Administer > System Security > FIPS mode

FIPS mode

FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within U.S. non-military government agencies and by U.S. government contractors and vendors who work with the agencies.

FIPS 140-2, “Security Requirements for Cryptographic Modules,” was issued by the U.S. National Institute of Standards and Technology (NIST) in May, 2001. The standard specifies the security requirements for cryptographic modules utilized within a security system that protects sensitive or valuable data.

As of version 9.32, Service Manager is FIPS 140-2 compliant when running in FIPS mode. The following table describes two operation modes of the Service Manager server and clients.

Operation mode Description

FIPS mode

(FIPS 140-2 compliant mode)

Supports FIPS 140-2 compliant cryptographic functions.

Standard mode

(Non-FIPS 140-2 compliant mode)

Utilizes existing cryptography without the 3rd-party FIPS 140-2 validated cryptographic modules.

To support FIPS mode, the Service Manager server and clients have introduced the following changes as of version 9.32.

Note If the FIPS mode is enabled, the encrypted fields cannot be retrieved via the legacy listener.

Server side

Out-of-the-box, the Service Manager server uses a 3rd-party FIPS 140-2 validated cryptographic module, OpenSSL FIPS Object Module. Additional changes are listed in the following table.

Item Description
AES encryption algorithm

Service Manager provides the function to encrypt table fields. Prior to version 9.32, Service Manager uses the Data Encryption Standard (DES) encryption algorithm, which is not FIPS-compliant.

As of version 9.32, when running in FIPS mode, Service Manager uses the Advanced Encryption Standard (AES) encryption algorithm, which is FIPS 140-2 compliant. After enabling FIPS mode, you must upgrade your database's encryption algorithm from DES to AES by running the sm -upgradeencralg command. For details, see Configure FIPS mode in Service Manager.

Additional support of 256-bit database encryption keys

Prior to version 9.32, Service Manager only supports 64-bit database encryption keys.

As of version 9.32, Service Manager supports 64-bit keys in non-FIPS mode and 256-bit keys in FIPS mode.

The fipsmode parameter

This server parameter determines whether the server runs in FIPS or non-FIPS mode when set to 1 or 0:

  • 1 (FIPS mode): All Service Manager servers and clients run in FIPS mode (for example, a pre-9.32 client, which does not support FIPS mode, can no longer connect to the SM9.32 server).
  • 0 (default, non-FIPS mode): All Service Manager servers and clients run in non-FIPS mode (for example, a pre-9.32 client can still connect to an SM9.32 or later server). In this mode, Service Manager keeps the same data encryption/decryption behavior as in previous versions.

Note In a horizontal scaling environment, you must set this parameter to the same value (either 1 or 0) on all server nodes.

Additional OpenSSL libraries (Windows server)

In addition to libeay32.dll, Service Manager has introduced libeay32_fba.dll and libeay32_rba.dll:

  • libeay32_fba.dll: A copy of libeay32.dll for backup purposes.
  • libeay32_rba.dll: A variant of libeay32.dll, with a relocatable base address. If the system fails to load the default dll (libeay32.dll), copy this file to libeay32.dll.

Client side

Out-of-the-box, the Windows and web clients use a 3rd-party FIPS 140-2 validated cryptographic module, RSA BSAFE Crypto-J. To allow administrators to enable FIPS mode, the web and Windows clients have introduced the following parameters or security preference options.

Client New Parameters
Web (web.xml)
  • JCEProviderName
  • JCEProviderClassName
Windows ( Window > Preferences > HPE Service Manager > Security)
  • JCE provider name
  • JCE provider class name