FIPS-2 Compliance

FIPS 140–2 Compliance for Database Encryption

On specific platforms, InterSystems IRIS® data platform supports FIPS 140–2 compliant cryptography for database encryption. (FIPS 140–2 refers to Federal Information Processing Standard Publication 140-2, which is available at https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdfOpens in a new tab. )

This version of InterSystems IRIS supports FIPS 140-2–compliant cryptography for database encryption on Red Hat Enterprise Linux 8 for x86-64. Red Hat has certificates of validation for the OpenSSL libcrypto.so and libssl.so libraries. When running in FIPS mode, InterSystems IRIS uses these certified libraries. To determine if a minor version of Red Hat Linux has current certification, consult the Red Hat documentationOpens in a new tab.

Note:

With FIPS mode enabled:

Red Hat 8 supports only TLSv1.2 and TLSv1.3.

For information about Red Hat support for government standards, see https://access.redhat.com/articles/2918071Opens in a new tab.

Important:

InterSystems IRIS does not currently support FIPS mode on Red Hat 9.

Enabling FIPS Support

To enable InterSystems IRIS support for FIPS 140–2 compliant cryptography for database encryption, do the following:

Download and install the openssl package from the RedHat repository (rhel-8-server-rpms).
Enable FIPS mode for the operating system. For these instructions, see the article How can I make RHEL 6/7/8 FIPS 140-2 compliant?Opens in a new tab on the Red Hat web site. (Access to this article requires Red Hat login credentials.)
Check the directory /usr/lib64 for the following symbolic links. If these do not exist, create them:
- The symbolic link libssl.so.1.1 should point to the appropriate file (such as libssl.so.1.1.1g), in the same directory.
- The symbolic link libcrypto.so.1.1 should point to the appropriate file (such as libcrypto.so.1.1.1g), in the same directory.
In InterSystems IRIS, specify the FIPSMode CPF parameter as True (1). To do so:
1. Open the Management Portal.
2. Select System Administration > Configuration > Additional Settings > Startup.
  Here you will see a row for FIPSMode.
3. Specify the value for FIPSMode as True and save your change.
Restart InterSystems IRIS.
Enable and configure encrypted databases as outlined in Using Encrypted Databases.

Startup Behavior and messages.log

When InterSystems IRIS is started:

If FIPSMode is 0, InterSystems IRIS native cryptography is used, including optimized assembly code using Intel AES-NI hardware instructions, if supported by the CPU. In this mode, InterSystems IRIS writes the following to messages.log upon startup:
```
FIPS 140-2 compliant cryptography for database encryption is not configured in iris.cpf
```
If FIPSMode is 1, InterSystems IRIS attempts to resolve references to functions in the /usr/lib64/libcrypto.so FIPS-validated library, and then attempts to initialize the library in FIPS mode. If these steps are successful, InterSystems IRIS writes the following to messages.log:
```
FIPS 140-2 compliant cryptography for database encryption is enabled for this instance.
```
If FIPSMode is 1, but the initialization of the library is unsuccessful, InterSystems IRIS does not start. In this case, messages.log contains the following message:
```
FIPS 140-2 compliant cryptography for database encryption initialization failed. Aborting.
```
On platforms other than lnxrhx64, if FIPSMode is 1, InterSystems IRIS native cryptography is used, and InterSystems IRIS writes the following to messages.log:
```
FIPS 140-2 compliant cryptography for database encryption is not supported on this platform.
```

Cryptographic Standards and RFCs

Additional Encryption Information