Enabling FIPS compliance


Encrypted protocols like FTPS, HTTPS, and TCP/SSL have a setting labeled Enable FIPS compliance (see sample below). When this setting is switched ON, administrators cannot change the allowed ciphers, whether through the GUI or the administrative API. This setting is ideal for environments that must comply with regulations requiring 'strong cryptography'. Many of these regulations only allow cryptographic algorithms recommended by duly recognized standards such as the Federal Information Processing Standards (FIPS).

Figure 89 (screenshot)

Before the FIPS compliance setting can take effect, a couple of things need to be in place. These include the following:

 

• The Bouncy Castle libraries (JAR files whose names begin with bc) found in the 'lib' directory of the MFT Gateway installation directory need to be replaced with the libraries found in the 'fips' directory. Create backups of the original bc* files in case you need them later. Once the files have been replaced, MFT Gateway must be restarted for the changes to apply.

 

• Some headless environments (namely Linux distributions such as CentOS and Ubuntu) may suffer from slow startup times when using the FIPS libraries, because the entropy pool fills slowly on such systems. For this reason the FIPS-related libraries are shipped in a separate directory rather than in the default "libs" directory. A workaround is to install haveged, which populates the entropy pool more quickly in headless environments (see Installing haveged).

 
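The library swap described in the first bullet, as an added shell example that is not part of the MFT Gateway documentation: it backs up the existing bc* JARs from 'lib', copies the FIPS builds in from 'fips', and refuses to touch anything if the 'fips' directory has no bc* JARs. The installation path, the function name and the `lib-bc-backup-*` backup directory name are assumptions; restarting the service afterwards is still a manual step.

```shell
#!/bin/sh
# Added example, not from the product documentation. Assumed layout:
#   <install>/lib/bc*.jar   non-FIPS Bouncy Castle JARs (to be backed up)
#   <install>/fips/bc*.jar  FIPS Bouncy Castle JARs (to be copied in)
# Usage: swap_bc_libs /opt/mftgateway   (then restart MFT Gateway)

swap_bc_libs() {
    install_dir="$1"
    lib_dir="$install_dir/lib"
    fips_dir="$install_dir/fips"
    # Timestamped backup directory name is an assumption, not a product path.
    backup_dir="$install_dir/lib-bc-backup-$(date +%Y%m%d%H%M%S)"

    # Preconditions: both directories exist and fips/ actually holds bc* JARs.
    [ -d "$lib_dir" ]  || { echo "missing $lib_dir" >&2; return 1; }
    [ -d "$fips_dir" ] || { echo "missing $fips_dir" >&2; return 1; }
    set -- "$fips_dir"/bc*.jar
    [ -e "$1" ] || { echo "no bc*.jar files in $fips_dir" >&2; return 1; }

    # Move the original bc* JARs out of lib/ into the backup directory first,
    # so the originals are preserved before anything is overwritten.
    mkdir -p "$backup_dir"
    for f in "$lib_dir"/bc*.jar; do
        [ -e "$f" ] && mv "$f" "$backup_dir/"
    done

    # Copy the FIPS builds into lib/; other JARs in lib/ are left untouched.
    cp "$fips_dir"/bc*.jar "$lib_dir"/

    echo "original bc* JARs backed up to $backup_dir"
}
```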

Note: RSA and DSA keys should be at least 2048 bits long for FIPS mode to work.






© 2023 Redwood Software, Inc.