How To Set Up Federal Information Processing Standard (FIPS) 140-2 Using FIPS.ORA On Single Instance and On RAC (Real Application Cluster)
(Doc ID 2250070.1)
Last updated on APRIL 18, 2024
Applies to:
Gen 1 Exadata Cloud at Customer (Oracle Exadata Database Cloud Machine) - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Oracle Database Backup Service - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Database Cloud Exadata Service - Version N/A and later
Information in this document applies to any platform.
Goal
This article demonstrates how to enable Federal Information Processing Standard (FIPS) 140-2 through FIPS.ORA on a single instance and on RAC (Real Application Cluster).
You can refer to the following documentation links for reference.
1) Oracle database 11G Release 1
2) Oracle database 11G Release 2
3) Oracle database 12C Release 1
4) Oracle database 12C Release 2
More about FIPS
The FIPS 140-2 cryptographic libraries are designed to protect data at rest and in transit over the network.
You can configure Oracle Database for the Federal Information Processing Standard (FIPS), for the current standard, 140-2. FIPS is a U.S. government standard that defines security requirements for cryptographic modules.
Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and DBMS_CRYPTO PL/SQL package.
To verify the current status of the certification, you can find information at the Computer Security Resource Center (CSRC) Web site address from the National Institute of Standards and Technology:
Requirements to configure the FIPS on Database Side
1) The DBFIPS_140 initialization parameter should be set to TRUE. This is a static parameter, so changing it requires a restart of the database.
DBFIPS_140=TRUE
2) fips.ora:
- Ensure that the fips.ora file is either located in the $ORACLE_HOME/ldap/admin directory or in a location pointed to by the FIPS_HOME environment variable. If the file does NOT exist, create it; it is a simple text file.
- In the fips.ora file, set SSLFIPS_140.
For example, to set SSLFIPS_140 to TRUE:
SSLFIPS_140=TRUE
- This should be done on both the client and the server side.
3) SSL cipher suites: we will use SSL_RSA_WITH_3DES_EDE_CBC_SHA in our example. The following suites for FIPS 140-2 are available.
4) The listener is configured using SSL, i.e. the TCP/IP with SSL (TCPS) protocol.
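One way to audit requirements 2 and 4 on a client or server host, as an added example that is not part of the Oracle note. The function names are hypothetical, trying FIPS_HOME before $ORACLE_HOME/ldap/admin is an assumption, and the sample files in demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not Oracle tooling: audits requirements 2 and 4 above.

# Locate fips.ora. Assumption: FIPS_HOME, when set, is tried before
# $ORACLE_HOME/ldap/admin; the page names both places but no precedence.
find_fips_ora() {
  local dir
  for dir in "${FIPS_HOME:-}" "${ORACLE_HOME:+$ORACLE_HOME/ldap/admin}"; do
    if [ -n "$dir" ] && [ -f "$dir/fips.ora" ]; then
      printf '%s\n' "$dir/fips.ora"; return 0
    fi
  done
  return 1
}

# Print the upper-cased value of NAME from a NAME=VALUE file, skipping "#"
# comments and ignoring spaces and case (a tolerant parse, an assumption).
ora_param() {  # usage: ora_param FILE NAME
  awk -F= -v name="$2" '
    /^[ \t]*#/ { next }
    { key = $1; gsub(/[ \t\r]/, "", key) }
    toupper(key) == toupper(name) { val = $2; gsub(/[ \t\r]/, "", val) }
    END { print toupper(val) }' "$1"
}

# Requirement 2: SSLFIPS_140 must be TRUE in the fips.ora that was found.
check_fips_ora() {
  local file
  file=$(find_fips_ora) || { echo "FAIL: fips.ora not found"; return 1; }
  [ "$(ora_param "$file" SSLFIPS_140)" = "TRUE" ] ||
    { echo "FAIL: SSLFIPS_140 is not TRUE in $file"; return 1; }
  echo "OK: SSLFIPS_140=TRUE in $file"
}

# Requirement 4: listener.ora ($1) needs an uncommented TCPS endpoint.
check_listener_tcps() {
  grep -v '^[[:space:]]*#' "$1" | grep -Eiq 'PROTOCOL[[:space:]]*=[[:space:]]*TCPS' ||
    { echo "FAIL: no TCPS endpoint in $1"; return 1; }
  echo "OK: TCPS endpoint in $1"
}

# Constructed sample files, so the checks can be tried without a database home.
demo() {
  local home; home=$(mktemp -d); mkdir -p "$home/ldap/admin"
  printf '# constructed sample\nSSLFIPS_140 = true\n' > "$home/ldap/admin/fips.ora"
  printf 'LISTENER=(ADDRESS=(PROTOCOL=TCPS)(HOST=db01.example)(PORT=2484))\n' > "$home/listener.ora"
  ( unset FIPS_HOME; ORACLE_HOME=$home; check_fips_ora && check_listener_tcps "$home/listener.ora" )
}
demo
```

DBFIPS_140 from requirement 1 is a database initialization parameter, so it is not covered by these file checks.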
Solution