FIPS mode issues

FIPS mode configuration issue and resolutions are provided, to enable FIPS mode successfully on nodes.

FIPS mode is not enabled.

Symptoms
  • The fips-mode-setup --check command shows FIPS disabled after reboot.
  • The essrun fips verify command reports FIPS mode is not active.
  • The /proc/sys/crypto/fips_enabled file contains 0 instead of 1.
Cause
  • System is not rebooted after the enable command is run.
  • Boot loader configuration issue prevents FIPS mode activation.
  • Kernel has an incompatible version that does not support FIPS mode.
  • FIPS module is corrupt or kernel parameters are missing.
Resolution
  1. Verify FIPS status.
    fips-mode-setup --check
    The FIPS is disabled after reboot.
  2. Check boot loader configuration for compatible kernel version.
    grubby --info=ALL | grep fips
  3. Rerun FIPS setup.
    fips-mode-setup --enable
  4. Reboot the system.
    reboot

Application is not compatible.

Symptoms
Applications fail with cryptographic errors after FIPS mode is enabled.
Cause
  • Application uses non-FIPS algorithms (MD5, DES, RC4, 3DES, and so on).
  • Legacy SSL/TLS versions (SSLv3, TLS 1.0, TLS 1.1) that are disabled in FIPS mode.
  • Hardcoded weak cryptographic algorithms.
Resolution
  1. Update applications to use FIPS-approved algorithms.
  2. Configure applications to use TLS 1.2 or higher.
  3. Contact the application vendor for FIPS-compatible versions if the application cannot be configured to use FIPS-approved algorithms.