FIPS mode issues
FIPS mode configuration issue and resolutions are provided, to enable FIPS mode successfully on nodes.
FIPS mode is not enabled.
- Symptoms
-
- The fips-mode-setup --check command shows FIPS disabled after reboot.
- The essrun fips verify command reports FIPS mode is not active.
- The /proc/sys/crypto/fips_enabled file contains
0instead of1.
- Cause
-
- System is not rebooted after the enable command is run.
- Boot loader configuration issue prevents FIPS mode activation.
- Kernel has an incompatible version that does not support FIPS mode.
- FIPS module is corrupt or kernel parameters are missing.
- Resolution
-
- Verify FIPS status.
The FIPS is disabled after reboot.fips-mode-setup --check - Check boot loader configuration for compatible kernel
version.
grubby --info=ALL | grep fips - Rerun FIPS setup.
fips-mode-setup --enable - Reboot the system.
reboot
- Verify FIPS status.
Application is not compatible.
- Symptoms
- Applications fail with cryptographic errors after FIPS mode is enabled.
- Cause
-
- Application uses non-FIPS algorithms (MD5, DES, RC4, 3DES, and so on).
- Legacy SSL/TLS versions (SSLv3, TLS 1.0, TLS 1.1) that are disabled in FIPS mode.
- Hardcoded weak cryptographic algorithms.
- Resolution
-
- Update applications to use FIPS-approved algorithms.
- Configure applications to use TLS 1.2 or higher.
- Contact the application vendor for FIPS-compatible versions if the application cannot be configured to use FIPS-approved algorithms.