Skip to main content

This is documentation for Caché & Ensemble.

For information on converting to InterSystems IRISOpens in a new window, see the InterSystems IRIS Migration Guide and Migrating to InterSystems IRIS, both available on the WRC Distributions pageOpens in a new window (login required).

FIPS 140-2 Compliance and Encryption Features

Some versions of Caché on some platforms support FIPS 140–2 compliant cryptography for certain encryption features. (FIPS 140–2 refers to Federal Information Processing Standard Publication 140-2, which is available at https://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdfOpens in a new window. )

Important:

There are no cryptographic libraries in this version of Caché that are certified as FIPS-compliant. In previous releases of Caché, there is FIPS-compliant database encryption on Red Hat Enterprise Linux using versions of Red Hat Enterprise Linux prior to version 8. (This version of Caché supports TLS v1.3, which requires the OpenSSL 1.1.1 libraries, which are not supported on versions of Red Hat Enterprise Linux prior to version 8.)

Red Hat created the Enterprise Linux 8 versions of the OpenSSL libraries so that they could be certified as FIPS-compliant; however, as of December 2020, they have not been certified. At some future date, the libraries may receive certification. Check the Red Hat website for the most up-to-date information; for example, for information about Red Hat support for government standards, see https://www.redhat.com/en/technologies/industries/government/standardsOpens in a new window or check the Red Hat websiteOpens in a new window..

Cryptographic Libraries and What They Provide

The cryptography for encryption on Red Hat Enterprise Linux 8 (or later minor versions) for x86-64 in OpenSSL uses the libcrypto.so and libssl.so libraries. The versions of the libraries are libcrypto.so.1.1.1g and libssl.so.1.1.1g. On Red Hat Enterprise Linux 8, Caché uses these libraries under all circumstances (whether or not FIPS mode is enabled).

Enabling FIPS-Related Functionality

Caché includes a special operating mode, called FIPS mode. Running Caché in FIPS mode does increase certain security protections. For example, the minimum supported version of TLS is v1.2.

To run Caché in FIPS mode:

  1. Enable FIPS mode for the operating system by entering the following commands at the command line:

    # fips-mode-setup --enable
    
    # reboot
    Copy code to clipboard

    For more information, see How RHEL 8 is designed for FIPS 140-2 requirementsOpens in a new window on the Red Hat website.

  2. In Caché, specify the FIPSMode CPF parameter as True (1). To do so:

    1. Open the Management Portal.

    2. Select System Administration > Configuration > Additional Settings > Startup.

      Here you will see a row for FIPSMode.

    3. Specify the value for FIPSMode as True and save your change.

  3. Restart Caché.

  4. Enable and configure encrypted databases as outlined in “Using Encrypted Databases” in the chapter “Managed Key Encryption” in Caché Security Administration Guide.

Startup Behavior and cconsole.log

When Caché is started:

  • If FIPSMode is 0, Caché enforces its standard security rules. In this mode, Caché writes the following to cconsole.log upon startup:

    FIPS 140-2 compliant cryptography for database encryption is not configured in cache.cpf
    Copy code to clipboard
  • If FIPSMode is 1, Caché enforces FIPS-related security rules. Caché writes the following to cconsole.log:

    FIPS 140-2 compliant cryptography for database encryption is enabled for this instance.
    Copy code to clipboard
  • On platforms other than lnxrhx64, if FIPSMode is 1, Caché always enforces its standard security rules, and Caché writes the following to cconsole.log:

    FIPS 140-2 compliant cryptography for database encryption is not supported on this platform.
    Copy code to clipboard
FeedbackOpens in a new window