FIPS 140-2 Compliance for Caché Database Encryption
On specific platforms, Caché supports FIPS 140-2 compliant cryptography for database encryption. (FIPS 140-2 refers to Federal Information Processing Standard Publication 140-2, which is available at https://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.)
Caché supports FIPS 140-2 compliant cryptography for database encryption on Red Hat Enterprise Linux 6.6 (or later minor versions) and Red Hat Enterprise Linux 7.1 (or later minor versions) for x86-64. For each supported version, Red Hat has a certificate of validation for the OpenSSL libcrypto.so and libssl.so libraries; this certificate is available at the site listed below. The validated libraries are:
- Red Hat Enterprise Linux 6: libcrypto.so.1.0.1e and libssl.so.1.0.1e
- Red Hat Enterprise Linux 7: libcrypto.so.1.0.2k and libssl.so.1.0.2k
For information about Red Hat support for government standards, see https://www.redhat.com/en/technologies/industries/government/standards.
Enabling FIPS Support
To enable Caché support for FIPS 140-2 compliant cryptography for database encryption, do the following:
1. Download and install the openssl package from the Red Hat repository (rhel-6-server-rpms or rhel-7-server-rpms, depending on which version of Red Hat Enterprise Linux for x86-64 you are using).
2. Enable FIPS mode for the operating system. For instructions, see the Red Hat documentation for your version of Red Hat Enterprise Linux. Be sure to reboot and to check that FIPS mode is enabled.
3. Check the directory /usr/lib64 for the following symbolic links. If these do not exist, create them:
   - The symbolic link libssl.so should point to the appropriate file (such as libssl.so.1.0.2k) in the same directory.
   - The symbolic link libcrypto.so should point to the appropriate file (such as libcrypto.so.1.0.2k) in the same directory.
4. In Caché, set the FIPSMode CPF parameter to True (1). To do so:
   a. Open the Management Portal.
   b. Select System Administration > Configuration > Additional Settings > Startup.
   c. Here you will see a row for FIPSMode.
   d. Set the value of FIPSMode to True and save your change.
5. Enable and configure encrypted databases as outlined in “Using Encrypted Databases” in the chapter “Managed Key Encryption” in the Caché Security Administration Guide.
Startup Behavior and cconsole.log
When Caché is started:
- If FIPSMode is 0, Caché native cryptography is used, including optimized assembly code that uses the Intel AES-NI hardware instructions if the CPU supports them. In this mode, Caché writes the following to cconsole.log upon startup:
    FIPS 140-2 compliant cryptography for database encryption is not configured in cache.cpf
- If FIPSMode is 1, Caché attempts to resolve references to functions in the FIPS-validated library /usr/lib64/libcrypto.so, and then attempts to initialize the library in FIPS mode. If these steps are successful, Caché writes the following to cconsole.log:
    FIPS 140-2 compliant cryptography for database encryption is enabled for this instance.
- If FIPSMode is 1 but the initialization of the library is unsuccessful, Caché does not start. In this case, cconsole.log contains the following message:
    FIPS 140-2 compliant cryptography for database encryption initialization failed. Aborting.
- On platforms other than lnxrhx64, if FIPSMode is 1, Caché native cryptography is used, and Caché writes the following to cconsole.log:
    FIPS 140-2 compliant cryptography for database encryption is not supported on this platform.