Skip Headers
Oracle® Application Server Security Guide
10g Release 2 (10.1.2)
B13999-03
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

A Oracle Application Server FIPS 140-2 Settings

Oracle Application Server 10g (9.0.4) received FIPS 140-2 Level 2 certification. The security policy for this certification is available at http://csrc.nist.gov/cryptval/140-1/140sp/140sp447.pdf.

This appendix describes how to configure Oracle Application Server components to comply with the FIPS 140-2 advanced security standard. For more information about this standard, refer to the Cryptographic Modules Validation Program Web site at the following address:

http://csrc.nist.gov/cryptval/

The following topics are covered in this appendix:

A.1 Configuration

Any component in any Oracle Application Server instance that uses SSL can be configured to be FIPS compliant. Specifically, the Oracle Application Server components that can be configured are:

The security policy document includes requirements for secure configuration of the host operating system.

A.1.1 Setting the SQLNET.SSLFIPS_140 Parameter

All of these components can be configured to run in FIPS mode by setting the SQLNET.SSLFIPS_140 parameter to TRUE in the sqlnet.ora file:

SQLNET.SSLFIPS_140=TRUE

By default, this parameter is set to FALSE.

Make sure that the sqlnet.ora file is either located in the ORACLE_HOME/network/admin directory, or is pointed to by the TNS_ADMIN environment variable. This procedure can be repeated in any Oracle home for any applicable component.


Note:

You must add or edit the SQLNET.SSLFIPS_140 parameter in the sqlnet.ora file with a text editor. You cannot use Oracle Net Manager to set this parameter.

A.1.2 Selecting Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.

Only the cipher suites listed below are approved for FIPS validation:

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

  • SSL_DH_anon_WITH_DES_CBC_SHA

  • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

These SSL cipher suites are automatically configured for Oracle Internet Directory and mod_oc4j. For Oracle HTTP Server, specify the SSLCipherSuite directive in the corresponding httpd.conf file as follows:

SSLCipherSuite <FIPS_approved_cipher_suite[:additional_FIPS_approved_cipher_suites]>


See Also:

The "Using mod_ossl Directives" section in "Chapter 10, Managing Security" in the Oracle HTTP Server Administrator's Guide.

Please note that multiple cipher suites can be specified, delimited with the colon (:) character. In order to use the FIPS approved cipher suites for OracleAS Web Cache, ensure that the Strong Crypto option is not enabled.

If an application uses separate virtual hosts, ensure that the SSLCipherSuite directive is set appropraitely in the corresponding configuration file. For example, OracleAS Certificate Authority uses two additional virtual hosts, meaning the SSLCipherSuite directives in the ocm_apache.conf file (located in the same directory as the httpd.conf file) must be configured with the approved cipher suites.

A.2 Post-Installation Checks

After the installation, the following permissions must be verified in the operating system:

To comply with FIPS 140-2 Level 2 requirements, the system security policy must include procedures to prevent unauthorized users from reading, modifying, or executing Oracle Cryptographic Libraries processes and the memory those processes are using in the operating system.

A.3 Verifying FIPS Connections

To check if FIPS mode is enabled, tracing can be added to the sqlnet.ora file. FIPS self-tests messages can be found in the trace file. Add the following lines to sqlnet.ora to enable tracing:

trace_directory_server=<trace_dir>
trace_file_server=<trace_file>
trace_level_server=<trace_level>

For example:

trace_directory_server=/private/oracle/owm
trace_file_server=fips_trace.trc
trace_level_server=6

Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests.