
SSL Configurations for FIPS ONLY Mode

Configure the SPS to support FIPS ONLY mode.

Follow these steps:

  1. Verify that the OPENSSL_FIPS environment variable is set to 1 and the CA_SM_PS_FIPS140 environment variable is set to ONLY.
  2. Generate a server key with a minimum key size of 1024 KB and a FIPS-compliant algorithm.

    Example:

    openssl genrsa -des3 -out server.key 1024
    
  3. Generate a Certificate Signing Request (CSR).

    Example:

    openssl req -config openssl.cnf -new -key server.key -out server.csr
    
  4. Sign the certificate by a Certificate Authority (CA).
  5. Install the signed certificate.
  6. Open the httpd-ssl conf file.

    Default Path: sps_home\httpd\conf\extra\httpd-ssl.conf

  7. Verify that the directives of the server key and certs are correct.
  8. Set the value of the SSLPassPhraseDialog variable to custom.
  9. Uncomment the following line in httpd-ssl.conf:
    SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
    
  10. Set the value of the SSLCustomPropertiesFile variable to <sps_home>\httpd\conf\spsapachessl.properties.
  11. Set the value of the SSLSpsFipsMode variable to ONLY.
  12. Perform one of the following steps:
    1. If you are configuring FIPS ONLY mode on Windows, perform the following steps:
      1. Execute the following command from the command prompt:
           sps_home\httpd\bin\configssl.bat -enable passphrase

      Note: The passphrase value must match the passphrase value of the server key.

      The passphrase is encrypted and is stored in the spsapachessl.properties file.

      2. Restart the Secure Proxy Service.
    2. If you are configuring FIPS ONLY mode on UNIX, perform the following steps:
      1. Execute the following command:
           sps_home/secure-proxy/proxy-engine/configssl.sh passphrase

      Note: The passphrase value must match the passphrase value of the server key.

      The passphrase is encrypted and is stored in the spsapachessl.properties file.

      2. Execute the following command:
           sps_home/secure-proxy/proxy-engine/sps-ctl startssl

    SSL in FIPS ONLY mode is enabled and configured.

Note: If you want to run SPS without SSL, you can execute the sps_home\httpd\bin\configssl.bat -disable command to disable SSL.
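A pre-flight check for the procedure above, added here as an example and not part of the SPS product: it verifies the two environment variables from step 1 and the httpd-ssl.conf directives from steps 8 through 11 before the SSL restart. The two conf files it checks are constructed inline; point check_ssl_conf at the real httpd-ssl.conf on a server.

```shell
#!/bin/sh
# Added pre-flight check for FIPS ONLY mode (example code, not SPS's own).
# Verifies the step-1 environment variables and the httpd-ssl.conf directives
# set in steps 8-11. The two conf files below are constructed samples.

# check_fips_env: returns 0 when both variables hold the required values.
check_fips_env() {
  [ "${OPENSSL_FIPS:-}" = "1" ] || { echo "OPENSSL_FIPS must be 1"; return 1; }
  [ "${CA_SM_PS_FIPS140:-}" = "ONLY" ] || { echo "CA_SM_PS_FIPS140 must be ONLY"; return 1; }
}

# directive_value FILE NAME: prints the value of the first active (uncommented)
# occurrence of directive NAME, with surrounding double quotes removed.
directive_value() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}' | tr -d '"'
}

# check_ssl_conf FILE: returns 0 only if all three directives are set as required.
check_ssl_conf() {
  rc=0
  [ "$(directive_value "$1" SSLPassPhraseDialog)" = "custom" ] \
    || { echo "SSLPassPhraseDialog is not custom"; rc=1; }
  [ "$(directive_value "$1" SSLSpsFipsMode)" = "ONLY" ] \
    || { echo "SSLSpsFipsMode is not ONLY"; rc=1; }
  [ -n "$(directive_value "$1" SSLCustomPropertiesFile)" ] \
    || { echo "SSLCustomPropertiesFile is missing or still commented out"; rc=1; }
  return $rc
}

# Constructed sample confs: one edited per steps 8-11, one still at the defaults.
WORKDIR=$(mktemp -d); trap 'rm -rf "$WORKDIR"' EXIT
GOOD_CONF="$WORKDIR/httpd-ssl.conf"; BAD_CONF="$WORKDIR/httpd-ssl.before.conf"
cat > "$GOOD_CONF" <<'EOF'
SSLPassPhraseDialog custom
SSLCustomPropertiesFile "sps_home\httpd\conf\spsapachessl.properties"
SSLSpsFipsMode ONLY
EOF
cat > "$BAD_CONF" <<'EOF'
SSLPassPhraseDialog builtin
#SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
EOF

check_ssl_conf "$GOOD_CONF" && echo "$GOOD_CONF: ready for FIPS ONLY"
check_ssl_conf "$BAD_CONF" || echo "$BAD_CONF: not ready for FIPS ONLY"
```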