Does CA Directory r12.0SP1 support FIPS 140-2 ciphers?

Document ID : KB000052599
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

CA Directory supports FIPS 140-2 ciphers when the SSL Daemon is configured with the "-fips" parameter. Read the solution for details on how to confirm the supported FIPS ciphers and how to configure the SSL Daemon.

Solution:

The SSL Daemon within CA Directory r12.0 SP1 supports FIPS 140-2 compliant ciphers. Please follow the steps below to install the SSL Daemon in FIPs mode and then to check on the FIPS ciphers.

Installing the SSL Daemon in FIPS mode

To install an SSL Daemon in FIPS mode, you need to add the "-fips" parameter to the end of the "ssld install..." command.

Here is an example of an SSLD install using the default paths and trusted root CA file:

ssld install {ssld-service-name} -certfiles config/ssld/personalities -ca config/ssld/trusted.pem -fips"

Once the command has been entered, you should see the following appear on the screen:

SSLD 'ssld-service-name' configured with the following options
     port 1112
     certfiles config/ssld/personalities
     ca config/ssld/trusted.pem
     debug 3
     threads 0
     protocol TLS
     cipher ALL:!EXPORT40:!ADH
     FIPS 140-2 enabled
Installed ssld-service-name

Checking the FIPS compliant ciphers supported by the SSL Daemon

To confirm what FIPS ciphers are supported, simply issue the following command in at the command prompt (as user "dsa" for unix/linux environments)

"ssld -fips_ciphers"

Here is an example of the expected output:

C:\> ssld -fips_ciphers
DHE-RSA-AES256-SHA         TLSv1 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA         TLSv1 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA                 TLSv1 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA         TLSv1 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA         TLSv1 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA                 TLSv1 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA       TLSv1 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA       TLSv1 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA               TLSv1 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1