FIPS 140-2 Compliance in SSL/TLS, SSH, SMIME and Cloud Components
Requirements: One of the following libraries, but only for the specific OS/language combinations listed below.
- IPWorks
- IPWorks Encrypt
- IPWorks PGP
- IPWorks SMIME
- IPWorks SSL
- IPWorks SSH
- Cloud Keys
- Cloud Mail
- Cloud Storage
Additionally, the Java edition requires Bouncy Castle FIPS to be downloaded and installed separately; for more information see the Java details below.
The following table lists the current language, OS and library FIPS compatibility (filled in from the per-language sections below; see those sections for the details):
Edition | Windows | macOS/Linux
---|---|---
.NET Framework | Yes | No
.NET Core, .NET Standard | Yes | No
C++, Python, Delphi, PHP | Yes | No
Java | Yes | Yes
JavaScript, Node.js | |
Contents
FIPS 140-2 Compatibility
When FIPS mode is enabled, the toolkits do not use their own cryptographic implementations; all FIPS-compliant algorithms are performed by the underlying platform's certified APIs. Java editions, regardless of OS, use the Bouncy Castle FIPS provider (BCFIPS), while all other editions use the Microsoft security libraries and are therefore FIPS capable only on Windows.
Using FIPS-compliant Libraries
C++
FIPS mode can be enabled in the C++ editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process, so enable or disable it once, before any component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.
For example:
Component.Config("UseFIPSCompliantAPI=true");
Note that this setting is only applicable on Windows.
.NET
FIPS compliance applies to all of the .NET binaries in our libraries, but only on Windows.
FIPS mode can be enabled in the .NET editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process, so enable or disable it once, before any component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.
For example:
Component.Config("UseFIPSCompliantAPI=true");
Note that this setting is only applicable on Windows.
Java
The Java editions require installation of the FIPS-certified Bouncy Castle provider (BCFIPS) regardless of the target operating system. It can be downloaded from https://www.bouncycastle.org/fips-java/. For the default configuration only the "Provider" library (the bc-fips jar) is needed; the jar file should then be installed in a JRE search path or on the application classpath.
FIPS mode can be enabled in the Java editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process, so enable or disable it once, before any component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.
In the application where the component will be used the following classes must be imported:
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS (approved-only) mode. The system property is read when the provider class is initialized, so it must be set before the provider is first referenced:
System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());
When UseFIPSCompliantAPI is true, SSL-enabled classes can optionally be configured to use the Bouncy Castle TLS library. When SSLProvider is set to sslpAutomatic (the default) or sslpInternal, the toolkit's internal TLS implementation is used, but all cryptographic operations are offloaded to the BCFIPS provider so that operation is FIPS compliant. If SSLProvider is set to sslpPlatform, the Bouncy Castle JSSE is used in place of the internal TLS implementation.
To use the Bouncy Castle JSSE, take the following steps in addition to those above. Obtain the Bouncy Castle TLS library from https://www.bouncycastle.org/fips-java/ and install its jar file in a JRE search path alongside the provider jar. The JSSE provider is registered with the configuration string "fips:BCFIPS", which binds it to the BCFIPS provider for all cryptographic operations so that TLS also runs in FIPS mode.
In the application where the component will be used the following classes must be imported:
import java.security.Security;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
//required to use BCJSSE when SSLProvider is set to sslpPlatform
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
The Bouncy Castle FIPS provider must be added and configured to operate in FIPS mode, and the JSSE provider registered on top of it:
System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());
//required to use BCJSSE when SSLProvider is set to sslpPlatform
Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
//optional - configure logging level of BCJSSE
Logger.getLogger("org.bouncycastle.jsse").setLevel(Level.OFF);
//configure the class to use BCJSSE
component.setSSLProvider(1); //sslpPlatform
component.config("UseFIPSCompliantAPI=true");
Note: TLS 1.3 support requires the Bouncy Castle TLS library version 1.0.14 or later.
With the provider registered, the component is switched to the FIPS compliant implementation in the same way as in the other editions:
component.config("UseFIPSCompliantAPI=true");
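The steps above leave one gap a practitioner will want closed: nothing confirms that the JVM is actually in approved-only mode before the first component is created. The following class is an added example (it is not nsoftware's or Bouncy Castle's code) that performs the provider registration from this article in the required order and then checks the result using public BCFIPS APIs (CryptoServicesRegistrar.isInApprovedOnlyMode(), a SHA-256 digest resolved through BCFIPS, and a negative test that MD5 is rejected). It assumes the bc-fips jar, and for the --jsse path the Bouncy Castle TLS jar, are on the classpath; the toolkit component calls are shown only as the article's own two lines in a comment, because the component class depends on which product is in use.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.net.ssl.SSLContext;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Added example: register BCFIPS (and optionally BCJSSE) in approved-only
 * mode before any toolkit component exists, then verify the mode took effect.
 * Assumes bc-fips (and bctls-fips for --jsse) on the classpath.
 */
public final class FipsBootstrap {

    private FipsBootstrap() {}

    /** Registers the providers. Must run before BCFIPS is first loaded. */
    public static void install(boolean withJsse) {
        // Read when BouncyCastleFipsProvider initialises, so it has to be set
        // before the first reference to that class anywhere in the process.
        System.setProperty("org.bouncycastle.fips.approved_only", "true");

        if (Security.getProvider("BCFIPS") == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }
        if (withJsse && Security.getProvider("BCJSSE") == null) {
            // "fips:BCFIPS" makes the JSSE route all crypto through BCFIPS.
            Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
            Logger.getLogger("org.bouncycastle.jsse").setLevel(Level.OFF);
        }
    }

    /** Throws if the process is not really in approved-only (FIPS) mode. */
    public static void verify(boolean withJsse) throws Exception {
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            throw new IllegalStateException(
                "BCFIPS is loaded but not in approved-only mode; "
                + "org.bouncycastle.fips.approved_only was set too late");
        }
        if (Security.getProvider("BCFIPS") == null) {
            throw new IllegalStateException("BCFIPS provider is not registered");
        }

        // Positive check: an approved algorithm resolved through BCFIPS works.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256", "BCFIPS");
        sha256.digest(new byte[] {1, 2, 3});  // constructed sample input

        // Negative check: MD5 is not approved. In approved-only mode BCFIPS
        // either does not register it (NoSuchAlgorithmException) or refuses
        // to run it (FipsUnapprovedOperationError). Success here is a failure.
        try {
            MessageDigest.getInstance("MD5", "BCFIPS").digest(new byte[] {1, 2, 3});
            throw new IllegalStateException("MD5 usable via BCFIPS: not in approved-only mode");
        } catch (NoSuchAlgorithmException | FipsUnapprovedOperationError expected) {
            // expected in approved-only mode
        }

        if (withJsse) {
            // Confirms the TLS stack that sslpPlatform will use is BCJSSE.
            SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
            if (!"BCJSSE".equals(ctx.getProvider().getName())) {
                throw new IllegalStateException("TLS SSLContext is not served by BCJSSE");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        boolean withJsse = args.length > 0 && "--jsse".equals(args[0]);
        install(withJsse);
        verify(withJsse);
        System.out.println("FIPS approved-only mode active" + (withJsse ? " with BCJSSE" : ""));

        // Only now create and configure toolkit components, as in the article:
        //   component.setSSLProvider(1);              // sslpPlatform -> BCJSSE
        //   component.config("UseFIPSCompliantAPI=true");
    }
}
```

Run verify() once at startup (for example from a static initializer in the class that owns the toolkit components) rather than only in a test: the most common way FIPS mode silently fails is another library touching BouncyCastleFipsProvider before the system property is set, and the registrar check is the only thing that catches that.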
Licensing
Enabling FIPS-compliance requires a special license; please contact sales@nsoftware.com for details.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.