Enabling FIPS Mode Using Configuration File

To enable FIPS mode on Unix:

  1. Open the Connection Broker configuration file ssh-broker-config.xml that you want to modify (see the section called “Connection Broker Files”).

  2. Under the general element, modify the crypto-lib element by setting its value to fips.

  3. Ensure that the cryptographic algorithms defined in the configuration file for the default-settings element and the profiles element are compatible with FIPS mode. For FIPS-compatible algorithms, see Appendix F.

  4. Save the configuration file and stop the Connection Broker if it is running:

    $ ssh-broker-ctl stop

  5. Start a new connection. You may then verify that the new Connection Broker is running in FIPS mode with:

    $ ssh-broker-ctl status

On Unix, you can switch all Tectia products to FIPS mode by creating a file named /etc/ssh2/FIPSMODE. Note that while the FIPSMODE file is present, all Tectia products will run in FIPS mode regardless of their own configuration, from the next time they are restarted.

On Linux and Solaris you can create and remove the FIPSMODE file by running the following commands respectively:

# /opt/tectia/sbin/ssh-modeset fips-mode on
# /opt/tectia/sbin/ssh-modeset fips-mode off

You may then verify your current FIPS mode with:

# /opt/tectia/sbin/ssh-modeset fips-mode-check
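The following is an added example, not code from the Tectia documentation or product, that automates the checks behind steps 2 and 3 above and the FIPSMODE override file. It assumes an element layout for ssh-broker-config.xml (a crypto-lib element with a mode attribute under general; cipher, mac, kex and hostkey-algorithm elements with a name attribute under default-settings and under each profile) and uses an illustrative allowed set; Appendix F remains the authoritative list of FIPS-compatible algorithms.

```python
# Added example (not from the Tectia documentation): a small checker for the
# FIPS-related settings described above. The element layout assumed here
# (<general><crypto-lib mode="..."/>, and <cipher>/<mac>/<kex>/
# <hostkey-algorithm name="..."/> lists under default-settings and profiles)
# is an assumption about ssh-broker-config.xml, as is the illustrative allowed
# set; Appendix F of the product manual is the authoritative FIPS list.
import os
import xml.etree.ElementTree as ET

# Constructed sample configuration in the assumed layout; the deliberately weak
# entries (arcfour, hmac-md5, blowfish-cbc) are there to be flagged.
SAMPLE_CONFIG = """<secsh-broker version="1.0">
  <general>
    <crypto-lib mode="standard" />
  </general>
  <default-settings>
    <ciphers>
      <cipher name="aes128-ctr" />
      <cipher name="arcfour" />
    </ciphers>
    <macs>
      <mac name="hmac-sha1" />
      <mac name="hmac-md5" />
    </macs>
  </default-settings>
  <profiles>
    <profile id="example" host="example.invalid">
      <ciphers>
        <cipher name="blowfish-cbc" />
      </ciphers>
    </profile>
  </profiles>
</secsh-broker>
"""

# Illustrative subset of FIPS-approved algorithm names, for the demo only.
ALLOWED_EXAMPLE = {"aes128-ctr", "aes256-ctr", "aes256-cbc",
                   "hmac-sha1", "hmac-sha2-256"}

ALGORITHM_TAGS = ("cipher", "mac", "kex", "hostkey-algorithm")


def crypto_lib_mode(xml_text):
    """Return the value of general/crypto-lib@mode, or None if it is absent."""
    el = ET.fromstring(xml_text).find("general/crypto-lib")
    return None if el is None else el.get("mode")


def set_crypto_lib_fips(xml_text):
    """Return the configuration with crypto-lib mode set to fips (step 2).

    ElementTree drops any XML declaration or DOCTYPE; keep those from the
    original file when writing the result back.
    """
    root = ET.fromstring(xml_text)
    general = root.find("general")
    if general is None:
        general = ET.SubElement(root, "general")
    crypto = general.find("crypto-lib")
    if crypto is None:
        crypto = ET.SubElement(general, "crypto-lib")
    crypto.set("mode", "fips")
    return ET.tostring(root, encoding="unicode")


def _names(scope):
    """Algorithm names configured below `scope`, in document order."""
    return [el.get("name") for el in scope.iter()
            if el.tag in ALGORITHM_TAGS and el.get("name")]


def list_algorithms(xml_text):
    """Map each scope (default-settings, profile:<id>) to its algorithm names
    so they can be compared against Appendix F (step 3)."""
    root = ET.fromstring(xml_text)
    scopes = {}
    defaults = root.find("default-settings")
    if defaults is not None:
        scopes["default-settings"] = _names(defaults)
    for profile in root.iterfind("profiles/profile"):
        scopes["profile:" + profile.get("id", "?")] = _names(profile)
    return scopes


def non_fips_candidates(xml_text, allowed):
    """Return only the scopes that configure a name outside `allowed`."""
    flagged = {}
    for scope, names in list_algorithms(xml_text).items():
        bad = [n for n in names if n not in allowed]
        if bad:
            flagged[scope] = bad
    return flagged


def fipsmode_file_present(path="/etc/ssh2/FIPSMODE"):
    """True if the global FIPSMODE override file exists; it takes precedence
    over the per-product configuration once the products are restarted."""
    return os.path.exists(path)


if __name__ == "__main__":
    print("crypto-lib mode:", crypto_lib_mode(SAMPLE_CONFIG))
    print("non-FIPS candidates:", non_fips_candidates(SAMPLE_CONFIG, ALLOWED_EXAMPLE))
    print("after fix:", crypto_lib_mode(set_crypto_lib_fips(SAMPLE_CONFIG)))
    print("FIPSMODE file present:", fipsmode_file_present())
```

Run it against a copy of the real configuration file by replacing SAMPLE_CONFIG with the file's contents and ALLOWED_EXAMPLE with the names from Appendix F; because the FIPSMODE file overrides the per-product setting only after a restart, check both the file and the crypto-lib value before relying on ssh-modeset fips-mode-check.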