You can enable Tectia Client to operate in FIPS mode, in which all cryptographic operations are run according to the FIPS 140-2 standard.
In FIPS mode, the OpenSSL cryptographic library is used for all cryptographic operations (see FIPS-Certified Cryptographic Library). In Standard mode, the Tectia proprietary cryptographic library is used for all cryptographic operations.
Note: In FIPS mode, due to a FIPS regulation which forbids exporting unencrypted private keys out of the FIPS module, it is not possible to generate user keys without a passphrase.
To enable FIPS mode on Windows:
Open Tectia Connections Configuration GUI (see Opening the GUI).
Go to the General settings by selecting General in the tree view.
Under Cryptographic Library, select FIPS mode.
Ensure that the cryptographic algorithms defined for the default connection settings or any connection profile are compatible with FIPS mode. You will be informed of algorithms that are not allowed in FIPS mode. For FIPS-compatible algorithms, see Appendix E.
Click .
Click Stop Broker from the Tectia shortcut menu (see PrivX Desktop Shortcut Menu (Windows and Linux)).
Start a new client or connection that launches a new Connection Broker in FIPS mode.
Note: On Windows, you can switch all Tectia products to FIPS mode by creating a file named
On Windows with Tectia Server also installed on the same machine as Tectia Client, this file is created and removed automatically when FIPS mode is changed with the Tectia Server Configuration GUI and the configuration is applied.
To enable FIPS mode on Unix:
Open the Connection Broker configuration file ssh-broker-config.xml that you want to modify (see the section called “Connection Broker Files”).
Under the general element, modify the crypto-lib element by setting its value to fips.
Ensure that the cryptographic algorithms defined in the configuration file for the default-settings element and the profiles element are compatible with FIPS mode. For FIPS-compatible algorithms, see Appendix E.
Save the configuration file and stop the Connection Broker if it is running:
$ ssh-broker-ctl stop
Start a new connection. You may then verify the new Connection Broker is running in FIPS mode with:
$ ssh-broker-ctl status
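The algorithm compatibility check from the steps above can be scripted as a pre-flight test before the Broker is restarted. The following is an added example, not part of Tectia; it assumes the configuration layout general/crypto-lib (with a mode attribute) and ciphers/cipher and macs/mac elements under default-settings and profiles/profile, and its allow-list is an illustrative subset drawn from Table 3.1 (Appendix E remains the authoritative list).

```python
"""Pre-flight check of an ssh-broker-config.xml before running the Broker in FIPS mode.

Added example (not Tectia code). Element names and attributes are assumptions
about the configuration schema; the allow-lists below are illustrative only.
"""
import xml.etree.ElementTree as ET

# Illustrative FIPS allow-list (assumption): AES in CBC/CTR/GCM, 3DES-CBC, HMAC-SHA-2.
FIPS_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr",
                "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "3des-cbc"}
FIPS_MACS = {"hmac-sha2-256", "hmac-sha2-512"}

# Constructed sample configuration for the demonstration (not a shipped file).
SAMPLE_CONFIG = """<secsh-broker>
  <general><crypto-lib mode="fips"/></general>
  <default-settings>
    <ciphers><cipher name="aes256-ctr"/><cipher name="arcfour"/></ciphers>
    <macs><mac name="hmac-sha2-256"/></macs>
  </default-settings>
  <profiles>
    <profile id="legacy-host">
      <ciphers><cipher name="aes128-cbc"/></ciphers>
      <macs><mac name="hmac-md5"/></macs>
    </profile>
  </profiles>
</secsh-broker>"""

def crypto_lib_mode(root):
    """Return the crypto-lib mode; treat a missing element as Standard mode."""
    node = root.find("./general/crypto-lib")
    return node.get("mode", "standard") if node is not None else "standard"

def fips_violations(config_xml):
    """Return [(scope, kind, name)] for every algorithm not on the allow-list."""
    root = ET.fromstring(config_xml)
    if crypto_lib_mode(root) != "fips":
        return []  # Standard mode: no FIPS restriction applies.
    scopes = [("default-settings", root.find("default-settings"))]
    scopes += [(f"profile:{p.get('id', '?')}", p) for p in root.findall("./profiles/profile")]
    bad = []
    for scope, node in scopes:
        if node is None:
            continue
        for kind, allowed in (("cipher", FIPS_CIPHERS), ("mac", FIPS_MACS)):
            for alg in node.findall(f"./{kind}s/{kind}"):
                if alg.get("name") not in allowed:
                    bad.append((scope, kind, alg.get("name")))
    return bad

if __name__ == "__main__":
    for scope, kind, name in fips_violations(SAMPLE_CONFIG):
        print(f"{scope}: {kind} {name} is not allowed in FIPS mode")
```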
Note: On Unix, you can switch all Tectia products to FIPS mode by creating a file named
On Linux and Solaris you can enable and disable FIPS mode with:
# /opt/tectia/sbin/ssh-modeset fips-mode on
# /opt/tectia/sbin/ssh-modeset fips-mode off
You may then verify your current FIPS mode with:
# /opt/tectia/sbin/ssh-modeset fips-mode-check
Tectia products can be operated in FIPS mode, using a version of the cryptographic library that has been certified according to the Federal Information Processing Standard (FIPS) 140-2.
The full OpenSSL cryptographic library is distributed with Tectia Client. This OpenSSL FIPS-certified cryptographic library is used to provide the classes of functions listed in the following tables.
The functions used from OpenSSL 3.0.12 (24 Oct 2023; FIPS provider 3.0.9) on Linux, Windows, and Solaris are listed in Table 3.1.
Table 3.1. APIs used from the OpenSSL cryptographic library version 3.0
| API | Description | Functions from OpenSSL |
|---|---|---|
| Random numbers | AES/CTR DRBG based on NIST SP800-90A is used from the OpenSSL library. | RAND_bytes, RAND_add |
| Ciphers | aes-ecb, aes-cbc, aes-ofb, aes-ctx, aes-gcm, 3des-(ecb,cbc,cfb,ofb) | EVP_CIPHER_CTX_*, EVP_Cipher* |
| Math library | Bignum math library used by OpenSSL. | BN_* |
| Diffie Hellman | DH, ECDH, curve25519, curve448 | EVP_PKEY_*, DH_* |
| Hash functions | Variants: sha1[verify only], sha224, sha256, sha384, sha512 | EVP_MD_*, EVP_sha*, EVP_Digest* |
| Public Key | Variants: RSA, DSA, ECDSA, Ed25519 | EVP_PKEY_*, i2d_DSA_SIG, d2i_DSA_SIG, i2d_ECDSA_SIG, d2i_ECDSA_SIG, EVP_MD_*, ECDSA_SIG_*, DSA_SIG_*, EC_GROUP_*, EC_POINT_* |
| Misc | Miscellaneous functions | ERR_error_string_n, ERR_get_error, OpenSSL_version, OSSL_PARAM_*, OSSL_PROVIDER_*, CRYPTO_free, CONF_modules_load_file_ex, EVP_default_properties_enable_fips |
No certificate functions are used from the OpenSSL library. Tectia provides its own certificate libraries.