FIPS 140-2 Level 2 Certification of Oracle Cryptographic Libraries for SSL

The Oracle Cryptographic Libraries for SSL, which are part of Oracle 10g Application Server (9.0.4), have received FIPS 140-2 Level 2 certification. Please refer to the certificate on the NIST website at http://csrc.nist.gov/cryptval/140-1/140crt/140crt447.pdf
What is FIPS 140-2 evaluation?
Federal Information Processing Standards (FIPS) prescribe security requirements for cryptographic modules. The security requirements cover several areas related to the design and implementation of a cryptographic module. For additional details, please visit the NIST website at http://csrc.nist.gov/cryptval/
What is the significance of this successful evaluation of Oracle 10g Application Server?
Independent measures of information assurance are required to sell into US Federal agencies. A federal policy directive, National Security Telecommunications Information Systems Security Policy (NSTISSP) Number 11, requires information systems involved in national security to have independent measures of assurance, such as Common Criteria (ISO-15408) or FIPS evaluations.
SSL libraries are part of the infrastructure components of Oracle's technology stack. Receiving FIPS 140-2 evaluation of our SSL libraries provides not only a competitive edge for our products but also a higher degree of assurance for our customers in deploying Oracle products.
Is Oracle Advanced Security's SSL adapter also included in this FIPS evaluation?
No. Only the Oracle SSL libraries included in Oracle Application Server 10g (9.0.4) have received this FIPS 140-2 certification. We are considering evaluating the Oracle SSL libraries included in the Oracle Database at the earliest opportunity.
Does Oracle 10g Application Server install in FIPS mode by default?
No. To run the product in FIPS compliant mode, set the SQLNET.SSLFIPS_140 parameter in the sqlnet.ora file to TRUE: SQLNET.SSLFIPS_140=TRUE.
Are there any feature or function restrictions of the Oracle SSL library that result from running in FIPS mode?
No. There is no loss of functionality. However, one of the following cipher suites (approved by NIST) must be used in order to run in FIPS compliant mode.
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Can a certificate stored in a third party repository such as Microsoft Certificate Store, Smart Cards or a Hardware Storage Module, and not provisioned using Oracle Wallet Manager, be used while remaining compliant with the Oracle SSL libraries' FIPS certification?
No. Since Oracle does not have any knowledge of the cryptographic algorithms used to decrypt the private key in external stores, our FIPS certification does not include storing PKI credentials in a third party repository. Provisioning certificates using Oracle Wallet Manager, that is, creating certificate requests with Oracle Wallet Manager, gives Oracle assurance about the cryptographic algorithms involved. Therefore, in order to run in FIPS compliant operation, Oracle recommends using Oracle Wallet Manager for certificate provisioning.
What components of Oracle Application Server 10g can be configured to be FIPS compliant?
Any application module that uses SSL in Oracle 10g Application Server can be configured to be FIPS compliant. Specifically, the components are Oracle HTTP Server, Web Cache and Oracle Internet Directory.
How do I configure these components in Oracle Application Server 10g to run in FIPS mode?
The new parameter SQLNET.SSLFIPS_140=TRUE is added to the sqlnet.ora file to configure the SSL libraries in FIPS mode. Ensure that the sqlnet.ora file is present under the $ORACLE_HOME/network/admin directory, or set the environment variable TNS_ADMIN to point to the location of this file. Please also note that this parameter must be added to the sqlnet.ora file using a regular text editor.
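As an added example (not from this Oracle page), the following POSIX shell audit resolves sqlnet.ora the way the answer above describes and checks it for the SQLNET.SSLFIPS_140 setting and for any configured cipher suite outside the NIST-approved list given earlier; the SSL_CIPHER_SUITES=(...) line syntax it parses is an assumption of this example and is not mentioned on the page.

```shell
#!/bin/sh
# Added example, not from the Oracle page: audit a sqlnet.ora for the FIPS
# setting and cipher suites described above. SSL_CIPHER_SUITES=(a,b) is the
# sqlnet.ora syntax assumed here; the page itself does not mention it.

# Resolve sqlnet.ora as the text describes: TNS_ADMIN wins, else ORACLE_HOME.
sqlnet_path() {
    if [ -n "$TNS_ADMIN" ]; then echo "$TNS_ADMIN/sqlnet.ora"
    elif [ -n "$ORACLE_HOME" ]; then echo "$ORACLE_HOME/network/admin/sqlnet.ora"
    else echo "neither TNS_ADMIN nor ORACLE_HOME is set" >&2; return 1; fi
}

# The six suites the page lists as NIST-approved for FIPS mode (a 2004 list:
# DES and DES40 have since been withdrawn by NIST, and the DH_anon suites do
# not authenticate the server, so check current guidance before relying on it).
FIPS_SUITES="SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"

# Uncommented lines of a sqlnet.ora with all spaces and tabs removed.
active_lines() { grep -v '^[[:space:]]*#' "$1" | tr -d ' \t'; }

# 0 when SQLNET.SSLFIPS_140=TRUE is set (case-insensitive), 1 otherwise.
fips_enabled() { active_lines "$1" | grep -qi '^SQLNET\.SSLFIPS_140=TRUE$'; }

# Print each configured suite not on the approved list; 0 if none, 1 if any.
unapproved_suites() {
    rc=0
    line=$(active_lines "$1" | grep -i '^SSL_CIPHER_SUITES=' | head -n 1)
    [ -z "$line" ] && return 0   # no suite restriction configured
    for s in $(echo "$line" | sed -e 's/^[^=]*=//' -e 's/[()]//g' | tr ',' ' '); do
        case " $(echo $FIPS_SUITES) " in
            *" $s "*) ;;
            *) echo "$s"; rc=1 ;;
        esac
    done
    return $rc
}

# Report on one file; 0 only when FIPS mode is on and every suite is approved.
check_file() {
    f="$1"; ok=0
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if fips_enabled "$f"; then echo "FIPS mode: enabled"
    else echo "FIPS mode: NOT enabled (SQLNET.SSLFIPS_140=TRUE missing)"; ok=1; fi
    bad=$(unapproved_suites "$f") || { echo "non-approved suites: $bad"; ok=1; }
    return $ok
}
# Runs only when a file is named, e.g.: sh check_fips.sh "$(sqlnet_path)"
if [ "$#" -gt 0 ]; then check_file "$1"; fi
```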