View Attach (1) Info

Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
png
 Fips.png 442.4 kB 1 29-Dec-2020 05:25 Halmágyi Árpád

This page (revision-13) was last changed on 05-Mar-2021 02:07 by Ben Spink

This page was created on 29-Dec-2020 05:25 by Halmágyi Árpád

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 1 changed one line
This will guide will cover 64 bit Linux installation only.
This guide will cover 64 bit Linux installation only.
At line 3 changed one line
1.) First update the repo cache, then install the NSS package on the host
!!1.) First update the repo cache, then install the NSS package on the host
At line 6 added one line
{{{
At line 9 added one line
}}}
At line 12 added one line
{{{
At line 15 added one line
}}}
At line 13 changed one line
2.) Create the FIPS-140 compliant PKCS-11 cryto provider and security token
!!2.) Create the FIPS-140 compliant PKCS-11 cryto provider and security token
At line 17 changed one line
{{{
At line 24 added one line
}}}
At line 22 changed one line
{{{
At line 24 changed one line
}}}
At line 26 changed one line
{{{
At line 28 changed one line
}}}
At line 30 changed one line
{{{
At line 40 added one line
}}}
At line 39 changed one line
{{{
At line 41 changed one line
}}}
At line 45 changed one line
{{{
At line 47 changed one line
}}}
At line 50 changed one line
3.) Import or issue FIPS-140 compliant certificate
!!3.) Import or issue FIPS-140 compliant certificate
At line 53 changed one line
{{{
At line 55 changed one line
}}}
At line 59 changed one line
{{{
At line 68 added one line
}}}
At line 63 changed one line
4.) Configure Java crypto bridge for FIPS-140 mode
!!4.) Configure Java crypto bridge for FIPS-140 mode
At line 66 changed one line
{{{
At line 68 changed one line
}}}
At line 70 changed one line
{{{
At line 72 changed one line
}}}
At line 82 added one line
{{{
At line 94 added one line
}}}
At line 96 added one line
!!5.) Configure Crush
At line 88 removed 2 lines
5.) Configure Crush
At line 91 changed one line
{{{
At line 93 changed one line
}}}
At line 95 changed one line
{{{
At line 97 changed one line
}}}
At line 99 changed one line
{{{
At line 109 added 6 lines
}}}
then edit the main server config file prefs.XML
{{{
vi /var/opt/CrushFTP8_PC/prefs.XML
}}}
, locate and set the
At line 102 changed one line
then edit the main server config file prefs.XML , set the <fips140>false</fips140> key value to "true". After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page
{{{<fips140>false</fips140>}}}
key value to
{{{true}}}
After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page
At line 104 changed 4 lines
In both "Tls versions" fields leave only "TLSv1,TLSv1.1" , save.
<screencap image placeholder [1] >
In both "Tls versions" fields leave only "TLSv1,TLSv1.1" , save.\\
\\
[attachments|Fips.png]\\
\\
At line 109 changed one line
{{{
At line 111 changed one line
}}}
At line 115 removed one line
<screencap image placeholder [2] >
At line 121 changed 5 lines
- online updates won't work, for our update repo server is not running in FIPS compliant mode, can only use the manual update method ( from file)
- server to server connections against a non-FIPS compliant server won't work either, when using VFS proxy or CrushTask.
- ldaps:// connections for the SAML or LDAP Group plugin don't work as well unless the directory controller is also set to FIPS mode, the trusted cert needs to be imported into the PKCS11 trust store; plain ldap:// will work just fine
- some web browsers may not work with the FIPS compliant cypher set
- SSL cypher strength assessment will never give the server "A" or close rating, for many of the FIPS compliant cyphers are "B"-rated, or lower.
* online updates won't work, for our update repo server is not running in FIPS compliant mode, can only use the manual update method ( from file)\\
* server to server connections against a non-FIPS compliant server won't work either, when using VFS proxy or CrushTask.\\
* ldaps:// connections for the SAML or LDAP Group plugin don't work as well unless the directory controller is also set to FIPS mode, the trusted cert needs to be imported into the PKCS11 trust store; plain ldap:// will work just fine\\
* some web browsers may not work with the FIPS compliant cypher set\\
* SSL cypher strength assessment will never give the server "A" or close rating, for a few of the FIPS compliant cyphers are "B"-rated, or lower.\\
At line 127 changed one line
[attachments|Fips.png]
Version Date Modified Size Author Changes ... Change note
13 05-Mar-2021 02:07 7.856 kB Ben Spink to previous
12 29-Dec-2020 05:25 7.853 kB Ben Spink to previous | to last
11 29-Dec-2020 05:25 7.777 kB Ben Spink to previous | to last
10 29-Dec-2020 05:25 6.741 kB Ben Spink to previous | to last
9 29-Dec-2020 05:25 6.598 kB Ben Spink to previous | to last
8 29-Dec-2020 05:25 6.53 kB Ben Spink to previous | to last
7 29-Dec-2020 05:25 6.553 kB Ada Csaba to previous | to last
6 29-Dec-2020 05:25 6.251 kB Ada Csaba to previous | to last
5 29-Dec-2020 05:25 5.913 kB Ada Csaba to previous | to last
4 29-Dec-2020 05:25 5.893 kB Ada Csaba to previous | to last
3 29-Dec-2020 05:25 5.728 kB Ada Csaba to previous | to last FIPS ==> FIPS-140-2 Compliant Mode
2 29-Dec-2020 05:25 5.728 kB Ada Csaba to previous | to last
1 29-Dec-2020 05:25 5.581 kB Halmágyi Árpád to last
« This page (revision-13) was last changed on 05-Mar-2021 02:07 by Ben Spink
G’day (anonymous guest)
CrushFTP10 | What's New

Referenced by
LeftMenu

JSPWiki