News, tips, partners, and perspectives for the Oracle Linux operating system and upstream Linux kernel work

  • October 30, 2017

MONDAY SPOTLIGHT: Oracle Linux 6 and 7 OpenSSL and OpenSSH Attain FIPS 140-2 Level 1 Certification

Scott Lynn
Director of Product Management GraalVM

In response to customer requests for FIPS 140 validation of the cryptographic modules used by Oracle Linux, Oracle is pleased to announce that the Oracle Linux 6 and 7 OpenSSL and OpenSSH cryptographic modules have each achieved a FIPS 140-2 validation with overall compliance at Level 1 of the FIPS standard. Conformance with the FIPS 140-2 standard provides assurance to government and industry purchasers that products correctly implement cryptographic functions as the FIPS 140-2 standard specifies. The certificate numbers are:

  • #3017 - Oracle Linux OpenSSL Cryptographic Module
  • #3028 - Oracle Linux 7 OpenSSH Server Cryptographic Module
  • #3030 - Oracle Linux 6 OpenSSH Client Cryptographic Module
  • #3031 - Oracle Linux 6 OpenSSH Server Cryptographic Module
  • #3032 - Oracle Linux 7 OpenSSH Client Cryptographic Module

Oracle Linux cryptographic modules enable FIPS 140 compliant operations for key use cases such as data protection and integrity, remote administration (SSH, HTTPS TLS, SNMP, and IPSEC), cryptographic key generation, and key/certificate management. Oracle Linux’s cryptographic modules have been certified as meeting FIPS 140 validation. Other modules are still under test. The certification status of modules still under test can be verified at the U.S. Cryptographic Module Validation Program site:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140IUT.pdf

About FIPS 140-2

FIPS 140-2 is a mandatory public sector procurement requirement in both the United States and Canada for any product claiming or providing encryption.

The FIPS 140-2 program is jointly administered by the US and Canada. In the US, the program is administered by NIST (National Institute of Standards and Technology) through the CMVP (Cryptographic Module Validation Program). In Canada, the program is administered by the Communications Security Establishment of the Government of Canada (CSEC). Oracle recognizes that the FIPS 140-2 validation of cryptographic modules is important to many customers.  For more information on this standard, see: http://csrc.nist.gov/publications/PubsFIPS.html.  For more information on the FIPS 140-2 Cryptographic Module Validation Program (CMVP), see: http://csrc.nist.gov/groups/STM/cmvp

Oracle’s Commitment to FIPS 140-2

For more information on Oracle’s participation in the FIPS 140-2 validation program, please visit the main FIPS 140-2 information page. For a complete list of Oracle products with FIPS 140-2 validations and Common Criteria certifications, please see the Security Evaluations website.

Oracle includes FIPS 140-2 Level 1 validated cryptography in Oracle Linux 6 and Oracle Linux 7 on x86-64, with both the Red Hat Compatible Kernel and Oracle’s Unbreakable Enterprise Kernel. The platforms targeted for FIPS 140 validation testing include Oracle Linux 6.9 running on an x86-64 processor and Oracle Linux 7.3 running on an x86-64 processor. Oracle “vendor affirms” that the FIPS validation will be maintained on all other x86-64 equivalent hardware. Oracle will deliver software updates, if necessary, to address bug fixes and security vulnerabilities. However, re-certification of its FIPS 140 validated cryptographic modules is at Oracle's sole discretion. Re-certifications depend on the package releases of the Linux open source community.

The packages that are FIPS 140-2 Level 1 certified for Oracle Linux 6 and Oracle Linux 7 are:

Once the packages are installed, you can enable FIPS mode by following the Oracle Linux documentation:
