Enabling FIPS for software-only systems

Last Updated: Dec 23, 2024

About this task

FIPS 140 is the U.S. government standard for cryptographic modules. Use this procedure if your enterprise requires that only FIPS-approved cryptographic algorithms be used.

For software-only installations, FIPS mode is enabled at the operating system level before installing the system layer. If FIPS is enabled in the operating system, Avaya Aura® Web Gateway is installed in FIPS mode. If not, it is installed in non-FIPS mode. FIPS installation is supported for new installations only. You cannot upgrade a non-FIPS system to a FIPS system. If you want to enable FIPS on a non-FIPS system or disable FIPS on a FIPS system, you must uninstall the Avaya Aura® Web Gateway application first, change the FIPS mode, and then re-install Avaya Aura® Web Gateway.

Important:
  • You must enable FIPS before installing the system layer.

  • OAuth authorization is unavailable in FIPS mode.

Note:
  • If FIPS mode is enabled, use the Secure LDAP (LDAPS) protocol to configure LDAP.

  • If FIPS mode is enabled in cluster deployments, SSL encryption for internode communication between the database servers on the Avaya Aura® Web Gateway nodes is enabled by default.

Before you begin

Download and install package tomcat-native-1.2.23-1.el8.x86_64.rpm or later.

Procedure

  1. Log in to the virtual machine as the root user using an SSH connection.
  2. Open the /etc/ssh/sshd_config file in a text editor.

    For example, to open the file in vi, run the vi /etc/ssh/sshd_config command.

  3. Add the following three entries to the file. If the file already contains a Ciphers, MACs, or KexAlgorithms line, replace it rather than adding a second one: sshd uses the first value it reads for each keyword, so an earlier line would silently override the new entry.
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1
  4. Save the /etc/ssh/sshd_config file.
  5. Open the /etc/ssh/ssh_config file in a text editor.

    For example, to open the file in vi, run the vi /etc/ssh/ssh_config command.

  6. Add the following two entries to the file, replacing any existing Ciphers or MACs line (the ssh client, like sshd, uses the first value it reads for each keyword):
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256
  7. Save the /etc/ssh/ssh_config file.
  8. Open the /usr/share/crypto-policies/back-ends/FIPS/opensshserver.config file in a text editor. On RHEL 8 the CRYPTO_POLICY value in this file is passed to sshd as command-line -o options, and those take precedence over the same keywords in sshd_config, so the lists here must agree with the entries from step 3.
    1. Remove the existing line.
    2. Add the line: CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256'
  9. Save /usr/share/crypto-policies/back-ends/FIPS/opensshserver.config.
  10. Restart sshd service using systemctl restart sshd.
  11. Complete the steps listed in the Federal standards and regulations section of the Red Hat documentation.
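The following script is added here as an example; it is not part of the Avaya or Red Hat documentation. It performs steps 2 through 9 on the files it is given and verifies the result. The function names (set_directive, get_directive, check_no_weak, apply_all, write_policy_file) and the FIPS_SSH_APPLY variable are the example's own. It removes any existing Ciphers, MACs and KexAlgorithms lines before appending the new ones, because OpenSSH uses the first value it reads for a keyword and a pre-existing line would silently win over an appended one. Run it with FIPS_SSH_APPLY=1 as root to change the real system files; otherwise it only defines the functions so they can be tried on copies.

```shell
#!/bin/bash
# Added example (not Avaya's or Red Hat's code). Applies the SSH settings from
# the procedure above to the given files and checks the effective directives.
set -u

# Algorithm lists exactly as given in steps 3, 6 and 8 (with the duplicated
# diffie-hellman-group-exchange-sha1 entry from the original list dropped).
FIPS_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr'
SERVER_MACS='hmac-sha2-512,hmac-sha2-256,hmac-sha1'
SHA2_MACS='hmac-sha2-512,hmac-sha2-256'
FIPS_KEX='ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1'

# set_directive FILE KEYWORD VALUE: drop every existing line for KEYWORD
# (case-insensitive, as OpenSSH parses keywords) and append one "KEYWORD VALUE".
set_directive() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  grep -viE "^[[:space:]]*${key}[[:space:]]" "$file" > "$tmp" || true
  printf '%s %s\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$file"   # cat, not mv, keeps FILE's owner, mode and SELinux label
  rm -f "$tmp"
}

# get_directive FILE KEYWORD: print the value OpenSSH would use, i.e. the
# first occurrence of KEYWORD in FILE.
get_directive() {
  grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | head -n1 | awk '{print $2}'
}

# write_policy_file FILE: replace the crypto-policies OpenSSH server back-end
# with the single CRYPTO_POLICY line from step 8.
write_policy_file() {
  printf "CRYPTO_POLICY='-oCiphers=%s -oMACs=%s'\n" "$FIPS_CIPHERS" "$SHA2_MACS" > "$1"
}

# contains_algo LIST NAME: succeed if NAME is an element of comma-separated LIST.
contains_algo() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# check_no_weak FILE KEYWORD FORBIDDEN...: fail if KEYWORD is unset in FILE or
# its list still contains any FORBIDDEN algorithm (e.g. CBC ciphers, hmac-md5).
check_no_weak() {
  local file=$1 key=$2 value bad
  shift 2
  value=$(get_directive "$file" "$key")
  [ -n "$value" ] || { echo "$file: $key not set" >&2; return 1; }
  for bad in "$@"; do
    if contains_algo "$value" "$bad"; then
      echo "$file: $key still allows $bad" >&2
      return 1
    fi
  done
  return 0
}

# apply_all SSHD_CONFIG SSH_CONFIG POLICY_FILE: steps 3, 6 and 8 in one go.
apply_all() {
  local sshd_cfg=$1 ssh_cfg=$2 policy_cfg=$3
  set_directive "$sshd_cfg" Ciphers "$FIPS_CIPHERS"
  set_directive "$sshd_cfg" MACs "$SERVER_MACS"
  set_directive "$sshd_cfg" KexAlgorithms "$FIPS_KEX"
  set_directive "$ssh_cfg" Ciphers "$FIPS_CIPHERS"
  set_directive "$ssh_cfg" MACs "$SHA2_MACS"
  write_policy_file "$policy_cfg"
}

# Touch the real system only when explicitly asked (run as root).
if [ "${FIPS_SSH_APPLY:-0}" = "1" ]; then
  apply_all /etc/ssh/sshd_config /etc/ssh/ssh_config \
            /usr/share/crypto-policies/back-ends/FIPS/opensshserver.config
  sshd -t                                         # syntax check before restart
  sshd -T | grep -iE '^(ciphers|macs|kexalgorithms) '   # effective lists
  systemctl restart sshd
fi
```

Keep an existing SSH session open while restarting sshd and confirm a fresh login works before closing it; sshd -t catches syntax errors but not a cipher or kex list your client cannot negotiate. After step 11 and the reboot it requires, fips-mode-setup --check reports whether the operating system is in FIPS mode.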