FIPS 140-2 Compliance for Caché Database Encryption
On specific platforms, Caché supports FIPS 140-2 compliant cryptography for database encryption. (FIPS 140-2 refers to Federal Information Processing Standard Publication 140-2, which is available at https://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.)
Supported Platforms
This version of Caché supports FIPS 140-2 compliant cryptography for database encryption on Red Hat Enterprise Linux 6.6 (or later minor versions) and Red Hat Enterprise Linux 7.1 (or later minor versions) for x86-64. For each supported version, Red Hat has a certificate of validation for the OpenSSL libcrypto.so and libssl.so libraries; the certificates are available at the sites listed below.
- The libraries are libcrypto.so.1.0.1e and libssl.so.1.0.1e.
- The certificate is https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2441.
- The libraries are libcrypto.so.1.0.1e and libssl.so.1.0.1e.
- The certificates are https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2441, https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3538, and https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3867.
- The libraries are libcrypto.so.1.0.2k and libssl.so.1.0.2k.
- The certificates are https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3016, https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3538, and https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3867.
Caché does not support FIPS 140-2 compliant cryptography on Red Hat Enterprise Linux 8.
For information about Red Hat support for government standards, see https://www.redhat.com/en/technologies/industries/government/standards.
Enabling FIPS Support
To enable Caché support for FIPS 140-2 compliant cryptography for database encryption, do the following:
- Download and install the openssl package from the Red Hat repository (rhel-6-server-rpms or rhel-7-server-rpms, depending on which version of Red Hat Enterprise Linux for x86-64 you are using).
- Enable FIPS mode for the operating system. For these instructions, see the article “How can I make RHEL 6/7/8 FIPS 140-2 compliant?” on the Red Hat web site.
  Note: Access to this article requires Red Hat login credentials.
- Check the directory /usr/lib64 for the following symbolic links. If these do not exist, create them:
  - The symbolic link libssl.so should point to the appropriate file (such as libssl.so.1.0.2k) in the same directory.
  - The symbolic link libcrypto.so should point to the appropriate file (such as libcrypto.so.1.0.2k) in the same directory.
- In Caché, set the FIPSMode CPF parameter to True (1). To do so:
  - Open the Management Portal.
  - Select System Administration > Configuration > Additional Settings > Startup. Here you will see a row for FIPSMode.
  - Specify the value for FIPSMode as True and save your change.
- Restart Caché.
- Enable and configure encrypted databases as outlined in “Using Encrypted Databases” in the chapter “Managed Key Encryption” in the Caché Security Administration Guide.
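The following POSIX shell script is an added example, not InterSystems code and not taken from this page, for verifying the prerequisites above before the restart: that libssl.so and libcrypto.so in /usr/lib64 are symbolic links to versioned OpenSSL 1.0.x libraries in the same directory, that FIPSMode=1 is present in cache.cpf, and that the kernel itself reports FIPS mode. Two things it assumes are not stated on the page: that FIPSMode is read from a [Startup] section of cache.cpf (inferred from the Management Portal path above), and that the kernel flag lives at /proc/sys/crypto/fips_enabled, which is where Red Hat's FIPS mode exposes it.

```shell
#!/bin/sh
# Added example, not InterSystems code: pre-flight checks for the FIPS
# enablement steps. Assumptions (not stated on the page): the library
# directory is /usr/lib64; FIPSMode sits in the [Startup] section of
# cache.cpf; /proc/sys/crypto/fips_enabled is the kernel's FIPS-mode flag.

# check_symlink NAME DIR
# Prints "ok TARGET" if DIR/NAME is a symbolic link to a versioned NAME.1.0.*
# file in the same directory (e.g. libssl.so -> libssl.so.1.0.2k); otherwise
# prints what is wrong and returns 1.
check_symlink() {
    name=$1
    dir=$2
    link="$dir/$name"
    if [ ! -L "$link" ]; then
        echo "missing: $link is not a symbolic link"
        return 1
    fi
    target=$(readlink "$link")
    case "$target" in
        /*)  # absolute target: must still resolve inside DIR
             if [ "$(dirname "$target")" != "$dir" ]; then
                 echo "bad: $link -> $target is outside $dir"
                 return 1
             fi ;;
        */*) echo "bad: $link -> $target leaves $dir"
             return 1 ;;
    esac
    base=$(basename "$target")
    case "$base" in
        "$name".1.0.*) ;;
        *) echo "bad: $link -> $base is not a versioned $name library"
           return 1 ;;
    esac
    if [ ! -f "$dir/$base" ]; then
        echo "dangling: $link -> $base does not exist"
        return 1
    fi
    echo "ok $base"
}

# cpf_fips_mode FILE
# Prints the FIPSMode value found in the [Startup] section of a CPF file,
# or "unset" when the parameter is absent from that section.
cpf_fips_mode() {
    awk -F= '
        /^\[/ { in_startup = ($0 == "[Startup]"); next }
        in_startup && $1 == "FIPSMode" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# os_fips_enabled [FILE]
# Prints the kernel FIPS flag (1 = enabled, 0 = disabled) or "unknown" when
# it cannot be read. FILE overrides the default path, mainly for testing.
os_fips_enabled() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo unknown
    fi
}

# preflight [LIBDIR] [CPF]
# Runs every check, reports each result, and returns 0 only if all pass.
preflight() {
    libdir=${1:-/usr/lib64}
    cpf=${2:-cache.cpf}
    status=0
    for lib in libssl.so libcrypto.so; do
        out=$(check_symlink "$lib" "$libdir") || status=1
        echo "$lib: $out"
    done
    mode=$(cpf_fips_mode "$cpf")
    echo "FIPSMode in $cpf: $mode"
    [ "$mode" = "1" ] || status=1
    os=$(os_fips_enabled)
    echo "kernel fips_enabled: $os"
    [ "$os" = "1" ] || status=1
    return $status
}

# Usage: sh fips-preflight.sh --run /usr/lib64 /path/to/cache.cpf
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-/usr/lib64}" "${3:-cache.cpf}"
fi
```

The functions are independent, so the same file can be sourced by a configuration-management or monitoring check that only needs one of them; a non-zero exit from preflight is the signal to stop before restarting Caché, since the startup behaviour described below is to abort when the library cannot be initialized.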
Startup Behavior and cconsole.log
When Caché is started:
- If FIPSMode is 0, Caché native cryptography is used, including optimized assembly code that uses Intel AES-NI hardware instructions if the CPU supports them. In this mode, Caché writes the following to cconsole.log upon startup:
  FIPS 140-2 compliant cryptography for database encryption is not configured in cache.cpf
- If FIPSMode is 1, Caché attempts to resolve references to functions in the FIPS-validated library /usr/lib64/libcrypto.so, and then attempts to initialize the library in FIPS mode. If these steps succeed, Caché writes the following to cconsole.log:
  FIPS 140-2 compliant cryptography for database encryption is enabled for this instance.
- If FIPSMode is 1 but initialization of the library fails, Caché does not start. In this case, cconsole.log contains the following message:
  FIPS 140-2 compliant cryptography for database encryption initialization failed. Aborting.
- On platforms other than lnxrhx64, if FIPSMode is 1, Caché native cryptography is used, and Caché writes the following to cconsole.log:
  FIPS 140-2 compliant cryptography for database encryption is not supported on this platform.
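As an added example that is not part of the page or of Caché, the shell function below maps the four cconsole.log messages listed above to a one-word state and returns non-zero only for the abort case, so it can serve as a post-restart health check that confirms FIPS cryptography is actually in effect rather than silently falling back to native cryptography. The log excerpt it writes is constructed for this example; the timestamp and process-id prefix on each line is illustrative and not a specification of the cconsole.log format.

```shell
#!/bin/sh
# Added example, not InterSystems code: classify the FIPS startup message
# that Caché writes to cconsole.log. Only the four message texts are from
# the documentation; the surrounding log format below is constructed.

# fips_startup_state LOGFILE
# Prints one word for the most recent FIPS message in LOGFILE:
#   enabled      FIPSMode=1 and the FIPS-validated libcrypto initialized
#   native       FIPSMode=0, Caché native cryptography in use
#   unsupported  FIPSMode=1 on a platform other than lnxrhx64 (native crypto)
#   failed       FIPSMode=1 but library initialization failed (Caché aborted)
#   none         no FIPS message found
# Returns 1 only for "failed", so it can gate a monitoring check.
fips_startup_state() {
    line=$(grep 'FIPS 140-2 compliant cryptography for database encryption' "$1" | tail -n 1)
    case "$line" in
        "")                                    echo none ;;
        *"is enabled for this instance"*)      echo enabled ;;
        *"is not configured in cache.cpf"*)    echo native ;;
        *"is not supported on this platform"*) echo unsupported ;;
        *"initialization failed"*)             echo failed; return 1 ;;
        *)                                     echo unknown ;;
    esac
}

# write_sample_log FILE
# Writes a constructed cconsole.log excerpt: an earlier start with FIPSMode=0
# followed by a later start with FIPS enabled, so the last message wins.
write_sample_log() {
    cat > "$1" <<'EOF'
01/12/21-09:00:01:123 (1234) 0 FIPS 140-2 compliant cryptography for database encryption is not configured in cache.cpf
01/12/21-09:00:02:456 (1234) 0 (constructed filler line unrelated to FIPS)
01/12/21-10:15:00:001 (2345) 0 FIPS 140-2 compliant cryptography for database encryption is enabled for this instance.
EOF
}

# Usage: sh fips-log-state.sh /path/to/cconsole.log
if [ -n "${1:-}" ]; then
    fips_startup_state "$1"
fi
```

Taking the last matching line matters because cconsole.log accumulates across restarts: a "native" line from a pre-FIPS start will still be present above the "enabled" line, and a check that stops at the first match would report the wrong state.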