On Sun, Mar 16, 2014 at 5:49 AM, srikanth <skanth2...@gmail.com> wrote:
> Hi,
>
> We are working on making our application FIPS 140-2 Compliant.

There's no such thing as FIPS Compliant. You use validated cryptography, or you don't use validated cryptography.

If your marketing department calls your product FIPS {Compliant|Compatible|Approved|...}, then DHS auditors will reject your product because you're not using validated cryptography.

> We use CentOS 6.4. Is the OpenSSL bundled with CentOS 6.4 already FIPS
> Compliant?

You need to check the OpenSSL Security Policy and User Guide to ensure your platform is validated. Check the table that starts on page 30 in the User Guide at http://www.openssl.org/docs/fips/UserGuide-2.0.pdf.

> What do we need to do to make our application running on CentOS 6.4 FIPS
> Compliant? I see some posts which talk about enabling FIPS mode while
> starting the kernel (fips=1) and setting the FIPS environment variable to
> force OpenSSL to run in FIPS mode. How do we make Java run in FIPS mode,
> which also does encryption and decryption internally?

OpenSSL is a C library, not a Java library. Are you using bindings or JNI?

With Java, you often go to someone who provides a Java library such as BSAFE. You can see the list of approved modules at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

> If we need to build an RPM of OpenSSL with FIPS, what is the process to
> build it? Do I need to build both the FIPS module and the OpenSSL module by
> editing the openssl.spec file to build both?

See the Security Policy and User Guide.

https://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf and http://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
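The thread above mentions three separate switches (the kernel's fips=1 boot parameter, the kernel flag it exposes, and the environment variable that makes the openssl command enter FIPS mode) without showing how to confirm that a box actually ended up in FIPS mode. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. It assumes a RHEL/CentOS 6 style kernel that exposes /proc/sys/crypto/fips_enabled, and a FIPS-capable openssl binary that honours the OPENSSL_FIPS environment variable as the upstream 1.0.x command-line tool does (the variable name and the "MD5 is refused in FIPS mode" behaviour are assumptions about that build, not statements from the thread). The two file-based checks take their input as parameters so they can be exercised against constructed files rather than the live system.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): confirm that a host and
# its OpenSSL are really running in FIPS mode rather than merely configured for it.
# Assumptions: /proc/sys/crypto/fips_enabled exists on this kernel, and the
# openssl binary honours OPENSSL_FIPS=1 (upstream 1.0.x behaviour).

# Return 0 if the kernel flag file reports FIPS mode, 1 otherwise.
# $1 overrides the path so the check can be run against a constructed file.
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 1
    [ "$(cat "$flag_file")" = "1" ]
}

# Return 0 if the kernel command line in $1 contains exactly "fips=1".
# Surrounding spaces are added so that e.g. "fips=10" does not match.
cmdline_has_fips() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe the openssl binary. Returns:
#   0  FIPS mode engaged (approved digest works, MD5 refused under OPENSSL_FIPS=1)
#   1  FIPS mode not engaged (MD5 still works)
#   2  cannot determine (binary missing or broken)
openssl_fips_mode_active() {
    bin="${1:-openssl}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # An approved algorithm must still work, otherwise the binary itself is broken.
    printf 'probe' | OPENSSL_FIPS=1 "$bin" dgst -sha256 >/dev/null 2>&1 || return 2
    # MD5 is not an approved algorithm; a FIPS-mode library refuses it.
    if printf 'probe' | OPENSSL_FIPS=1 "$bin" dgst -md5 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable report over the live system; run as: sh fipscheck.sh --check
report() {
    if kernel_fips_enabled; then
        echo "kernel: FIPS mode enabled (/proc/sys/crypto/fips_enabled = 1)"
    else
        echo "kernel: FIPS mode NOT enabled"
    fi
    if [ -r /proc/cmdline ] && cmdline_has_fips "$(cat /proc/cmdline)"; then
        echo "boot:   fips=1 present on the kernel command line"
    else
        echo "boot:   fips=1 absent from the kernel command line"
    fi
    openssl_fips_mode_active
    case $? in
        0) echo "openssl: FIPS mode engaged (MD5 refused)" ;;
        1) echo "openssl: FIPS mode NOT engaged (MD5 still accepted)" ;;
        *) echo "openssl: could not determine (binary missing or failing)" ;;
    esac
}

case "${1:-}" in
    --check) report ;;
esac
```

A host where only some of these checks pass is not validated: the kernel flag without the FIPS-capable library, or the library without the kernel flag, both leave the application outside the boundary the Security Policy describes, and only the platform/version table in the User Guide says whether the combination is a validated one at all.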