FIPS 140-2 Compliance in SSL/TLS, SSH, SMIME and Cloud Components


Requirements: One of the following libraries, but only for the specific OS/language combinations listed below.

Additionally, the Java edition requires Bouncy Castle FIPS to be downloaded and installed separately; for more information see the Java details below.

The following table lists the current language, OS, and library FIPS compatibility:

Windows macOS/Linux
.NET Framework
.NET Core, .NET Standard
C++, Python, Delphi, PHP
Java
JavaScript, Node.js

FIPS 140-2 Compatibility

FIPS-compliant algorithms in supported libraries utilize the underlying operating system's certified APIs. Java editions, regardless of OS, utilize Bouncy Castle FIPS, while all the other Windows editions make use of Microsoft security libraries.

Using FIPS-compliant Libraries

.NET and C++ Editions

FIPS mode can be enabled in .NET and C++ editions by setting the UseFIPSCompliantAPI configuration setting to true. Note that this setting is only applicable on Windows.

UseFIPSCompliantAPI is a static setting that applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

For example:

Component.Config("UseFIPSCompliantAPI=true");

When UseFIPSCompliantAPI is enabled in .NET and C++ editions, the behavior of TLS-enabled components depends on the value of the UseInternalSecurityAPI configuration setting. If UseInternalSecurityAPI is enabled, the component will utilize our internal TLS implementation for all TLS-enabled components while using the system's certified APIs for all cryptographic operations. Our internal TLS implementation will prevent any non-FIPS-compliant algorithms from being utilized, ensuring FIPS compliance.

If UseInternalSecurityAPI is disabled, the component will utilize the platform (Windows) TLS implementation for TLS-enabled components in addition to using the system's certified APIs for all cryptographic operations. However, when using the platform TLS implementation, it is the platform's responsibility to prevent any non-FIPS-compliant algorithms from being utilized. As a result, the system must be configured to operate in FIPS mode to ensure FIPS compliance when using the platform TLS implementation.

There are two ways to configure your Windows system to operate in FIPS mode:

  • Open the Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.
  • Open the Windows registry, navigate to HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled, and set the Enabled DWORD to 1.

For more information, please refer to the Microsoft article here.

Java Edition

The Java editions of IPWorks SSL and IPWorks SSH require installation of the FIPS certified Bouncy Castle library regardless of the target operating system. This can be downloaded from https://www.bouncycastle.org/fips-java/. Only the "Provider" library is needed. The jar file should then be installed in a JRE search path.

FIPS mode can be enabled in the Java editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

In the application where the component will be used the following classes must be imported:

import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:

System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());

When UseFIPSCompliantAPI is true, SSL-enabled classes can optionally be configured to use the Bouncy Castle TLS library. When SSLProvider is set to sslpAutomatic (default) or sslpInternal, an internal TLS implementation is used, but all cryptographic operations are offloaded to the BCFIPS provider in order to achieve FIPS-compliant operation. If SSLProvider is set to sslpPlatform, the Bouncy Castle JSSE will be used in place of the internal TLS implementation.

To enable the use of the Bouncy Castle JSSE, take the following steps in addition to the steps above. Both the Bouncy Castle FIPS provider and the Bouncy Castle JSSE must be configured to use the Bouncy Castle TLS library in FIPS mode. Obtain the Bouncy Castle TLS library from https://www.bouncycastle.org/fips-java/. The jar file should then be installed in a JRE search path.

In the application where the component will be used the following classes must be imported:

import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
//required to use BCJSSE when SSLProvider is set to sslpPlatform
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:

System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());
//required to use BCJSSE when SSLProvider is set to sslpPlatform
Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
//optional - configure logging level of BCJSSE
java.util.logging.Logger.getLogger("org.bouncycastle.jsse").setLevel(java.util.logging.Level.OFF);
//configure the class to use BCJSSE
component.setSSLProvider(1); //platform
component.config("UseFIPSCompliantAPI=true");

Note: TLS 1.3 support requires the Bouncy Castle TLS library version 1.0.14 or later.

After the above configuration the component can be configured to use the FIPS compliant implementation like so:

Component.Config("UseFIPSCompliantAPI=true");
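
A fail-closed startup check for the Java Edition steps above, added here as an example; it is not code from the toolkit or from Bouncy Castle. It assumes the Bouncy Castle FIPS provider jar is on the classpath; the class name FipsStartupCheck and the use of Blowfish as a non-approved probe are choices made for this example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Security;
import javax.crypto.Cipher;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

// Added example: verify FIPS mode before any component is used (hypothetical class name).
public final class FipsStartupCheck {

    // Registers BCFIPS in approved-only mode and verifies that the mode took effect.
    public static void requireFipsMode() throws GeneralSecurityException {
        // Set before the provider is created, in the same order as the steps above.
        System.setProperty("org.bouncycastle.fips.approved_only", "true");
        if (Security.getProvider("BCFIPS") == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            throw new IllegalStateException("BCFIPS is not in approved-only mode");
        }
        // An approved algorithm must resolve from BCFIPS (throws if it does not).
        MessageDigest.getInstance("SHA-256", "BCFIPS");
        // A non-approved algorithm must be refused by the provider.
        if (nonApprovedAvailable("Blowfish")) {
            throw new IllegalStateException("BCFIPS served a non-approved cipher");
        }
    }

    // Returns true only if BCFIPS hands out the given non-approved transformation.
    static boolean nonApprovedAvailable(String transformation) {
        try {
            Cipher.getInstance(transformation, "BCFIPS");
            return true;
        } catch (GeneralSecurityException | FipsUnapprovedOperationError refused) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        requireFipsMode();
        System.out.println("BCFIPS approved-only mode verified");
        // Only now enable the toolkit setting, before any connection is made:
        // component.config("UseFIPSCompliantAPI=true");
    }
}
```

Running the check once at process start matches the guidance that UseFIPSCompliantAPI is a static, process-wide setting that should be set before any component connects.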

Licensing

Enabling FIPS-compliance requires a special license; please contact sales@nsoftware.com for details.
