SSL Configuration for FIPS ONLY Mode

For an installation of the SPS in FIPS ONLY mode, the SSL configuration that is required is described in the following procedure.

To configure SSL in FIPS ONLY mode

  1. Verify that the OPENSSL_FIPS environment variable is set to 1 and that the CA_SM_PS_FIPS140 environment variable is set to ONLY.
  2. Generate a server key. Specify a key size of at least 1024 bits (the size argument to openssl genrsa is in bits, not KB). Be sure that the algorithm used to encrypt the key (des3 in the following example) is FIPS-approved. Note that 1024 bits is the minimum the product accepts, not a recommended size: 1024-bit RSA is below current NIST guidance (SP 800-131A calls for 2048 bits or more). For example:
    openssl genrsa -des3 -out server.key 1024
    
  3. Generate a Certificate Signing Request (CSR) for that key, as shown in this example:
    openssl req -config openssl.cnf -new -key server.key -out server.csr
    
  4. Have the certificate signed by a Certificate Authority (CA).
  5. Install the signed certificate.
  6. Verify that the SSLPassPhraseDialog directive in the httpd-ssl.conf file (located in the sps_home\httpd\conf\extra folder) is set to custom.
  7. Verify that the SSLCustomPropertiesFile directive is set to <sps_home>/Tomcat/properties/spsssl.properties.
  8. Enable SSL on the SPS as follows:

    On UNIX

    1. Enter the following command:
      sps_home/secure-proxy/proxy-engine/configssl.sh passphrase 
      

      Note: The passphrase is the same one you provided for the key in Step 2.

      This command encrypts the passphrase and stores it in the spsssl.properties file.

    2. Enter the following command:
      sps_home/secure-proxy/proxy-engine/sps-ctl startssl
      

      SSL is enabled.

    On Windows

    1. Enter the following command:
      sps_home\httpd\bin\configssl.bat -enable passphrase


      Note: The passphrase is the same one you provided for the key in Step 2.

      This command encrypts the passphrase and stores it in the spsssl.properties file.

    2. Restart the Secure Proxy Service.

      SSL is enabled.

Note: If you later want to run the SPS without SSL, enter the following command:

sps_home\httpd\bin\configssl.bat -disable
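The following script is an added example, not part of the SPS documentation or product. It wraps Steps 1 to 3 of the procedure above as a pre-flight check: it verifies the two FIPS environment variables from Step 1, enforces the key size from Step 2 (in bits, with a warning below 2048), and only then runs the openssl genrsa and openssl req commands from Steps 2 and 3. The file names, the certificate subject, the SPS_KEY_PASSPHRASE variable name and the use of openssl's -passout/-passin options are assumptions of this example; the page itself only shows the bare commands.

```sh
#!/bin/sh
# Added example (not SPS code): pre-flight check plus key/CSR generation for
# the FIPS ONLY SSL procedure. Assumed names: SPS_KEY_PASSPHRASE, the output
# file names and the subject string passed by the caller.

# Step 1: both variables must be set exactly as documented.
check_fips_env() {
    if [ "${OPENSSL_FIPS:-}" != "1" ]; then
        echo "OPENSSL_FIPS must be 1 (is '${OPENSSL_FIPS:-unset}')" >&2
        return 1
    fi
    if [ "${CA_SM_PS_FIPS140:-}" != "ONLY" ]; then
        echo "CA_SM_PS_FIPS140 must be ONLY (is '${CA_SM_PS_FIPS140:-unset}')" >&2
        return 1
    fi
    return 0
}

# Step 2: the documented minimum is 1024 bits; anything smaller (or not a
# number) is rejected. Sizes below 2048 bits are accepted with a warning,
# since 1024-bit RSA is below current NIST guidance (SP 800-131A).
check_key_bits() {
    bits="$1"
    case "$bits" in
        ''|*[!0-9]*) echo "key size must be a number of bits" >&2; return 1 ;;
    esac
    if [ "$bits" -lt 1024 ]; then
        echo "key size $bits is below the documented minimum of 1024 bits" >&2
        return 1
    fi
    if [ "$bits" -lt 2048 ]; then
        echo "warning: $bits-bit RSA is below current guidance; prefer 2048 or more" >&2
    fi
    return 0
}

# Steps 2 and 3: generate the des3-protected key and the CSR. The passphrase
# is read from SPS_KEY_PASSPHRASE (assumed name) so it never appears on the
# command line; the same value is later given to configssl.sh/configssl.bat.
generate_key_and_csr() {
    bits="$1"; key="$2"; csr="$3"; subject="$4"
    check_fips_env || return 1
    check_key_bits "$bits" || return 1
    if [ -z "${SPS_KEY_PASSPHRASE:-}" ]; then
        echo "SPS_KEY_PASSPHRASE is not set" >&2
        return 1
    fi
    openssl genrsa -des3 -passout env:SPS_KEY_PASSPHRASE -out "$key" "$bits" || return 1
    openssl req -new -key "$key" -passin env:SPS_KEY_PASSPHRASE \
        -subj "$subject" -out "$csr" || return 1
    # Sanity check before the CSR goes to the CA in Step 4: the request must
    # verify against its own public key.
    openssl req -in "$csr" -noout -verify
}

# Usage: nothing runs unless the script is invoked with the argument "run":
#   SPS_KEY_PASSPHRASE=... OPENSSL_FIPS=1 CA_SM_PS_FIPS140=ONLY sh fips_csr.sh run
if [ "${1:-}" = "run" ]; then
    generate_key_and_csr 2048 server.key server.csr "/CN=proxy.example.com/O=Example"
fi
```

Run it in the same shell environment in which the SPS will start, so the check sees the same OPENSSL_FIPS and CA_SM_PS_FIPS140 values the proxy engine will see; a value that passes here but is set only in your interactive profile is a common reason the proxy later refuses to start in FIPS ONLY mode.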