Installation Guides › Implementation Guide › Architectural Considerations › Implementation Considerations › Determine if Advanced Encryption Standards are Required

Determine if Advanced Encryption Standards are Required

Does your organization require the use of Federal Information Processing Standard (FIPS) 140–2 compliant algorithms?

The SOA Security Manager implementation of the Advanced Encryption Standard (AES) supports the FIPS 140–2 standard. FIPS is a US government computer security standard used to accredit cryptographic modules that meet the AES.

The Policy Server uses certified FIPS 140–2 compliant cryptographic libraries. These cryptographic libraries provide a FIPS mode of operation when a SOA Security Manager environment only uses AES–compliant algorithms to encrypt sensitive data. A SOA Security Manager environment can operate in one of the following FIPS modes of operation.

• FIPS–compatibility
• FIPS–only

Note: For more information about the cryptographic libraries SOA Security Manager uses and the AES algorithms used to encrypt sensitive data in FIPS–only mode, see the Policy Server Administration Guide. For more information about the FIPS modes of operation and which to use when installing the Policy Server, see the Policy Server Installation Guide.

If you are implementing AES encryption through FIPS-only mode, consider the following:

• All third–party components, including directory servers, databases, and drivers must be configured to support FIPS–compliant algorithms.

  Note: For more information about your vendors ability to support the FIPS 140–2 standard, see the vendor-specific documentation.

• If the environment uses X.509 Client Certificate authentication schemes, be sure that the user certificates are generated using only FIPS–compliant algorithms.
• If the Policy Servers are to connect to policy stores or user stores using SSL, be sure that the Policy Servers and directory stores use certificates that are FIPS–compliant.
• All SOA Agents that ship with SOA Security Manager r12.1 SP3 are FIPS–compliant. To determine if other agents are FIPS–compliant, see the agent–specific documentation.

Important! An environment that is running in FIPS–only mode cannot operate with and is not backward compatible to earlier versions of SOA Security Manager. This requirement includes all agents, custom software using older versions of the SOA Security Manager SDK. Re–link all such software with the r12.1 SP3 versions of the SDK to achieve the required support for FIPS–only mode.