FIPS 140-2 Compliance in SSL/TLS and SSH Components

Requirements: One of the following libraries, but only for the specific OS/language combinations listed below.

Additionally, the Java edition requires Bouncy Castle FIPS to be downloaded and installed separately; for more information see the Java details below.

The following table lists the current FIPS compatibility by language, OS and library:

Windows macOS/Linux
IPWorks SSL IPWorks SSH IPWorks SSL IPWorks SSH
.NET Framework
.NET Core, .NET Standard
C++, Python, Delphi, PHP
Java
JavaScript, Node.js

FIPS 140-2 Compatibility

FIPS-compliant algorithms in IPWorks SSL and IPWorks SSH utilize the underlying operating system's certified APIs. Java editions, regardless of OS, utilize Bouncy Castle FIPS, while all the other Windows editions make use of Microsoft security libraries.

Using FIPS-compliant Libraries

C++

FIPS mode can be enabled in the C++ editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

For example:

Component.Config("UseFIPSCompliantAPI=true");

Note that this setting is only applicable on Windows.

.NET

FIPS compliance applies to all of the .NET binaries in our libraries, but only on Windows. FIPS mode can be enabled in the .NET editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

For example:

Component.Config("UseFIPSCompliantAPI=true");

Note that this setting is only applicable on Windows.

Java

The Java editions of IPWorks SSL and IPWorks SSH require installation of the FIPS certified Bouncy Castle library regardless of the target operating system. This can be downloaded from https://www.bouncycastle.org/fips-java/. Only the "Provider" library is needed. The jar file should then be installed in a JRE search path.

FIPS mode can be enabled in the Java editions by setting the UseFIPSCompliantAPI configuration setting. This is a static setting which applies to all instances of all components of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

In the application where the component will be used, the following classes must be imported:

import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:

System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());

After the above configuration the component can be configured to use the FIPS compliant implementation like so:

Component.Config("UseFIPSCompliantAPI=true");
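The Java steps above can be combined into one startup routine that also checks the provider really is registered and in approved-only mode before the toolkit is switched over. This is an added example, not code from the toolkit: FipsStartup, enable and the componentConfig parameter are hypothetical names, and componentConfig stands in for the Config call shown above. It assumes the Bouncy Castle FIPS provider jar is on the classpath.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.function.Consumer;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

// Added example: FipsStartup and enable() are hypothetical names, not toolkit API.
public final class FipsStartup {
    private FipsStartup() {}

    /**
     * Call once at process start, before any component has opened a connection.
     * componentConfig is a stand-in for the toolkit's Config call from this page.
     */
    public static void enable(Consumer<String> componentConfig) {
        // Same order as the steps above: property first, then the provider.
        System.setProperty("org.bouncycastle.fips.approved_only", "true");
        if (Security.getProvider("BCFIPS") == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }

        // Fail closed if the provider did not register (for example, jar not found).
        Provider bc = Security.getProvider("BCFIPS");
        if (bc == null) {
            throw new IllegalStateException("BCFIPS provider is not registered");
        }
        // Fail closed if the approved_only property did not take effect.
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            throw new IllegalStateException("Bouncy Castle FIPS is not in approved-only mode");
        }
        // Smoke test: an approved algorithm must be served by the FIPS provider.
        try {
            MessageDigest.getInstance("SHA-256", bc).digest(new byte[0]);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("BCFIPS cannot provide SHA-256", e);
        }

        // Only now switch the toolkit to its FIPS-compliant implementation.
        componentConfig.accept("UseFIPSCompliantAPI=true");
    }
}
// Usage, with the page's placeholder call:
//   FipsStartup.enable(setting -> Component.Config(setting));
```

Throwing at startup keeps a misconfigured host from silently running with a non-FIPS provider.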

Licensing

Enabling FIPS-compliance requires a special license; please contact sales@nsoftware.com for details.
