CIFS Problems with FIPS Implementations

Document ID : KB000100447
Last Modified Date : 13/06/2018
Introduction:

The CA Identity Suite Virtual Appliance (VAP) lets you deploy the operating system and CA Identity Suite components in FIPS 140-2 mode. This makes connectivity between components more secure. However, it can interfere with CIFS mounts.

Attempts to mount a CIFS share in a FIPS-enabled environment may result in errors like the one below:

mount error(2): No such file or directory 
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) 

 

Background:

The Federal Information Processing Standards (FIPS) 140-2 publication is a security standard for the cryptographic libraries and algorithms that a product must use for encryption. FIPS 140-2 encryption affects communication of sensitive data between components of CA products, and between CA products and third-party products. FIPS 140-2 specifies the requirements for using cryptographic algorithms within a security system that protects sensitive, unclassified data.

 

Instructions:
CIFS is not compatible with FIPS.

The CA Identity Suite Virtual Appliance supports mounting network drives based on the standard Linux kernel support, for example NFS shares and SMB/CIFS shares. However, when FIPS mode is enabled, md4 and md5 are disabled, which prevents users from using NTLM, NTLMv2 or NTLMSSP authentication. Signing also cannot be used, since it uses md5. Any CIFS mount that uses these methods will break when FIPS mode is enabled.

Our recommendation is to use NFS when possible. 

Please refer to the CA Identity Suite 14.2 Virtual Appliance product documentation for further guidance on Mounting Network File Systems.
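
One way to find the affected entries on a FIPS-enabled host, as an added example that is not part of the original article or of CA's tooling: the script reads the kernel FIPS flag and lists CIFS entries in an fstab-format file whose `sec=` option selects NTLM-family authentication or signing. The sample hosts and paths, and the treatment of a missing `sec=` as an NTLM-family default, are assumptions; an entry that is not listed is not thereby confirmed to work under FIPS.

```shell
#!/bin/sh
# Added example: flag fstab CIFS entries that rely on md4/md5 under FIPS mode.

# Succeeds when the kernel FIPS flag reads 1. The default path is the
# standard Linux flag file; a different file can be passed for testing.
fips_enabled() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# Print "<mountpoint> <sec option> <reason>" for each cifs entry in an
# fstab-format file that uses a method the article lists as broken.
cifs_fips_conflicts() {
    awk '
        $1 ~ /^#/ || NF < 4 || $3 != "cifs" { next }
        {
            sec = ""
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) sec = substr(opts[i], 5)
            # Assumption: with no sec= the kernel picks an NTLM-family default.
            if (sec == "")
                print $2, "sec=(unset)", "default-assumed-ntlm-family"
            else if (sec ~ /^ntlm/)
                print $2, "sec=" sec, "ntlm-auth-needs-md4/md5"
            else if (sec ~ /i$/)
                print $2, "sec=" sec, "signing-needs-md5"
        }
    ' "$1"
}

# Report conflicts only when FIPS mode is on.
check_cifs_under_fips() {
    if fips_enabled "$2"; then
        cifs_fips_conflicts "$1"
    fi
}

# Constructed sample data (hypothetical hosts and paths, not from the article).
demo_dir=$(mktemp -d)
cat > "$demo_dir/fstab" <<'EOF'
//fs01/share  /mnt/a  cifs  credentials=/etc/cred,sec=ntlmssp  0 0
//fs01/data   /mnt/b  cifs  credentials=/etc/cred,sec=krb5i    0 0
//fs01/logs   /mnt/c  cifs  credentials=/etc/cred,sec=krb5     0 0
//fs01/misc   /mnt/d  cifs  credentials=/etc/cred              0 0
nfs01:/export /mnt/e  nfs   defaults                           0 0
EOF
echo 1 > "$demo_dir/fips"
check_cifs_under_fips "$demo_dir/fstab" "$demo_dir/fips"
```

To check a live system, call `check_cifs_under_fips /etc/fstab` with no second argument so the real kernel flag is read.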