Illumio Core 22.2 Install, Configure, Upgrade

FIPS Compliance for VEN

This section describes the operational requirements for compliance with Federal Information Processing Standard (FIPS) 140-2 for the VEN.

The candidate VEN version is Windows 10 Enterprise.

FIPS Prerequisites
  • Red Hat 7.9.

  • Red Hat 8.2.

    • The VEN will be FIPS compliant on later versions of Red Hat 8.x as Red Hat completes the FIPS certification process.

  • Windows Server 2012 R2, 2016, and 2019.

Enable Red Hat Linux VEN FIPS Compliance

All VEN OpenSSL communications by default operate in a FIPS-compliant mode.

  1. Before activating the VEN, configure FIPS mode as described in RHEL 8, Section 9.1 ("Crypto Officer Guidance") of Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module v8.0.

  2. After the system starts, check that FIPS mode is enabled:

    $ fips-mode-setup --check

    FIPS mode is enabled.

  3. Activate the VEN.
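A preflight check for step 2, as an added example that is not part of Illumio's documentation or tooling: it reads the kernel flag /proc/sys/crypto/fips_enabled alongside the text printed by fips-mode-setup --check, and refuses to give the go-ahead for activation unless both agree that FIPS mode is on (a host whose crypto policy was switched without the matching reboot shows up as a mismatch). The flag path and the check output are parameters so the logic can be run against constructed input; the "Inconsistent state" wording is an assumption about the tool's output.

```shell
#!/bin/sh
# Added preflight example (not Illumio's own tooling): confirm that a RHEL 8
# host really runs in FIPS mode before the VEN is activated.
# Assumptions: /proc/sys/crypto/fips_enabled is the kernel's FIPS flag (present
# on RHEL 8); fips-mode-setup is the RHEL 8 tool the procedure already uses.

# Kernel view: the flag file holds "1" when the kernel booted in FIPS mode.
# The path is a parameter so the check can be exercised against a copy.
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 1
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Userspace view: classify the text printed by `fips-mode-setup --check`.
# Takes the output as an argument so it can be tested without the tool.
# Prints one of: enabled | disabled | inconsistent | unknown.
fips_setup_state() {
    case "$1" in
        *[Ii]nconsistent*)          printf 'inconsistent\n' ;;  # assumed wording
        *"FIPS mode is enabled."*)  printf 'enabled\n' ;;
        *"FIPS mode is disabled."*) printf 'disabled\n' ;;
        *)                          printf 'unknown\n' ;;
    esac
}

# Combined gate: succeed only when kernel and fips-mode-setup both say FIPS is
# on. Args: [flag-file] [check-output]; defaults query the live host.
ven_fips_preflight() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -n "$2" ]; then
        setup_output="$2"
    else
        setup_output="$(fips-mode-setup --check 2>/dev/null || true)"
    fi
    if ! kernel_fips_enabled "$flag_file"; then
        echo "preflight FAILED: kernel not in FIPS mode ($flag_file); do not activate the VEN" >&2
        return 1
    fi
    state="$(fips_setup_state "$setup_output")"
    if [ "$state" != enabled ]; then
        echo "preflight FAILED: fips-mode-setup reports '$state'; do not activate the VEN" >&2
        return 1
    fi
    echo "preflight OK: FIPS mode confirmed by kernel and fips-mode-setup"
}
```

On the host itself, run ven_fips_preflight with no arguments and proceed to step 3 only when it returns success; the kernel flag only reads 1 after a reboot with FIPS enabled, which is why the two views are checked together.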

Note

The OpenSSL 3.0 module used on Red Hat 7 is in the process of FIPS validation but is not yet certified. The VEN will become FIPS compliant as soon as the OpenSSL module is certified.

Note

The SecureConnect feature is not FIPS compliant with RHEL 7.4 or RHEL 7.9.

Enable Windows VEN FIPS Compliance

Windows 10 Enterprise must be configured in conformance with Section 2 of the NIST Microsoft Windows FIPS 140 Validation Security Policy document.

Windows Server 2012, Windows Server 2016, Windows 7, and Windows 10 must be configured according to the following vendor documents:

FIPS-related Government and Vendor Documentation
Enable FIPS Compliance for Windows VENs

Windows VEN is FIPS compliant when installed on Windows 10 Enterprise.

Windows VEN is FIPS compliant when installed on Windows Server 2012 or Windows Server 2016.

  1. Before activating the VEN, configure FIPS mode as described in the documentation provided by Microsoft. See "Step 3: Enable the FIPS security policy" in FIPS 140-2 Validation on the Microsoft Learn website.

  2. Activate the VEN.

VENs on RHEL8 and OpenSSL CVEs

VENs installed on RHEL 8 use the OpenSSL package that is installed as part of the OS. Several OpenSSL versions have known security vulnerabilities. The vulnerabilities CVE-2022-1292, CVE-2022-2068, and CVE-2022-2274 are catalogued by NIST (U.S. Department of Commerce). The OpenSSL c_rehash script does not properly handle shell metacharacters and so does not prevent command injection. The recommended action is to upgrade to OpenSSL v3.0.5 or v1.1.1q or later. Note that, because of how the VEN uses OpenSSL, VENs are not affected by CVE-2022-1292, CVE-2022-2068, or CVE-2022-2274.

Supporting OpenSSL 3.0 on Linux Systems

strongSwan, the IPSec subsystem for the Linux OS, must be updated to support OpenSSL 3.0. Moving VENs to OpenSSL 3.0 during the FIPS certification migration breaks the PKCS12_xxx API: the PKCS12KDF algorithm used for the MAC in the PKCS12 binary storage format is not FIPS compliant (although it satisfied older FIPS standards with OpenSSL 1.0.2). Illumio uses PKCS12 for convenient management of certificates and key pairs, not for security purposes.

Note

Adding another algorithm for the PKCS12 MAC would fix this issue, but it would require changing the FIPS standard, because the non-compliant PKCS12KDF algorithm is hardcoded into the PKCS12 standard as the key derivation function (KDF) that generates the MAC key from the password.

To support OpenSSL 3.0, Illumio recommends generating the PKCS12 container on Linux systems with the following CLI commands, chosen by VEN version and FIPS mode.

For any Linux VEN version before 22.2.10:

  • Without FIPS:

    openssl pkcs12 -export -out certificate.p12 -inkey mykey.pem -in mycert.pem -password pass:

  • With FIPS:

    openssl pkcs12 -export -out certificate.p12 -inkey mykey.pem -in mycert.pem -password pass: -descert -des3

For any 22.2.10 VEN Linux version and after:

  • With OpenSSL 3.0 support, or a VEN on OpenSSL 3.0 with FIPS:

    openssl pkcs12 -export -out certificate.p12 -inkey mykey.pem -in mycert.pem -password pass: -provider fips -nomac

  • With any version of OpenSSL without FIPS:

    openssl pkcs12 -export -out certificate.p12 -inkey mykey.pem -in mycert.pem -password pass:
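As an added example (not Illumio's own tooling), the flag selection above expressed as a shell function keyed on VEN version and FIPS mode, plus a round-trip check that the resulting container can be parsed with the empty password. Assumed interpretation of the table: for 22.2.10 and later, -provider fips -nomac applies when FIPS is enforced and the plain command otherwise; before 22.2.10, -descert -des3 applies under FIPS. The self-signed key and certificate produced by the self-test are constructed test material using the page's file names, not a VEN identity.

```shell
#!/bin/sh
# Added example (not Illumio's own tooling): pick the `openssl pkcs12` options
# the page prescribes for a given VEN version and FIPS mode, build the
# container, and confirm it parses. The 22.2.10 threshold and the flag sets
# come from the page; the helpers are constructed.

# version_ge A B: true when dotted version A >= B, compared numerically
# component by component (missing components count as 0).
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i + 0; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (a[i] + 0 > b[i] + 0) exit 0
                if (a[i] + 0 < b[i] + 0) exit 1
            }
            exit 0
        }'
}

# pkcs12_export_flags VEN_VERSION fips|nofips: extra options for the export
# (prints an empty line when the plain command is the right one).
pkcs12_export_flags() {
    ven="$1"; mode="$2"
    if version_ge "$ven" 22.2.10; then
        # 22.2.10 and later: OpenSSL 3.0 under FIPS needs the FIPS provider and
        # must skip the MAC, since PKCS12KDF is not FIPS approved.
        case "$mode" in
            fips) printf '%s\n' '-provider fips -nomac' ;;
            *)    printf '\n' ;;
        esac
    else
        # Before 22.2.10: legacy triple-DES encryption of certs and key under FIPS.
        case "$mode" in
            fips) printf '%s\n' '-descert -des3' ;;
            *)    printf '\n' ;;
        esac
    fi
}

# build_pkcs12 KEY CERT OUT VEN_VERSION fips|nofips: run the export with the
# selected options. The password is empty (pass:), exactly as on the page.
build_pkcs12() {
    key="$1"; cert="$2"; out="$3"
    flags="$(pkcs12_export_flags "$4" "$5")"
    # shellcheck disable=SC2086  # flags are intentionally word-split
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -password pass: $flags
}

# verify_pkcs12 FILE: true when openssl can parse the container with the empty
# password; a -nomac container still carries the key and certificate.
verify_pkcs12() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# pkcs12_selftest DIR: create a throwaway self-signed key/cert pair (constructed
# test material) and round-trip it through a non-FIPS container, which works
# with any OpenSSL without needing the FIPS provider loaded.
pkcs12_selftest() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=pkcs12-selftest' \
        -keyout "$dir/mykey.pem" -out "$dir/mycert.pem" -days 1 >/dev/null 2>&1 || return 1
    build_pkcs12 "$dir/mykey.pem" "$dir/mycert.pem" "$dir/certificate.p12" \
        22.2.10 nofips >/dev/null 2>&1 || return 1
    verify_pkcs12 "$dir/certificate.p12"
}
```

On a FIPS host with OpenSSL 3.0, call build_pkcs12 with the real VEN version and "fips"; the function then emits the -provider fips -nomac form from the page, and verify_pkcs12 confirms the container is readable before it is handed to the VEN.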