IBM Support

iBase is not compatible with Windows FIPSAlgorithmPolicy setting

Troubleshooting


Problem

If you enable the FIPSAlgorithmPolicy setting in Windows, users can no longer log in to iBase. Instead, users receive an error message when they try to log in.
This affects all versions of iBase including iBase 8.x and iBase 9.x.
The problem occurs even if the "Enforce FIPS compliance" option is selected in iBase Designer, Security Manager.

Symptom

Users see an error similar to this, when they try to log in to iBase:
        image 7886
If you try to log in to iBase Designer, you see an error similar to this:
        image 7893
Other iBase programs may also display error messages if run while the FIPS Policy is enabled in Windows.

Cause

iBase is not compatible with the Windows FIPSAlgorithmPolicy setting.  This applies to both iBase version 8 and iBase version 9.
iBase 9 introduces an "Enforce FIPS compliance" setting in iBase Designer Security Manager. When this setting is enabled, all new iBase user passwords are encrypted using FIPS-compliant algorithms. However, this setting does not make the iBase application compatible with the FIPSAlgorithmPolicy setting in Windows; you may still see errors, even if this option is enabled.

Environment

This problem occurs if the Windows workstation running iBase, or iBase Designer, has the FIPSAlgorithmPolicy setting enabled in the registry.
For more information about FIPSAlgorithmPolicy, see this Microsoft page:

Diagnosing The Problem

Look in the Windows registry, here:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
        Registry value: Enabled  Type: REG_DWORD    0x1 enabled;   0x0 disabled
If the FIPSAlgorithmPolicy is Enabled with a value of 0x1, it will block iBase users from logging in to iBase.
The FIPS Policy (and Registry setting) can also be enabled via Group Policies, like this:
        image 8086

Resolving The Problem

To disable the policy so iBase can run, set the FIPSAlgorithmPolicy value to 0x0. If the Policy was enabled via Group Policies, use the Windows Group Policy editor to disable the policy. This disables the FIPS Policy for all applications on the machine.
Reboot the machine then log in to iBase normally.
For iBase 8.x, you can alternatively disable the FIPS Policy for iBase only, while leaving the policy active for the rest of Windows, by using the .NET <enforceFIPSPolicy> directive. Add the line:
        <enforceFIPSPolicy enabled="false"/>
to the <runtime> element in iBase.exe.config, in the iBase program directory:
        <?xml version="1.0" encoding="utf-8"?>
        <configuration>
           <startup>
              <supportedRuntime version="v4.0" />
           </startup>
           <runtime>
              <generatePublisherEvidence enabled="false"/>
              <enforceFIPSPolicy enabled="false"/>
           </runtime>
        </configuration>
To run iBase Designer, iBase Database Configuration, and other iBase tools, add the <enforceFIPSPolicy enabled="false"/> directive to each .config file under 'C:\Program Files (x86)\i2 iBase 8'. If an EXE file has no .config file, create one, using iBase.exe.config as a template.
For more information about the <enforceFIPSPolicy> Element, see this Microsoft page:
iBase 9.x cannot run, even if the .NET <enforceFIPSPolicy> directive is enabled. Currently the only solution for iBase 9 is to disable FIPSAlgorithmPolicy on the machine. This issue is currently under investigation.
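The registry check and the per-executable .config directive described above can be reviewed together with a read-only script. This is an added example, not IBM code; the parameter name $IBaseDir is hypothetical and defaults to the iBase 8 directory named on this page. It changes nothing, and its output also serves as a record of which executables have been exempted from the machine-wide FIPS policy.

```powershell
# Added example (not IBM code): read-only audit of FIPS policy state for iBase 8.
# $IBaseDir is a hypothetical parameter; its default is the path given on this page.
param(
    [string]$IBaseDir = 'C:\Program Files (x86)\i2 iBase 8'
)

# 1. Machine-wide policy: Enabled = 0x1 means the FIPS policy is on.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($null -eq $fips) {
    $value = 'not set'
} else {
    $value = '0x{0:x}' -f $fips
}
[pscustomobject]@{ Check = 'FIPSAlgorithmPolicy\Enabled'; Value = $value }

# 2. Per-executable state: each EXE needs its own <name>.exe.config that
#    carries <enforceFIPSPolicy enabled="false"/> inside <runtime>.
Get-ChildItem -Path $IBaseDir -Filter *.exe -File |
    Where-Object { $_.Extension -eq '.exe' } |
    ForEach-Object {
        $cfgPath = "$($_.FullName).config"
        $state   = 'no .config file'
        if (Test-Path -LiteralPath $cfgPath) {
            try {
                $cfg  = [xml](Get-Content -LiteralPath $cfgPath -Raw)
                $node = $cfg.SelectSingleNode('/configuration/runtime/enforceFIPSPolicy')
                if ($null -eq $node) {
                    $state = 'directive absent'
                } else {
                    $state = 'enforceFIPSPolicy enabled=' + $node.GetAttribute('enabled')
                }
            } catch {
                # A malformed config file is reported rather than aborting the audit.
                $state = 'config is not well-formed XML'
            }
        }
        [pscustomobject]@{ Check = $_.Name; Value = $state }
    }
```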
The FIPSAlgorithmPolicy setting mandates that Windows use certain encryption algorithms, defined in the US Government FIPS-2 standard. All the same settings and algorithms are available, whether FIPSAlgorithmPolicy is enabled or not. FIPSAlgorithmPolicy just provides a convenient central location to mandate these encryption algorithms, system-wide.
Enabling FIPSAlgorithmPolicy can block an application's access to faster, more secure encryption algorithms, if those algorithms are not yet FIPS-certified.
Applications can also elect to use their own encryption libraries and bypass the Crypto APIs provided by Windows. In this case, the FIPSAlgorithmPolicy has no effect; it does not stop applications using their own crypto modules.

Document Location

Worldwide

Historical Number

TS004836146

Document Information

Modified date:
28 January 2021

UID

ibm16406612