SSL FIPS 140-2 Standard for Oracle Fusion Middleware 11g - OHS, WLS, OPSS, OWSM 10.3.6/11.1.1.9 (Doc ID 2115681.1)

Last updated on DECEMBER 21, 2022

Applies to:

Oracle HTTP Server - Version 11.1.1.9.0 to 11.1.1.9.0 [Release Oracle11g]
Oracle WebLogic Server - Version 10.3.6 to 10.3.6
Oracle Platform Security for Java - Version 11.1.1.9.0 to 11.1.1.9.0 [Release Oracle11g]
Oracle Web Services Manager - Version 11.1.1.9.0 to 11.1.1.9.0 [Release 11g]
Information in this document applies to any platform.

Details

This has been a post-release certification where patches and steps are required when configuring SSL to meet FIPS 140-2 standards.

See the below information for the patching requirements for OHS, WLS, OPSS and OWSM.

Actions

Oracle HTTP Server 11.1.1.9

Configuring the Oracle HTTP Server (OHS) 11.1.1.9 for FIPS 140-2 (aka SSLFIPS) is now documented in the following locations:

Oracle Fusion Middleware Administrator's Guide (11.1.1.9)
- Chapter 9, "FIPS 140 Support in Oracle Fusion Middleware"
https://docs.oracle.com/middleware/11119/core/ASADM/fips.htm#ASADM11922
- Section I.2.4.1, "Creating and Viewing Oracle Wallets with orapki"
https://docs.oracle.com/middleware/11119/core/ASADM/walletmgr.htm#ASADM10625

Oracle HTTP Server Administrator's Guide (11.1.1.9)
- Section E.4.6 SSLFIPS and Table E-3, "Cipher Suites Supported by SSLFIPS"
https://docs.oracle.com/middleware/11119/webtier/administer-ohs/directives.htm#HSADM1124

Configuration to comply with FIPS 140-2 standards is essentially an "SSLFIPS On" setting while meeting other certificate, protocol and cipher configuration requirements as documented.

Note: This is only for 11.1.1.9, reference <Note 2041410.1> - Support Status of New SSL Features Released with Oracle HTTP Server and Oracle Web Cache 11.1.1.9

Platforms supported for Oracle HTTP Server 11g (11.1.1.9) configured for FIPS 140-2 standards:

Linux x86-64, Linux x86, Windows 64-bit, Solaris SPARC 64, Solaris x86-64, HP Itanium 64, HP-PA RISC 64, and IBM AIX 64

The below patches are required in the following order before beginning the steps to use orapki and configure ssl.conf/admin.conf:

Component	Patch	Patch Description on My Oracle Support	Additional Comments
Oracle HTTP Server (11.1.1.9)	<Patch 33311587>	OHS 11.1.1.9.0 SPU for CPUOct2021	All platforms. Update: This patch supersedes the original <Patch 19571821>. Previous patches mentioned here are superseded and fixes for FIPS are now planned to be included in Critical Patch Updates beginning with CPUJan2018 (<Patch 27301611>) and newer. The following should be listed in the Readme's Bugs Fixed list to be sure: 19571821 - PERFORM FIPS VALIDATION / CERTIFICATION WITH OHS 11.1.1.9 Oct 2021 is the final security patch for OHS 11.1.1.9. This and other patches can be found in Doc ID 2796575.1. Updated cipher standards should be followed from Doc ID 2314658.1. As referenced from Critical Patch Updates, ensure to also follow steps Doc ID 2626956.1 Cumulative README Post-Install Steps for Oracle HTTP Server 11.1.1.9 Critical Patch Update.
SSL/Networking	<Patch 21625529>	ADD FIPS SUPPORT IN ORAPKI	All platforms. Generic patch for orapki utility. Follow readme for oracle_common.
SSL/Networking	<Patch 22635957>	PS7: AIX: PACKAGING FIX REQUIRED FOR PATCHING NZ OBJECTS	IBM AIX 64 only.
SSL/Networking	<Patch 21974584>	TRACKING BUG TO SHIP CORRECT MES LIBRARIES ON PLATFORMS	All platforms except Linux x86-64 and Windows 64-bit.
SSL/Networking	<Patch 32287205>	OSS BUNDLE PATCH 11.1.1.9.210420	All platforms. This patch supersedes the original <Patch 21557250> TRACKING BUG TO CONSOLIDATE ALL THE PS7 FIPS FIXES" in order to merge with Critical Patch Updates.