
FIPS 140-2 Concepts

FairCom servers support the Federal Information Processing Standard (FIPS) 140-2 conformance levels for advanced sensitive applications such as those in government, finance, and health care.

FIPS validation certifies that TLS and other encryption are implemented properly in a specific product. FIPS is implemented and configured separately for clients and servers: each side can independently use a FIPS implementation of TLS, and neither side knows or cares whether the other is using FIPS, as long as the two share a FIPS-compliant TLS cipher.

Use FIPS in FairCom JSON Action APIs

The JSON Action API uses HTTPS to post JSON documents to a FairCom server. 

Software applications that use the FairCom JSON Action API can implement FIPS directly in their applications by connecting to a FairCom server using a FIPS-compliant HTTP or WebSocket library.

Use FIPS in FairCom JDBC drivers

Software applications using JDBC can implement FIPS as provided by the Java standard. This generally requires configuring a FIPS-validated JCE provider, such as Bouncy Castle.

Use FIPS in FairCom ISAM, CTDB, and SQL client drivers

FairCom support and professional services can help you with FIPS compliance.

The FairCom SQL client drivers include ODBC.

Various forms of encryption must be enabled by modifying the ctsrvr.cfg server configuration file.

TLS support is controlled by a set of entries within SUBSYSTEM COMM_PROTOCOL SSL.

Support for file level encryption is initialized by keywords such as:

ADVANCED_ENCRYPTION
LOG_ENCRYPT
ADMIN_ENCRYPT
MASTER_KEY_FILE

The FIPS version of these methods is enabled by:

FIPS_ENCRYPTION

See Configure server to use certificate for details.

File-level encryption must still be enabled on a file-by-file basis, either by conversion for existing files or at file creation. Consult the relevant programmers guide for details or contact FairCom support for assistance.

When a FairCom server starts with FIPS enabled, the CTSTATUS.FCS log file contains the following message: OpenSSL FIPS Cryptographic provider in use

FIPS-compliant TLS applies only to TCP/IP connections.

To force all ISAM, CTDB, and SQL communications to use TLS, disable shared memory communications by commenting out or removing the COMM_PROTOCOL FSHAREMM line in the ctsrvr.cfg server configuration file:

;COMM_PROTOCOL FSHAREMM

The FairCom FIPS library can be used to verify that TCP/IP communications use FIPS-compliant TLS connections. On Microsoft Windows, the FIPS library is fips.dll. On Linux it is libfips.so. Copy the appropriate file from the <faircom>/server directory into your client application area and include it in your application's distribution.

Start the FairCom client driver in FIPS mode by setting the FAIRCOM_FIPS_CLIENT_MODE environment variable to YES.

When the FairCom client driver starts in FIPS mode, it loads the OpenSSL FIPS module (fips.dll or libfips.so) from its working directory. If the FIPS library fails to load, the FairCom driver returns error 1182 to the client software.

FIPS initialization creates the mandatory configuration file ./faircomssl.cnf if it does not already exist. If a new version of the FIPS library is deployed, the old faircomssl.cnf must be deleted. This client environment configuration applies to all connections using FairCom DB SQL drivers and FairCom DB client libraries. Some FairCom DB client libraries, such as the Java-based CTDB and JTDB drivers, the Microsoft .NET CTDB driver, and the Python CTDB driver, use the FairCom mtclient.dll (.so, .dylib) library interface to connect with the database. Client software using these drivers must enable FIPS by setting the environment variable FAIRCOM_FIPS_CLIENT_MODE=YES.

Note

The FairCom DB ADO.NET client library does not support FIPS because it is developed entirely in its native language and does not use mtclient. However, .NET does support FIPS if configured at the OS level.

Client software using the FairCom ISAM, CTDB, and SQL protocols can turn on logging of FIPS diagnostic messages, to verify FIPS status, by setting the following environment variable to the path of a log file:

FAIRCOM_FIPS_CLIENT_LOG = my_fips.log
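To tie the server and client settings above together, here is an added shell script (not FairCom's own tooling) that checks a deployment for the three things this page says matter: FIPS_ENCRYPTION present and COMM_PROTOCOL FSHAREMM commented out in ctsrvr.cfg, the FIPS provider message in CTSTATUS.FCS, and the FIPS library in the client's working directory. The sample files it creates are constructed, and the value syntax FIPS_ENCRYPTION YES is an assumption.

```shell
# Added example, not FairCom's own tooling: pre-flight checks for a FIPS
# deployment, built only from the keywords, file names and log message
# documented on this page. Sample files are constructed for illustration.

# ctsrvr.cfg must contain FIPS_ENCRYPTION and must not leave a live
# COMM_PROTOCOL FSHAREMM line (shared memory would bypass TLS).
# Returns 0 = ok, 1 = FIPS_ENCRYPTION missing, 2 = shared memory still on.
check_server_cfg() {
  grep -Eq '^[[:space:]]*FIPS_ENCRYPTION' "$1" || return 1
  if grep -Eq '^[[:space:]]*COMM_PROTOCOL[[:space:]]+FSHAREMM' "$1"; then
    return 2
  fi
  return 0
}

# CTSTATUS.FCS must show that the FIPS provider actually loaded at start-up.
check_server_status() {
  grep -q 'OpenSSL FIPS Cryptographic provider in use' "$1"
}

# The client working directory must hold the FIPS library, otherwise the
# driver fails with error 1182 once FAIRCOM_FIPS_CLIENT_MODE=YES is set.
check_client_dir() {
  [ -f "$1/libfips.so" ] || [ -f "$1/fips.dll" ]
}

# Run all three checks against one directory; prints a verdict per check.
fips_preflight() {
  rc=0
  check_server_cfg "$1/ctsrvr.cfg" && echo "cfg: ok" || { echo "cfg: FAIL ($?)"; rc=1; }
  check_server_status "$1/CTSTATUS.FCS" && echo "status: ok" || { echo "status: FAIL"; rc=1; }
  check_client_dir "$1" && echo "client: ok" || { echo "client: FAIL"; rc=1; }
  return $rc
}

# Constructed sample deployment so the script runs offline. The value
# syntax "FIPS_ENCRYPTION YES" is an assumption; check the server docs.
make_sample_env() {
  d=$(mktemp -d)
  printf 'FIPS_ENCRYPTION YES\nSSL_CONNECTIONS_ONLY YES\n;COMM_PROTOCOL FSHAREMM\n' > "$d/ctsrvr.cfg"
  printf 'OpenSSL FIPS Cryptographic provider in use\n' > "$d/CTSTATUS.FCS"
  : > "$d/libfips.so"
  printf '%s' "$d"
}

sample=$(make_sample_env)
export FAIRCOM_FIPS_CLIENT_MODE=YES FAIRCOM_FIPS_CLIENT_LOG="$sample/my_fips.log"
fips_preflight "$sample"
rm -rf "$sample"
```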

The following errors may occur when a client is connecting to a server.

Error number | Error description
1182 | The client requires FIPS mode, but the FairCom driver cannot load FIPS. The FAIRCOM_FIPS_CLIENT_MODE environment variable is set to YES, but the driver cannot find fips.dll or libfips.so in its working directory.
1104 | The server requires TLS logins, but the client is not using TLS. The SSL_CONNECTIONS_ONLY configuration option is configured as YES, but the client did not specify a TLS communication string. A client must add ^fssltcp to its connection string for ISAM connections and ssl: to SQL connection strings.