FIPS 140-2 Compliance
FIPS 140-2 Compliance for Database Encryption
On specific platforms, InterSystems IRIS® data platform supports FIPS 140-2 compliant cryptography for database encryption. (FIPS 140-2 refers to Federal Information Processing Standard Publication 140-2, which is available at https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf.)
This version of InterSystems IRIS supports FIPS 140-2 compliant cryptography for database encryption on Red Hat Enterprise Linux 8 for x86-64. Red Hat holds certificates of validation for the OpenSSL libcrypto.so and libssl.so libraries, and when running in FIPS mode InterSystems IRIS uses these certified libraries rather than its own native cryptography. Validation is tied to specific minor releases and package versions; to determine whether a minor version of Red Hat Enterprise Linux has current certification, consult the Red Hat documentation.
With FIPS mode enabled, Red Hat Enterprise Linux 8 supports only TLSv1.2 and TLSv1.3; peers that require earlier TLS versions cannot connect.
For information about Red Hat support for government standards, see https://access.redhat.com/articles/2918071.
InterSystems IRIS containers are not compatible with FIPS-enabled hosts. Do not run an InterSystems IRIS container or install InterSystems IRIS in a container on a FIPS-enabled host.
Enabling FIPS Support
To enable InterSystems IRIS support for FIPS 140-2 compliant cryptography for database encryption, do the following:
- Download and install the openssl package from the Red Hat repository (rhel-8-server-rpms).
- Enable FIPS mode for the operating system. For these instructions, see the article How can I make RHEL 6/7/8 FIPS 140-2 compliant? on the Red Hat web site. (Access to this article requires Red Hat login credentials.)
- Check the directory /usr/lib64 for the following symbolic links. If they do not exist, create them:
  - The symbolic link libssl.so.1.1 should point to the appropriate versioned file (such as libssl.so.1.1.1g) in the same directory.
  - The symbolic link libcrypto.so.1.1 should point to the appropriate versioned file (such as libcrypto.so.1.1.1g) in the same directory.
- In InterSystems IRIS, set the FIPSMode CPF parameter to True (1). To do so:
  - Open the Management Portal.
  - Select System Administration > Configuration > Additional Settings > Startup. This page includes a row for FIPSMode.
  - Set the value of FIPSMode to True and save your change.
- Restart InterSystems IRIS.
- Enable and configure encrypted databases as outlined in Using Encrypted Databases.
Startup Behavior and messages.log
When InterSystems IRIS is started:
- If FIPSMode is 0, InterSystems IRIS native cryptography is used, including optimized assembly code that uses Intel AES-NI hardware instructions if the CPU supports them. In this mode, InterSystems IRIS writes the following to messages.log upon startup:
  FIPS 140-2 compliant cryptography for database encryption is not configured in iris.cpf
- If FIPSMode is 1, InterSystems IRIS attempts to resolve references to functions in the FIPS-validated library /usr/lib64/libcrypto.so, and then attempts to initialize the library in FIPS mode. If both steps succeed, InterSystems IRIS writes the following to messages.log:
  FIPS 140-2 compliant cryptography for database encryption is enabled for this instance.
- If FIPSMode is 1 but initialization of the library fails, InterSystems IRIS does not start. In this case, messages.log contains the following message:
  FIPS 140-2 compliant cryptography for database encryption initialization failed. Aborting.
  Because the instance does not start, the Management Portal is unavailable. To recover, set FIPSMode=0 directly in iris.cpf, restart, and then correct the host configuration (operating-system FIPS mode and the /usr/lib64 symbolic links) before enabling FIPSMode again.
- On platforms other than lnxrhx64 (the InterSystems platform identifier for Red Hat Enterprise Linux on x86-64), if FIPSMode is 1, InterSystems IRIS native cryptography is used, and InterSystems IRIS writes the following to messages.log:
  FIPS 140-2 compliant cryptography for database encryption is not supported on this platform.
  The instance starts normally in this case, so check messages.log rather than assuming that FIPSMode=1 alone means validated cryptography is in use.
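The enabling procedure above and the four startup messages, as an added shell example that is not InterSystems-supplied tooling: it checks the kernel FIPS flag, creates the /usr/lib64 symbolic links if they are missing, reads FIPSMode from iris.cpf, and classifies the most recent FIPS startup line in messages.log. It assumes that IRIS_DIR names the instance directory (the /usr/irissys default is hypothetical), that FIPSMode lives in the [Startup] section of iris.cpf (inferred from the Management Portal path), and that messages.log is under mgr/; the file paths accepted by each function exist so that the checks can be exercised against constructed files.

```shell
#!/bin/sh
# fips_preflight.sh: constructed example, not InterSystems-supplied tooling.
# Checks an RHEL 8 host before FIPSMode is enabled and classifies the startup
# line IRIS writes to messages.log afterwards.
# Assumptions: IRIS_DIR is the instance directory (the /usr/irissys default is
# hypothetical), FIPSMode lives in the [Startup] section of iris.cpf (inferred
# from the Management Portal path), and messages.log is under mgr/.

# Kernel FIPS state: RHEL exposes 0/1 in /proc. A path argument lets the check
# run against a constructed file.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Ensure $dir/$link is a symlink to the versioned library in the same
# directory (libssl.so.1.1 -> libssl.so.1.1.1g), creating it if missing.
# Prints the link target; returns 1 if nothing matching $link.* exists.
ensure_lib_link() {
    dir="$1"; link="$2"
    if [ -L "$dir/$link" ]; then
        readlink "$dir/$link"
        return 0
    fi
    if [ -e "$dir/$link" ]; then
        echo "$dir/$link exists but is not a symbolic link" >&2
        return 1
    fi
    for cand in "$dir/$link".*; do
        if [ -f "$cand" ]; then
            ln -s "$(basename "$cand")" "$dir/$link"
            basename "$cand"
            return 0
        fi
    done
    echo "no $link.* library found in $dir" >&2
    return 1
}

# FIPSMode from the [Startup] section of iris.cpf; prints 0 when unset.
cpf_fips_mode() {
    sed -n '/^\[Startup\]/,/^\[/p' "$1" | sed -n 's/^FIPSMode=//p' | head -n 1 | grep . || echo 0
}

# Classify the most recent FIPS startup line in messages.log using the four
# documented messages: enabled, failed, unsupported, disabled, or unknown.
fips_startup_status() {
    last=$(grep 'FIPS 140-2 compliant cryptography' "$1" | tail -n 1)
    case "$last" in
        *"is enabled for this instance"*)   echo enabled ;;
        *"initialization failed"*)          echo failed ;;
        *"not supported on this platform"*) echo unsupported ;;
        *"not configured in iris.cpf"*)     echo disabled ;;
        *)                                  echo unknown ;;
    esac
}

main() {
    iris_dir="${IRIS_DIR:-/usr/irissys}"
    fips_enabled || { echo "host is not in FIPS mode; enable it first" >&2; exit 1; }
    ensure_lib_link /usr/lib64 libssl.so.1.1 >/dev/null || exit 1
    ensure_lib_link /usr/lib64 libcrypto.so.1.1 >/dev/null || exit 1
    echo "iris.cpf FIPSMode=$(cpf_fips_mode "$iris_dir/iris.cpf")"
    echo "last startup result: $(fips_startup_status "$iris_dir/mgr/messages.log")"
}

# Run the host checks only when invoked explicitly (as root, since ln -s
# writes into /usr/lib64).
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh fips_preflight.sh --run` on the host before the restart and again afterwards; a result of unsupported or disabled after a restart means the instance is using native cryptography, and failed means the instance did not come up and iris.cpf must be corrected by hand.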