Running in FIPS compliant mode


The Federal Information Processing Standard (FIPS) Publication 140-3 is a computer security standard developed by a U.S. Government and industry working group to validate the quality of cryptographic modules.

FIPS Publication 140-3 can be downloaded from the National Institute of Standards and Technology (NIST) website.


FIPS and older versions of OpenSSH

When you run in FIPS compliant mode, all components must be FIPS compliant. Consequently, if you attempt to discover a target running an older version of OpenSSH Server (earlier than version 7.0, for example), the FIPS requirements might prevent an SSH connection from being established, and discovery of that target will fail.

In previous versions you needed to enable NSS to ensure full FIPS compliance. You no longer need to do this. You must use the SSLFIPS directive in the kickstart to enable FIPS.

FIPS terminology

FIPS 140-3 compliant means you are using FIPS 140-3 compliant algorithms.

FIPS 140-3 certified (also referred to as validated) means you are using a certified implementation of FIPS 140-3 algorithms. Certification is a formal process in which the code must be validated by one of a group of NIST laboratories.

Certification and compliance

The BMC Discovery appliance and the BMC Discovery Outpost use FIPS 140-3 compliant algorithms and so are FIPS 140-3 compliant.

The Oracle Linux 9 OpenSSL FIPS Provider is listed as an Implementation Under Test in the NIST Cryptographic Module Validation Program.

The OpenSSL FIPS provider, used in the  is also listed as an Implementation Under Test in the NIST Cryptographic Module Validation Program.

BMC Discovery and FIPS

Enabling FIPS mode ensures that BMC Discovery uses only FIPS-compliant cryptographic algorithms and FIPS-compliant keys, though some functionality is not supported in FIPS mode, such as using SMB file systems for export or backup. FIPS mode requires that you provide the FIPS-compliant SSL keys.

When not running in FIPS mode, BMC Discovery still uses FIPS-compliant cryptographic algorithms where possible.
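As an added example (not BMC's code), the following POSIX shell check lets a practitioner confirm on the appliance host that both FIPS indicators are actually on, rather than trusting a "FIPS compliant" label: the kernel flag in /proc/sys/crypto/fips_enabled and the OpenSSL FIPS provider reported by `openssl list -providers`. The provider-listing format, the OpenSSL 3.x command and the /proc path are assumptions about an Oracle Linux 9 style host, not statements from this page.

```shell
#!/bin/sh
# Added example, not BMC's code: confirm that a Linux host (such as an Oracle Linux 9
# appliance) is really operating in FIPS mode. "FIPS compliant algorithms" at the
# application layer only hold if the kernel flag and the OpenSSL FIPS provider are both on.
# Assumptions: OpenSSL 3.x ("openssl list -providers") and the /proc flag path.

# kernel_fips_enabled [flag_file]
# Returns 0 when the kernel FIPS flag file contains exactly "1".
# The optional path argument lets the logic be exercised against a constructed file.
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 1
    [ "$(cat "$flag_file")" = "1" ]
}

# openssl_fips_active < provider-listing
# Reads the text of "openssl list -providers" on stdin and returns 0 only if a provider
# named "fips" is listed with "status: active". Provider names are indented by two
# spaces; their attributes (name/version/status) by four, so they never match as names.
openssl_fips_active() {
    awk '
        /^  [a-z]/                          { prov = $1 }   # start of a provider block
        prov == "fips" && /status: active/  { found = 1 }
        END                                 { exit (found ? 0 : 1) }
    '
}

# fips_check [flag_file]
# Live check combining both indicators; a missing openssl binary counts as a failure.
fips_check() {
    kernel_fips_enabled "$1" || { echo "kernel FIPS flag is not set" >&2; return 1; }
    openssl list -providers 2>/dev/null | openssl_fips_active \
        || { echo "OpenSSL FIPS provider is not active" >&2; return 1; }
    echo "FIPS mode verified: kernel flag set and OpenSSL FIPS provider active"
}

# Run the live check only when the script is invoked with --check.
if [ "${1:-}" = "--check" ]; then
    fips_check
fi
```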

To fully enable strict FIPS compliance, you must install BMC Discovery from the kickstart DVD, replacing the install or custom options with installfips or customfips. Enabling FIPS during the kickstart means that all keys and certificates generated during installation will be generated with FIPS-compliant algorithms.


Note

To enable FIPS, you must install with either installfips or customfips. Enabling FIPS after installation does not make the appliance fully FIPS compliant, because any keys and certificates generated during the installation process may not be FIPS compliant.

You cannot mount a Windows share from a FIPS-enabled appliance. The mount operation fails and an error message is written to syslog.

To enable FIPS mode on the host on which the Windows proxy is installed

When installing a proxy, the installation detects whether the Windows host is running in FIPS mode. If the host is running in FIPS mode and you are upgrading from a very old Windows proxy version, you must replace the SSL key before running the proxy. The installer displays a dialog stating this when you install a proxy onto a FIPS-enabled host.

For information on using Windows in FIPS mode, see this Microsoft knowledge base article.

To enable FIPS mode on the server where BMC Discovery Outpost is installed

When installing a BMC Discovery Outpost, the installation detects whether the Windows host is running in FIPS mode.

For information on using Windows in FIPS mode, see this Microsoft knowledge base article.
