Enabling FIPS Compliance

Overview

The Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are United States Government standards that provide a benchmark for implementing cryptographic software. Secret Server was tested and operates correctly in FIPS-compliant environments.

The Microsoft .NET implementations of AES and SHA are not FIPS certified, so Secret Server uses the Windows API versions of these algorithms, which are FIPS certified, for its encryption functionality.

See FIPS 140-2 Validation for the FIPS certificate numbers for the Windows operating systems, including the algorithm implementations that we use. Supported operating systems include Windows Server 2008 R2 and above.

Site-Specific FIPS Configuration

Individual sites are configurable for FIPS compatibility. The setting is available on the Administration > Distributed Engine > Site Configuration page, in the Engine Default Settings dialog box. All engines on a site will use this setting, overriding the global setting, which is configured at Administration > Configuration > Security.

Procedure

To enable FIPS compliance:

Task 1: Enable FIPS in Secret Server

  1. Ensure Secret Server is already installed.

    Secret Server is unavailable and may give errors (such as "Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms") until all the steps are completed.
    During Secret Server installation, if FIPS compliance for Windows has already been enabled, 'InvalidOperationException' error messages may result. To resolve the issue, please contact support for assistance.
    If FIPS is enabled as part of a domain group policy, it must be disabled before the option can be enabled in Secret Server, otherwise an error may occur. It can be re-enabled using group policy once the feature has been enabled in the application.
  2. In Secret Server, go to Admin > Configuration.

  3. Click the Security tab.

  4. Click the Edit button at the bottom of the page.

  5. Click to enable the Enable FIPS Compliance check box in the FIPS Compliance section.

  6. Click the Save button.

Task 2: Enable FIPS in Windows

  1. At the Windows command prompt, run secpol.msc. The Local Security Policy application appears.

  2. In the left pane, drill down to Security Settings > Local Policies > Security Options.

  3. In the right pane double-click the System Cryptography: Use FIPS Compliant algorithms for encryption, hashing, and signing policy. Its properties appear.

  4. Click to enable the Enabled selection button on the Local Security Setting tab.

  5. Click the OK button.

  6. Close the Local Security Policy application.

Task 3: Reset the IIS Server

Run iisreset from the Windows command prompt. IIS resets.

When using FIPS compliance mode in Secret Server, we use the NIST-certified encryption algorithms within the Windows Operating System.
There should be no need to enable FIPS on the database server operating system because the encryption applies between the application and the database, not between the operating systems. Data is encrypted before it reaches the database.
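As an added example that is not part of this documentation or of Delinea's code, the following Windows PowerShell script verifies the state that Task 2 and Task 3 leave behind and shows, under that policy, why the managed .NET AES and SHA classes cannot be used while the Windows API (CAPI/CNG) implementations still work. It assumes an elevated Windows PowerShell 5.1 session (the .NET Framework) on the Secret Server host; the registry value is the one the secpol.msc policy writes.

```powershell
# Added example, not Delinea code. Assumes an elevated Windows PowerShell 5.1
# session on the Secret Server host (.NET Framework, whose managed AES/SHA
# classes are the ones that are not FIPS validated).

# Task 2 (secpol.msc) sets this value; Enabled = 1 means the policy is on.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$policy  = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$fipsOn  = ($null -ne $policy) -and ($policy.Enabled -eq 1)
"Windows FIPS policy enabled   : $fipsOn"

# The .NET Framework reads that policy when a process starts, which is why the
# IIS worker processes only see the change after the iisreset in Task 3.
$dotnet = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
"Framework enforcing FIPS-only : $dotnet"

function Test-CryptoImpl {
    # Construct one .NET crypto class and report whether the policy allows it.
    # Under the policy, the managed classes throw the InvalidOperationException
    # ("...not part of the Windows Platform FIPS validated cryptographic
    # algorithms") that Secret Server reports until FIPS setup is complete.
    param([string]$TypeName)
    try {
        $obj = New-Object -TypeName $TypeName
        $obj.Dispose()
        "  {0,-58} OK" -f $TypeName
    } catch {
        # New-Object wraps the constructor's exception; unwrap it for the report.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        "  {0,-58} BLOCKED ({1})" -f $TypeName, $ex.GetType().Name
    }
}

"Per-implementation check under the current policy:"
@(
    'System.Security.Cryptography.SHA256Managed',                # managed: blocked when FIPS is on
    'System.Security.Cryptography.SHA256CryptoServiceProvider',  # CAPI: FIPS validated
    'System.Security.Cryptography.SHA256Cng',                    # CNG: FIPS validated
    'System.Security.Cryptography.AesManaged',                   # managed: blocked when FIPS is on
    'System.Security.Cryptography.AesCryptoServiceProvider'      # CAPI: FIPS validated
) | ForEach-Object { Test-CryptoImpl $_ }

# After changing the policy, repeat Task 3 so the IIS app pools pick it up:
# iisreset
```

Run it once before Task 2 and once after Task 3: the managed classes move from OK to BLOCKED while the CryptoServiceProvider and Cng classes stay OK, which is the behaviour Secret Server relies on.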

Troubleshooting

If you have an endpoint that requires FIPS compliance, and Secret Server is not configured for FIPS, you cannot establish a connection with that endpoint.

FIPS enforcement is dictated by the target machine. If the target requires FIPS compliance but the initiating system is unaware of this requirement, the initiating system might attempt to secure the connection using non-FIPS algorithms. Such attempts are rejected by the target endpoint.

Conversely, if Secret Server is configured for FIPS compliance, it will successfully connect to target systems that do not require FIPS. The only exception to this is if the target endpoint specifically rejects a FIPS-approved algorithm that the Secret Server engine is trying to use.

Enabling FIPS compliance in Secret Server restricts the cryptographic algorithms to FIPS-approved options during the initial handshake when connecting to the target. If the target does not support these FIPS-approved algorithms, the handshake fails, preventing a successful connection.

Thus, when troubleshooting FIPS-related connectivity, you might want to identify the algorithms supported by the target and ensure that the SSH algorithms configured in Secret Server match at least one of the target's supported algorithms.
