FIPS-Mode Considerations

Certificates used for FIPS-mode sessions must be signed with a FIPS-approved message digest, such as SHA-1.

If a certificate is signed with an unapproved message digest, such as MD5, it will fail session authentication when FIPS mode is enabled. This applies to the entire certificate chain. The certificate is validated in both key certificate files and trusted root certificate files.

Note: When FIPS mode is enabled, you will not receive an error when you check in or import certificates that are not signed with a FIPS-approved message digest.

Ensure that the certificates your FIPS-mode trading partners use are signed with the SHA-1 message digest.

SSL Certificates and SSH keys used for FIPS-mode sessions must have a minimum key length of 1024.
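Because certificate check-in does not flag an unapproved digest, an offline check before deployment is useful. The following is an added example, not part of Secure Proxy or its documentation: it applies the two requirements above to every certificate in a PEM chain (signature digest must be FIPS-approved; RSA keys must be at least 1024 bits). It assumes the openssl command-line tool is available for real files; the decision logic itself is exercised on constructed text excerpts embedded below.

```python
import re
import subprocess

# Digests accepted for certificate signatures: SHA-1 as the page states, plus the
# SHA-2 family, which is also FIPS-approved. MD5 (and MD2) signatures are rejected.
APPROVED_DIGESTS = {"sha1", "sha224", "sha256", "sha384", "sha512"}
MIN_RSA_BITS = 1024  # minimum key length stated on the page

_SIG_RE = re.compile(r"Signature Algorithm:\s*([\w-]+)")
_DIGEST_RE = re.compile(r"(md2|md5|sha1|sha224|sha256|sha384|sha512)", re.I)
_ALG_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
_BITS_RE = re.compile(r"Public-Key:\s*\((\d+) bit\)")

def check_cert_text(text: str, label: str = "cert") -> list[str]:
    """Findings for one certificate's `openssl x509 -text` output; an empty list means it passes."""
    findings = []
    sig = _SIG_RE.search(text)  # first occurrence is the to-be-signed signature algorithm
    name = sig.group(1) if sig else "unknown"
    digest = _DIGEST_RE.search(name)
    if digest is None or digest.group(1).lower() not in APPROVED_DIGESTS:
        findings.append(f"{label}: signature algorithm {name} does not use a FIPS-approved digest")
    alg, bits = _ALG_RE.search(text), _BITS_RE.search(text)
    # The 1024-bit minimum is applied to RSA keys; EC keys follow different size rules.
    if alg and alg.group(1) == "rsaEncryption" and bits and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"{label}: RSA key is {bits.group(1)} bits, below the {MIN_RSA_BITS}-bit minimum")
    return findings

def split_pem(bundle: str) -> list[str]:
    """Split a PEM bundle into its individual CERTIFICATE blocks, in file order."""
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", bundle, re.S)

def check_chain_file(path: str) -> list[str]:
    """Check every certificate in a PEM chain file; the whole chain must pass, as in FIPS mode."""
    findings = []
    with open(path, encoding="ascii") as fh:
        blocks = split_pem(fh.read())
    for idx, block in enumerate(blocks):
        text = subprocess.run(["openssl", "x509", "-noout", "-text"], input=block,
                              capture_output=True, text=True, check=True).stdout
        findings += check_cert_text(text, label=f"cert[{idx}]")
    return findings

# Constructed excerpts of `openssl x509 -text` output used as sample input (not real certificates).
SAMPLE_OK = "Signature Algorithm: sha256WithRSAEncryption\n Public Key Algorithm: rsaEncryption\n  Public-Key: (2048 bit)\n"
SAMPLE_BAD = "Signature Algorithm: md5WithRSAEncryption\n Public Key Algorithm: rsaEncryption\n  Public-Key: (512 bit)\n"

if __name__ == "__main__":
    print(check_cert_text(SAMPLE_OK), check_cert_text(SAMPLE_BAD))
```

Run `check_chain_file("chain.pem")` on an exported key-certificate or trusted-root file; any non-empty result names the chain member that would fail session authentication in FIPS mode.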

Note: Secure Proxy uses TLS protocols (TLS V1.0, TLS V1.1, or TLS V1.2) only for FIPS-mode sessions. If an SSL protocol is selected, Secure Proxy defaults to the TLS V1.0 protocol.

FIPS 140-2 Mode Configuration

Secure Proxy, which is FIPS 140-2 validated, provides you with a FIPS solution. FIPS-mode operation is available only for the TLS protocol.

When you enable FIPS mode for Secure Proxy, the list of cipher suites is unchanged; all ciphers are listed. You must select at least one FIPS-approved cipher. For a list of the FIPS-approved cipher suites, see Cipher Suites Supported.

If no FIPS-approved ciphers are selected, Secure Proxy will terminate the SSL connection and log an error message.

When you enable FIPS compliance, the setting is global. All communication sessions must use FIPS-approved cipher suites and certificates. This includes all communication between the following components:
  • Configuration Manager and Secure Proxy Engine
  • Secure Proxy Engine and Sterling External Authentication Server
  • Sterling External Authentication Server and LDAP
  • Sterling External Authentication Server and Sterling B2B Integrator (through a user exit)
  • Sterling External Authentication Server GUI and Sterling External Authentication Server