28 Enabling compliance with FIPS 140-3 #
FIPS 140-3 is a security accreditation program for validating cryptographic modules produced by private companies. The Federal Information Processing Standards (FIPS) Publication 140 is a series of computer security standards developed by the National Institute of Standards and Technology (NIST) to ensure the quality of cryptographic modules.
If your organization does any work for the United States federal government, your cryptography applications (such as openSSL, GnuTLS and OpenJDK) may be required to comply with Federal Information Processing Standards (FIPS) 140-3. If your organization is not required by compliance rules to run SUSE Linux Enterprise in FIPS mode, it is best to not do it. This chapter provides guidance on enabling FIPS mode, and links to resources with detailed information.
The relevant binaries are currently undergoing FIPS 140-3 certification. Until the certification has been achieved, full FIPS 140-3 compliance cannot be guaranteed.
28.1 FIPS overview #
Every vendor that develops and maintains cryptographic applications and wants them to be tested for FIPS compliance must submit them to the Cryptographic Module Validation Program (CMVP) (see https://csrc.nist.gov/projects/cryptographic-module-validation-program).
The latest FIPS 140-3 standard was approved in March 2019 and replaces 140-2.
28.2 When to enable FIPS mode #
Administering FIPS is complex and requires significant expertise. Implementing it correctly, testing and troubleshooting all require a high degree of knowledge.
Only run your SLES in FIPS mode when it is required to meet compliance rules. Otherwise, we do not recommend running your systems in FIPS mode.
Below are some reasons to not use FIPS mode (if not required explicitly):
FIPS is restrictive. It enforces the use of specific validated cryptographic algorithms and specific certified binaries that implement these validated algorithms. You must use only the certified binaries.
Upgrades may break functionality.
The approval process is very long, so certified binaries are always several releases behind the newest release.
Certified binaries, such as ssh, sshd and sftp-server, run their own self-checks at start-up and run only when these checks succeed. This creates a small performance degradation.
Administering FIPS is complex and requires significant expertise.
28.3 Installing FIPS #
It is best to install the patterns-base-fips pattern on a new installation.
The relevant binaries are currently undergoing FIPS 140-3 certification. Until the certification has been achieved, full FIPS 140-3 compliance cannot be guaranteed.
You may install patterns-base-fips and enable FIPS mode on a running system, you may have to make adjustments, such as regenerating keys and auditing your setup to ensure it is set up correctly.
28.4 Enabling FIPS mode #
The following procedure shows you how to enable FIPs mode:
The crypto-policies-scripts package that provides the
fips-mode-setup
command might not be installed by default. If it is not, you can install the package in a supported way and then enable the kernel FIPS mode, which also sets the system policy to FIPS:>
sudo
fips-mode-setup --enable Setting system policy to FIPS FIPS mode will be enabled. [...] Please reboot the system for the setting to take effect.Reboot and verify the FIPS mode with:
>
sudo
fips-mode-setup --check FIPS mode is enabled. Initramfs fips module is enabled. The current crypto policy (FIPS) is based on the FIPS policy.To disable FIPS mode, run:
>
sudo
fips-mode-setup --disable Setting system policy to DEFAULT FIPS mode will be disabled. [...] Please reboot the system for the setting to take effect.
You can also use the following options:
--no-bootcfg
: The tool does not reconfigure the boot loader but instead prints the options that need to be added to the kernel command line. Exception: It still attempts to executezipl
ons390x
, as the system might become unbootable otherwise.--is-enabled
: Checks the system FIPS mode status and returns a failure error code if disabled (2) or inconsistent (1).
28.5 MD5 not supported in Samba/CIFS #
According to the FIPS standards, MD5 is not a secure hashing algorithm, and it must not be used for authentication. If you run a FIPS-compliant network environment, and you have clients or servers that run in FIPS-compliant mode, you must use a Kerberos service for authenticating Samba/CIFS users. This is necessary as all other Samba authentication modes include MD5.
See the Samba section of the Storage Administration Guide for more information on running a Samba server.
28.6 More information #
For more information, refer to:
Man 8
fips-mode-setup
Man 8
fips-finish-install
Man 7
crypto-policies
Man 8
update-crypto-policies