Only the cryptographic libraries used by SMS version 4.2.1 and later are FIPS 140-2 certified. Because of this, FIPS mode in SMS version 4.2.1 and later is called FIPS Crypto Core.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government
computer security standard used to accredit cryptographic modules. The FIPS 140-2
publication coordinates requirements and standards for cryptography modules that include
both hardware and software components. Some United States federal agencies and departments
require software, including the SMS, to comply with the 140-2 standards.
The SMS supports two levels of FIPS operation:
- Disabled — No FIPS compliance actions or restrictions are activated on the SMS server.
- FIPS Crypto Core — In this mode the SMS uses cryptographic libraries certified by the National Institute of Standards and Technology (NIST) as compliant with the FIPS 140-2 publication. The SMS automatically reboots when it is placed into FIPS Crypto Core mode and again when FIPS Crypto Core mode is disabled.
Procedure
- Go to , and then select the Management tab.
- Click Edit under FIPS Mode.
- Review the current state. The current state radio button indicates whether the SMS is in FIPS Crypto Core mode. If it is not, the radio button is unselected and the current state displays as Disabled.
- If the current state is Disabled, select the FIPS Crypto Core radio button to enter FIPS Crypto Core mode.
- If the current state is FIPS Crypto Core, select the Disabled radio button to turn that mode off.
- Click OK.
When you submit the request to enter FIPS Crypto Core mode, the SMS server reboots. This process, along with the reboot, also occurs when transitioning out of FIPS Crypto Core mode.
Note
If the SMS is currently running a 1K key, it will display a message about upgrading to a 2K key to be fully FIPS compliant. You can still enable FIPS mode on the SMS without installing the 2K key, but when the SMS is in FIPS mode, you cannot install the 2K key.
When this process is complete, the SMS operates in FIPS Crypto Core mode. The following restrictions apply in this mode:
- A 2048-bit certificate is required.
- If an SMS backup was taken while the SMS was in FIPS Crypto Core mode, the backup cannot be restored on an SMS that has a 1024-bit certificate.
- Upgrading the SMS certificate key will not be allowed. For more information, see SMS certificate key.
- SMS will not be able to communicate with the Identity Agent. For more information, see User ID IP Correlation.
- SMS High Availability (HA) is available if both systems have the required 2K key.
- The SSH terminal will negotiate connections using only FIPS 140-2 approved algorithms.
- Custom Responder Actions cannot be imported or executed.
- To get logs from a managed SSL device, you must first set up SMS as the syslog destination in the SSL web client.
- External Database access is not permitted.
- External Database replication is not permitted.
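Because the SMS certificate key cannot be upgraded once FIPS Crypto Core mode is on, it is worth confirming the key size before enabling the mode rather than after. The following script is an added example, not part of the SMS product or this documentation: it parses the DER/PEM encoding of an X.509 certificate or a SubjectPublicKeyInfo with only the Python standard library, locates the rsaEncryption public key, and reports the modulus size against the 2048-bit requirement stated above. The `build_placeholder_spki` fixture is constructed for the example and produces a structurally valid but cryptographically meaningless key of the requested size; it exists only so the check can be exercised offline. The certificate file path and the assumption that the SMS certificate is an RSA key are the author's assumptions, not something this page states.

```python
import base64
import re
import sys

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents of the OBJECT IDENTIFIER.
RSA_OID = bytes.fromhex("2a864886f70d010101")
FIPS_CRYPTO_CORE_MIN_BITS = 2048  # "A 2048-bit certificate is required" (from the page)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _find_rsa_spki_bitstring(value):
    """Depth-first search for SEQUENCE { AlgorithmIdentifier(rsaEncryption), BIT STRING }.
    Works on a bare SubjectPublicKeyInfo or on a full certificate, since TBSCertificate
    embeds the same structure. Returns the BIT STRING contents or None."""
    kids = _children(value)
    if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
        alg = _children(kids[0][1])
        if alg and alg[0][0] == 0x06 and alg[0][1] == RSA_OID:
            return kids[1][1]
    for tag, v in kids:
        if tag & 0x20:                     # constructed encoding: recurse into it
            found = _find_rsa_spki_bitstring(v)
            if found is not None:
                return found
    return None


def rsa_modulus_bits(der):
    """Return the RSA modulus size in bits for a DER certificate or SubjectPublicKeyInfo."""
    _, top, _ = _read_tlv(der, 0)
    bitstring = _find_rsa_spki_bitstring(top)
    if bitstring is None:
        raise ValueError("no rsaEncryption SubjectPublicKeyInfo found")
    rsa_pub = bitstring[1:]                # first octet of a BIT STRING is the unused-bits count
    _, seq, _ = _read_tlv(rsa_pub, 0)      # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("RSAPublicKey modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()   # leading 0x00 pad does not count


def meets_fips_crypto_core_requirement(der):
    """True when the key is at least 2048 bits, i.e. the '2K key' the page requires."""
    return rsa_modulus_bits(der) >= FIPS_CRYPTO_CORE_MIN_BITS


def pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der, label="PUBLIC KEY"):
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# --- constructed fixture: NOT a real key, only a DER skeleton with a modulus of the given size ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:                        # DER: prepend 0x00 so the INTEGER stays positive
        b = b"\x00" + b
    return _tlv(0x02, b)


def build_placeholder_spki(bits):
    """Constructed SubjectPublicKeyInfo whose modulus has exactly `bits` bits (placeholder value)."""
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))


if __name__ == "__main__":
    # Usage: python check_key.py sms-cert.pem   (path is an assumption; export the cert from the SMS)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            raw = f.read()
        der = pem_to_der(raw.decode()) if raw.lstrip().startswith(b"-----") else raw
    else:
        der = build_placeholder_spki(1024)  # demo with the constructed 1K fixture
    bits = rsa_modulus_bits(der)
    status = "OK for FIPS Crypto Core" if bits >= FIPS_CRYPTO_CORE_MIN_BITS else "upgrade to a 2K key first"
    print(f"RSA modulus: {bits} bits -> {status}")
```

Run it against the certificate exported from the SMS before enabling FIPS Crypto Core: a 1024-bit result means the key must be upgraded first, because the upgrade is blocked once the mode is on and a backup taken in that mode cannot be restored onto a 1024-bit SMS. The parser deliberately walks the DER tree rather than assuming a fixed field order, so it accepts either a bare public key or a whole certificate.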