CORE FIPS Specifications

Unbound FIPS 140-2 certified crypto capabilities are specified in:
- FIPS 140-2 Certificate #3378 and
- FIPS 140-2 Certificate #3453.
CORE in FIPS mode (the system mode that allows processing both FIPS-certified and non-certified keys) is supported on the following platforms, as listed in the Approved Protection Profile for General Purpose Operating Systems publication NIAP pp_os_v4.2.1:
- Red Hat Enterprise Linux
- Windows Server

Running in the FIPS Mode

The CORE Server software supports two modes of crypto protection and processing: FIPS mode and non-FIPS mode. CORE provides two methods to enter FIPS mode:

To test FIPS mode without admin privileges, see Running Sudo-less FIPS Mode.

Bootstrapping in FIPS Mode

The FIPS triplet installation and bootstrapping are similar to the bootstrapping of a standard (non-FIPS) triplet. The differences are highlighted below.
Steps:

  1. Select three servers that meet CORE FIPS Specifications.
  2. Install. Follow the Install CORE Server Software instructions on each server.
  3. Bootstrap. Add the -fips option to the bootstrapping parameters in Bootstrap the First Triplet.
  4. Activate the triplet. See EKM Service Restart in FIPS Triplet.
  5. Enable CLI and UI. These steps are like those in the standard system:
    1. As needed, Enable UCL on EP.
    2. Run the First Test.
    3. As needed, Unlock UI.
    4. As needed, Customize the Default Settings.

QuickStart - Fresh System

In the following example, we create a system in FIPS mode with one partition and two keys: one key (RSA) is FIPS-certified, the other (EdDSA, the Edwards-curve Digital Signature Algorithm) is not FIPS-certified.

We work from the ground up without assuming previous CORE experience. Users with previous CORE experience, please note the following enhancements to the standard commands:
- Bootstrap scripts must include the -fips option.
- Partition creation must specify the required FIPS mode policy (--fips <policy-name>).

This example targets Linux servers. It uses the following entities:

Step 1. Run on: EP, Partner, Aux

sudo rpm -ivh <CORE Server Software>.rpm

Step 2. Run on: EP

Bootstrap the software.

sudo /opt/ekm/bin/ekm_boot_ep.sh --self ep1 -p partner1 -x aux1 -fips -f -w Password1!

It also creates the Root SO (security officer, the partition administrator role) with credentials (so, Password1!).

Step 2 (continued). Run on: Partner

sudo /opt/ekm/bin/ekm_boot_partner.sh --self partner1 -p ep1 -x aux1 -fips -f

Step 2 (continued). Run on: Aux

sudo /opt/ekm/bin/ekm_boot_auxiliary.sh --self aux1 -e ep1 -p partner1 -fips -f

Step 3. Run on: Partner, Aux

Start the EKM (Enterprise Key Management, the previous name of the product) service on the Partner and Aux servers.

sudo service ekm start

Step 4. Run on: EP

Now, start the EKM service on the EP server.

sudo service ekm start

Important. EP must be the last to start.

Step 5. Run on: EP

Make sure that the system is up and running.

ucl server test

Step 6. Run on: EP

Create a CORE partition "test". Set the FIPS mode in the partition to preferred.

sudo ucl partition create -p test --fips preferred --so_password Password2! -w Password1!

The credentials of the new partition's SO are: (so, Password2!).

See Note below.

Step 7. Run on: EP

Create a FIPS-certified key and verify that it shows fips=true.

ucl generate -t rsa --name rsa1 -p test -w Password2!

ucl show --name rsa1 -p test -w Password2!

Step 8. Run on: EP

Create a key that is not certified by FIPS and verify that it shows fips=false.

ucl generate -t eddsa --name eddsa1 -p test -w Password2!

ucl show --name eddsa1 -p test -w Password2!

Note
The partition's FIPS mode (fips-req) is set to "--fips preferred". It indicates that the FIPS-certified key material in the partition will be processed in FIPS mode while the rest of the material will be processed in non-FIPS mode.

Upgrading to FIPS Mode

Use the following steps to upgrade a non-FIPS system to a FIPS mode system:

  1. Make sure your servers meet CORE FIPS Specifications.
  2. Enable FIPS mode:
     ucl system-settings set -k is-fips -v 1
  3. Activate the change - see EKM Service Restart in FIPS Triplet.

QuickStart - Upgrading to FIPS Mode

In the following example, we upgrade a system from non-FIPS mode (the advanced execution mode that hasn't yet received the FIPS certification) to FIPS mode, create a new partition, and create two keys: one key (RSA) is FIPS-certified, the other (EdDSA) is not FIPS-certified.

Users with previous CORE experience, note the following enhancements to the standard commands:
- Partition creation must specify the required FIPS mode policy (--fips <policy-name>).
- Restarting the EKM service must be done by stopping the service on all three servers and starting the service in a particular order.

Before the Upgrade:

  1. Make sure the servers meet CORE FIPS Specifications.
  2. Optionally, back up the system. See Database Backup.
  3. To undo the upgrade, restore the state of the system that was captured before the upgrade.

Upgrade:

We use the same names and credentials as in QuickStart - Fresh System.

Step 1. Run on: EP

Make sure all three servers are OK.

ucl server test

Step 2. Run on: EP

Declare your intent to upgrade to FIPS mode.

ucl system-settings set -k is-fips -v 1 -w Password1!

Step 3. Run on: EP, Partner, Aux

Prepare all three servers for the activation of FIPS mode.

sudo service ekm stop

Step 4. Run on: Partner, Aux

Start the EKM service on the Partner and Aux servers.

sudo service ekm start

Step 5. Run on: EP

Now, start the EKM service on the EP server.

sudo service ekm start

Important. EP must be the last to start.

Step 6. Run on: EP

Make sure that the system is up and running.

ucl server test

Step 7. Run on: EP

Create the CORE partition "test". Set the FIPS mode in the partition to preferred.

sudo ucl partition create -p test --fips preferred --so_password Password2! -w Password1!

The credentials of the new partition's SO are: (so, Password2!).

See Note below.

Step 8. Run on: EP

Create a FIPS-certified key and verify that it shows fips=true.

ucl generate -t rsa --name rsa1 -p test -w Password2!

ucl show --name rsa1 -p test -w Password2!

Step 9. Run on: EP

Create a key that is not certified by FIPS and verify that it shows fips=false.

ucl generate -t eddsa --name eddsa1 -p test -w Password2!

ucl show --name eddsa1 -p test -w Password2!

Note
The partition's FIPS mode (fips-req) is set to "--fips preferred". It indicates that the FIPS-certified key material in the partition will be processed in FIPS mode while the rest of the material will be processed in non-FIPS mode.
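
The restart order used in steps 3 to 6 of the upgrade (stop all three servers, start Partner and Aux, start EP last, then run the health check) can be wrapped so that it cannot be run out of order. The following is an added example, not part of the product documentation. The host names ep1, partner1 and aux1 are taken from the QuickStart; SSH access with passwordless sudo, the RUN hook and the function names are assumptions.

```shell
#!/bin/sh
# Added example: ordered EKM service restart for a FIPS triplet.
# Assumptions: hosts are reachable over SSH with passwordless sudo, and
# ucl is on the PATH of the EP login shell.
EP="${EP:-ep1}"
PARTNER="${PARTNER:-partner1}"
AUX="${AUX:-aux1}"

# RUN executes one command on one host. Set RUN=echo_run for a dry run.
ssh_run()  { ssh -o BatchMode=yes "$1" "$2"; }
echo_run() { printf '%s: %s\n' "$1" "$2"; }
RUN="${RUN:-ssh_run}"

# Emit the plan as "host<TAB>command" lines in the required order.
restart_plan() {
    for h in "$EP" "$PARTNER" "$AUX"; do
        printf '%s\t%s\n' "$h" "sudo service ekm stop"
    done
    for h in "$PARTNER" "$AUX"; do
        printf '%s\t%s\n' "$h" "sudo service ekm start"
    done
    # EP must be the last to start.
    printf '%s\t%s\n' "$EP" "sudo service ekm start"
    printf '%s\t%s\n' "$EP" "ucl server test"
}

# Execute the plan and abort at the first failure, so EP is never started
# when Partner or Aux did not come up.
restart_triplet() {
    restart_plan | while IFS="$(printf '\t')" read -r host cmd; do
        # </dev/null keeps ssh from consuming the rest of the plan on stdin.
        "$RUN" "$host" "$cmd" </dev/null || {
            echo "failed on $host: $cmd" >&2
            exit 1
        }
    done
}
```

Run `RUN=echo_run restart_triplet` first to print the plan without touching the servers, then call `restart_triplet` from an admin host.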

Running Sudo-less FIPS Mode

Start with a non-FIPS triplet by sudo-less installation and bootstrapping of a regular triplet. See Sudo-less Quickstart on Linux.

Once the non-FIPS triplet is running, perform the following steps:

  1. On each server, set the following links:
    • ln -fs /usr/lib64/libssl.so.10 <reloc_installation_dir>/usr/lib64/libssl.so.1.0.0
    • ln -fs /usr/lib64/libcrypto.so.10 <reloc_installation_dir>/usr/lib64/libcrypto.so.1.0.0
  2. On each server, restart the EKM service.
  3. On EP, set FIPS mode by using the ucl system-settings set -k is-fips -v 1 command.
  4. Restart the servers as specified in EKM Service Restart in FIPS Triplet.