Enabling FIPS Compliance

Overview

The Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are United States Government standards that provide a benchmark for implementing cryptographic software. Secret Server was tested and operates correctly in FIPS-compliant environments.

The Microsoft .NET implementations of AES and SHA are not FIPS certified, so Secret Server uses the Windows API versions of those algorithms, which are FIPS certified.

See FIPS 140-2 Validation for the FIPS certificate numbers for the Windows operating systems, including the algorithm implementations that we use. Supported operating systems include Windows Server 2008 R2 and above.

Site-Specific FIPS Configuration

Individual sites are configurable for FIPS compatibility. The setting is available on the Administration > Distributed Engine > Site Configuration page, in the Engine Default Settings dialog box. All engines on a site will use this setting, overriding the global setting, which is configured at Administration > Configuration > Security.

Procedure

To enable FIPS compliance:

Task 1: Enable FIPS in Secret Server

  1. Ensure Secret Server is already installed.

    Secret Server is unavailable and may give errors (such as "Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms") until all the steps are completed.
    If FIPS compliance for Windows was already enabled before Secret Server was installed, 'InvalidOperationException' error messages may result during installation. To resolve the issue, please contact support for assistance.
    If FIPS is enabled as part of a domain group policy, it must be disabled before the option can be enabled in Secret Server; otherwise an error may occur. It can be re-enabled using group policy once the feature has been enabled in the application.
  2. In Secret Server, go to Admin > Configuration.

  3. Click the Security tab.

  4. Click the Edit button at the bottom of the page.

  5. Click to enable the Enable FIPS Compliance check box in the FIPS Compliance section.

  6. Click the Save button.

Task 2: Enable FIPS in Windows

  1. At the Windows command prompt, run secpol.msc. The Local Security Policy application appears.

  2. In the left pane, drill down to Security Settings > Local Policies > Security Options.

  3. In the right pane double-click the System Cryptography: Use FIPS Compliant algorithms for encryption, hashing, and signing policy. Its properties appear.

  4. Click to enable the Enabled selection button on the Local Security Setting tab.

  5. Click the OK button.

  6. Close the Local Security Policy application.

Task 3: Reset the IIS Server

Run iisreset from the Windows command prompt. IIS resets.

When using FIPS compliance mode in Secret Server, we use the NIST-certified encryption algorithms within the Windows Operating System.
There should be no need to enable FIPS on the database server operating system because the encryption applies between the application and the database, not between the operating systems. Data is encrypted before it reaches the database.
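The following read-only check script is an added example, not part of the Secret Server documentation or product. It assumes Windows PowerShell 5.1 on the Secret Server web host and reports whether the Windows FIPS policy from Task 2 is in effect, whether the .NET runtime honors it, and which cryptographic classes are refused under it (the cause of the "not part of the Windows Platform FIPS validated cryptographic algorithms" error above).

```powershell
# Added verification script (not Secret Server code). Read-only: it reports FIPS state,
# it does not change it; use secpol.msc as described in Task 2 to change the policy.
# Assumes Windows PowerShell 5.1 (.NET Framework) on the web server.

# The "System cryptography: Use FIPS compliant algorithms" policy is stored here.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# 1. Is the OS FIPS policy enabled? (Group policy writes the same value, so a
#    domain-enforced setting shows up here as well.)
$enabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($enabled -eq 1) { 'OS FIPS policy: ENABLED' } else { 'OS FIPS policy: disabled' }

# 2. Does the .NET runtime see the policy? This flag decides whether the managed
#    (non-validated) implementations throw at runtime.
$dotnetFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
".NET AllowOnlyFipsAlgorithms: $dotnetFips"

# 3. Try to construct each provider. Under FIPS policy the *Managed classes are
#    refused with InvalidOperationException, while the Windows CAPI/CNG-backed
#    classes (the ones the page says Secret Server relies on) construct normally.
function Test-CryptoProvider {
    param([string]$TypeName)
    try {
        $null = New-Object -TypeName $TypeName
        '{0,-58} OK' -f $TypeName
    } catch {
        '{0,-58} {1}' -f $TypeName, $_.Exception.GetBaseException().GetType().Name
    }
}

@(
    'System.Security.Cryptography.SHA256Managed',
    'System.Security.Cryptography.SHA256CryptoServiceProvider',
    'System.Security.Cryptography.SHA256Cng',
    'System.Security.Cryptography.AesManaged',
    'System.Security.Cryptography.AesCryptoServiceProvider'
) | ForEach-Object { Test-CryptoProvider -TypeName $_ }
```

Run it once before and once after Task 2 and Task 3: after enabling the policy, the two `*Managed` lines should report `InvalidOperationException` while the CryptoServiceProvider and Cng lines still report `OK`, and `AllowOnlyFipsAlgorithms` should be `True`. If the registry value is 1 but the .NET flag is still `False`, the IIS worker process or PowerShell session predates the policy change and needs the reset from Task 3.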

Related Information