Configuring Reflection for Secure IT Server and Client for UNIX for FIPS 140-2 Validated Operation

  • 7021942
  • 02-Apr-2009
  • 02-Mar-2018

Environment

Reflection for Secure IT UNIX Server version 7.1 or higher
Reflection for Secure IT UNIX Client version 7.1 or higher

Situation

This technical note describes how to configure Reflection for Secure IT Server and Client for UNIX so that they operate in a FIPS 140-2 validated state.


Resolution

Configuring FIPS Mode on the Server

To configure the server for FIPS:

  1. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.
  2. Remove gssapi-with-mic from the AllowedAuthentications keyword and uncomment the line as shown below:
AllowedAuthentications=publickey,keyboard-interactive,password
  1. Set FipsMode to yes and uncomment the line as shown below.
FipsMode=yes
  1. Because Reflection for Secure IT cannot verify the FIPS status of SecurID, GSSAPI, and RADIUS binaries, these authentication methods need to be manually disabled by the system administrator if they are not FIPS validated. To ensure that you have disabled all PAM authentication methods that are not FIPS validated, disable PAM as shown below.
UsePAM=no
  1. Save the updated configuration file.
  2. Restart the server.

Note: If you change the FipsMode setting on the server, you need to restart the server for the change to take full effect. A SIGHUP signal puts new sessions into FIPS-mode, but does not affect existing connections.

Configuring FIPS Mode on the Client

To configure the client for FIPS:

  1. Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor.
  2. Set FipsMode to yes as shown below, then save the file.
FipsMode=yes

Generating FIPS-compliant Keys

By default Reflection for Secure IT creates a RSA 2048-bit host key, which is a FIPS-approved key strength. If you use the ssh-keygen utility to generate additional public/private key pairs, and specify no options, ssh-keygen generates a 2048-bit RSA key pair. If you specify non-default key type and key length values, you can ensure that these keys are FIPS-compliant by using the -f option. This option enforces key creation using FIPS-approved key strength, as shown in this example.

ssh-keygen -f -t dsa -b 2048
FIPS mode: Invalid value for 'key-length':
DSA keys must be 1024 bits in FIPS mode.

Note: The output of the ssh-keygen is not affected by the FIPSMode keyword. Even if FIPSMode=yes, you should use the -f switch to ensure that keys you create meet FIPS requirements.

Additional Information

To view the certificate and security policy for the Attachmate Cryptographic Module used by Reflection for Secure IT, see the Computer Security Division: Computer Security Resource Center on the NIST website:

Supported Ciphers, Macs, and Key Strength

When FIPS mode is enabled, Reflection for Secure IT enforces the following:
  • Supported ciphers: aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc
  • Supported Macs: hmac-sha256,hmac-sha1,hmac-sha512
  • DSA keys must be 1024 bits.
  • RSA keys must be between 1024 and 8192 bits.

Legacy KB ID

This document was originally published as Attachmate Technical Note 2389.