FIPS-Mode Considerations
Certificates used for FIPS-mode sessions must be signed with a FIPS-approved message digest, such as SHA-1.
If a certificate is signed with an unapproved message digest, such as MD5, it will fail session authentication when FIPS mode is enabled. This applies to the entire certificate chain. The certificate is validated in both key certificate files and trusted root certificate files.
Ensure that the certificates that your FIPS-mode trading partners use are signed with the SHA-1 message digest.
SSL certificates and SSH keys used for FIPS-mode sessions must have a minimum key length of 1024 bits.
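The two rules above (every certificate in the chain signed with an approved digest, and a key of at least 1024 bits) are easy to check before a trading partner's certificate is loaded. The following script is an added example, not part of the Secure Proxy documentation: it uses the standard openssl command line to split a PEM bundle into its certificates and classifies each one. The set of approved digests it uses is an assumption for this example (the page names SHA-1; the SHA-2 family is also FIPS-approved), and the two sample certificate texts are constructed openssl-style output, not certificates from the product.

```shell
#!/bin/sh
# Added example (not from the Secure Proxy documentation): flag certificates in a
# PEM chain whose signature digest is not FIPS-approved (for example MD5) or whose
# public key is shorter than the minimum stated on the page.

# Assumption for this example: SHA-1 (named on the page) and the SHA-2 family are
# treated as approved; anything else, MD5 included, fails.
APPROVED_DIGESTS='sha1 sha224 sha256 sha384 sha512'
MIN_KEY_BITS=1024   # minimum key length stated on the page

# classify_cert_text: read "openssl x509 -text" output on stdin, print PASS or one
# FAIL line per problem. Returns 0 on PASS, 1 on FAIL.
classify_cert_text() {
    text=$(cat)
    # "Signature Algorithm: md5WithRSAEncryption" -> "md5"; the first such line is
    # the one inside the TBS certificate. ECDSA prints "ecdsa-with-SHA256", so the
    # digest name is pulled out after lower-casing rather than by splitting on "With".
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    digest=$(printf '%s\n' "$sigalg" | tr 'A-Z' 'a-z' | grep -o -E 'sha[0-9]+|md[0-9]' | head -n1)
    # "Public-Key: (2048 bit)" -> 2048
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    status=0
    case " $APPROVED_DIGESTS " in
        *" $digest "*) ;;
        *) echo "FAIL: signature digest '${digest:-unknown}' is not FIPS-approved"; status=1 ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_KEY_BITS" ]; then
        echo "FAIL: key length ${bits:-unknown} is below $MIN_KEY_BITS bits"; status=1
    fi
    [ "$status" -eq 0 ] && echo PASS
    return $status
}

# check_chain FILE: split a PEM bundle into its certificates and classify each one
# (needs the openssl CLI). Returns 1 if any certificate in the chain fails, which is
# the case the page describes: one bad certificate anywhere in the chain fails the session.
check_chain() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    rc=0
    for c in "$tmp"/*.pem; do
        [ -e "$c" ] || { echo "no certificates found in $1"; rc=1; break; }
        printf '%s: ' "$(openssl x509 -in "$c" -noout -subject)"
        openssl x509 -in "$c" -noout -text | classify_cert_text || rc=1
    done
    rm -rf "$tmp"
    return $rc
}

# make_test_chain DIR: write a constructed self-signed SHA-256 / 2048-bit certificate
# to DIR/chain.pem for the live demo (needs openssl).
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj '/CN=fips-check-example' \
        -keyout "$1/key.pem" -out "$1/chain.pem" >/dev/null 2>&1
}

# Constructed samples in the shape of "openssl x509 -text" output (not real certificates).
SHA1_SAMPLE='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption'

MD5_SAMPLE='Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
    Signature Algorithm: md5WithRSAEncryption'

# Live demo when openssl is available; otherwise only the functions are defined.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_test_chain "$d" && { check_chain "$d/chain.pem" || echo "chain check failed"; }
    rm -rf "$d"
fi
```

Run it against a partner's chain with `check_chain partner-chain.pem`; the output names the subject of each certificate and the reason it would be rejected in FIPS mode, so an MD5-signed intermediate is caught before it causes a failed session authentication.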
FIPS 140-2 Mode Configuration
Secure Proxy, which is FIPS 140-2 validated, provides you with a FIPS solution. FIPS-mode operation is available only for the TLS protocol.
When you enable FIPS mode for Secure Proxy, the list of cipher suites is unchanged; all ciphers are listed. You must select at least one FIPS-approved cipher. For a list of the FIPS-approved cipher suites, see Cipher Suites Supported.
If no FIPS-approved ciphers are selected, Secure Proxy will terminate the SSL connection and log an error message.
- Configuration Manager and Secure Proxy Engine
- Secure Proxy Engine and Sterling External Authentication Server
- Sterling External Authentication Server and LDAP
- Sterling External Authentication Server and Sterling B2B Integrator (through a user exit)
- Sterling External Authentication Server GUI and Sterling External Authentication Server