At line 1 changed one line
This will guide will cover 64 bit Linux installation only.
This guide will cover 64 bit Linux installation only.
At line 3 changed one line
1.) First update the repo cache, then install the NSS package on the host
!!1.) First update the repo cache, then install the NSS package on the host
At line 6 added one line
{{{
At line 9 added one line
}}}
At line 12 added one line
{{{
At line 15 added one line
}}}
At line 13 changed one line
2.) Create the FIPS-140 compliant PKCS-11 cryto provider and security token
!!2.) Create the FIPS-140 compliant PKCS-11 cryto provider and security token
At line 17 changed one line

{{{
At line 24 added one line
}}}
At line 22 changed one line

{{{
At line 24 changed one line

}}}
At line 26 changed one line

{{{
At line 28 changed one line

}}}
At line 30 changed one line

{{{
At line 40 added one line
}}}
At line 36 changed one line
On Debian/Ubuntu the NSS libraries are located at /usr/lib/x86_64-linux-gnu/nss
On Debian/Ubuntu the NSS libraries are located at /usr/lib/x86_64-linux-gnu/nss. It may be different on various versions of same operating system, best to locate the "libnss3.so" kernal module , the "nssLibraryDirectory" path has to point to it's parent directory.
At line 39 changed one line

{{{
At line 41 changed one line

}}}
At line 45 changed one line

{{{
At line 47 changed one line

}}}
At line 50 changed one line
3.) Import or issue FIPS-140 compliant certificate
!!3.) Import or issue FIPS-140 compliant certificate
At line 53 changed one line

{{{
At line 55 changed one line

}}}
At line 59 changed one line

{{{
At line 68 added one line
}}}
At line 63 changed one line
4.) Configure Java crypto bridge for FIPS-140 mode
!!4.) Configure Java crypto bridge for FIPS-140 mode
At line 66 changed one line

{{{
At line 68 changed one line

}}}
At line 70 changed one line

{{{
At line 72 changed one line

}}}
At line 82 added one line
{{{
At line 94 added one line
}}}
At line 96 added one line
!!5.) Configure Crush
At line 88 removed 2 lines
5.) Configure Crush

At line 91 changed one line

{{{
At line 93 changed one line

}}}
At line 95 changed one line

{{{
At line 97 changed one line

}}}
At line 99 changed one line

{{{
At line 109 added 6 lines
}}}
then edit the main server config file prefs.XML
{{{
vi /var/opt/CrushFTP8_PC/prefs.XML
}}}
, locate and set the
At line 102 changed one line
then edit the main server config file prefs.XML , set the <fips140>false</fips140> key value to "true". After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page
{{{<fips140>false</fips140>}}}
key value to
{{{true}}}
After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page
At line 104 changed 4 lines
In both "Tls versions" fields leave only "TLSv1,TLSv1.1" , save.

<screencap image placeholder [1] >

In both "Tls versions" fields leave only "TLSv1,TLSv1.1" , save.\\
\\
[attachments|Fips.png]\\
\\
At line 109 changed one line

{{{
At line 111 changed one line

}}}
At line 115 removed one line
<screencap image placeholder [2] >
At line 121 changed 5 lines
- online updates won't work, for our update repo server is not running in FIPS compliant mode, can only use the manual update method ( from file)
- server to server connections against a non-FIPS compliant server won't work either, when using VFS proxy or CrushTask.
- ldaps:// connections for the SAML or LDAP Group plugin don't work as well unless the directory controller is also set to FIPS mode, the trusted cert needs to be imported into the PKCS11 trust store; plain ldap:// will work just fine
- some web browsers may not work with the FIPS compliant cypher set
- SSL cypher strength assessment will never give the server "A" or close rating, for many of the FIPS compliant cyphers are "B"-rated, or lower.
* online updates won't work, for our update repo server is not running in FIPS compliant mode, can only use the manual update method ( from file)\\
* server to server connections against a non-FIPS compliant server won't work either, when using VFS proxy or CrushTask.\\
* ldaps:// connections for the SAML or LDAP Group plugin don't work as well unless the directory controller is also set to FIPS mode, the trusted cert needs to be imported into the PKCS11 trust store; plain ldap:// will work just fine\\
* some web browsers may not work with the FIPS compliant cypher set\\
* SSL cypher strength assessment will never give the server "A" or close rating, for a few of the FIPS compliant cyphers are "B"-rated, or lower.\\
At line 127 changed one line
[attachments|Fips.png]
