140-3 standard was approved in March 2019 and replaces 140-2.

4.2 When to enable FIPS mode

Warning
Warning: FIPS requires expertise

Administering FIPS is complex and requires significant expertise. Implementing it correctly, testing and troubleshooting all require a high degree of knowledge.

Only run your SLE Micro in FIPS mode when it is required to meet compliance rules. Otherwise, we do not recommend running your systems in FIPS mode.

Below are some reasons to not use FIPS mode (if not required explicitly):

  • FIPS is restrictive. It enforces the use of specific validated cryptographic algorithms and specific certified binaries that implement these validated algorithms. You must use only the certified binaries.

  • Upgrades may break functionality.

  • The approval process is very long, so certified binaries are always several releases behind the newest release.

  • Certified binaries, such as ssh, sshd and sftp-server, run their own self-checks at start-up and run only when these checks succeed. This creates a small performance degradation.

  • Administering FIPS is complex and requires significant expertise.

4.3 Installing FIPS

To install the FIPS pattern on a running system, proceed as follows:

  1. Install the patterns-microos-fips pattern:

    # transactional-update pkg install -t pattern microos-fips
  2. Reboot your system.

  3. Add the kernel command line parameter fips=1 to the boot loader configuration. To do so, edit the file /etc/default/grub as follows:

    GRUB_CMDLINE_LINUX_DEFAULT="... fips=1...
  4. After logging in to the system, run

    # transactional-update grub.cfg
  5. Reboot your system.

Alternatively, you can install the pattern during the manual installation under Software as described in Abschnitt 12.9, „Installationseinstellungen“. Then adjust the boot loader configuration as described in the procedure above.

Important
Important: Undergoing FIPS 140-3 certification

The relevant binaries are currently undergoing FIPS 140-3 certification. Until the certification has been achieved, full FIPS 140-3 compliance cannot be guaranteed

Note
Note: Installing and enabling FIPS on a running system

If you install and enable the FIPS mode on a running system, you might need to make adjustments, such as regenerating keys and auditing your setup to ensure it is set up correctly.

4.4 Running containers on SLE Micro

If you run SLE Micro in the FIPS mode and you use only the SLE 15 SP4 BCI-based containers, then such a setup can serve as a FIPS-compliant platform. If you intend to run a third party container on SLE Micro, check the container's FIPS compatibility before deploying it.

4.5 MD5 not supported in Samba/CIFS

According to the FIPS standards, MD5 is not a secure hashing algorithm, and it must not be used for authentication. If you run a FIPS-compliant network environment, and you have clients or servers that run in FIPS-compliant mode, you must use a Kerberos service for authenticating Samba/CIFS users. This is necessary as all other Samba authentication modes include MD5.

4.6 More information

For more information, refer to:

  • Man 8 fips-mode-setup

  • Man 8 fips-finish-install

  • Man 7 crypto-policies

  • Man 8 update-crypto-policies