I came across this FIPS topic on the introduction of Mozilla NSS in our organisation (we have a fairly detailed procedure when new FOSS software is introduced).

To answer the question, ActiveMQ isn't on the published lists, so the answer is no - a product is not compliant until it has been certified as such. Once a module is validated, then it's on the validated lists: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

However, I would question whether ActiveMQ needs to be - perhaps a "FIPS mode" would suffice. Consider NSS. Now it's validated - FIPS 140-2 compliant. So Firefox has a FIPS mode. Once you have a password for your "encryption device" you can turn on FIPS mode.

ActiveMQ - like Firefox - doesn't itself own or develop any cryptographic modules. At a simple level, for encrypted passwords, the Apache V2-licensed jasypt library is used: http://www.jasypt.org

Jasypt relies on JCE. You can see on csrc.nist.gov which JCE modules have been validated as compliant.

Note the concept of "FIPS mode" - explained well here: https://developer.mozilla.org/en/NSS/FIPS_Mode_-_an_explanation

-----
Michael Hayes B.Sc. (NUI), M.Sc. (DCU), SCSA SCNA
--
View this message in context: http://activemq.2283324.n4.nabble.com/FIPS-140-2-tp4653345p4653436.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.