FIPS-140
Versions: 18c - 19c

Overview
-- from the Oracle on-line docs with small edits to enhance clarity.

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that defines security requirements for cryptographic modules.

The FIPS 140-2 cryptographic libraries are designed to protect data at rest and data in transit over the TCP/IP network.

Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and the DBMS_CRYPTO PL/SQL package.

To verify the current status of the certification, you can find information at the Computer Security Resource Center (CSRC) Web site address from the National Institute of Standards and Technology: http://csrc.nist.gov/groups/STM/cmvp/validation.html

Information specific to FIPS can be found by searching for Validated FIPS 140 Cryptographic Modules.

The security policy, published on Oracle's website once certification succeeds, includes requirements for secure configuration of the host operating system.

FIPS flagging was introduced with Oracle 18c.
 
Database FIPS Compliance
The in-database portion of preparing the Oracle Database for FIPS 140-2 compliance requires setting a single startup initialization parameter to TRUE, bouncing the database, and verifying that the parameter has been changed correctly.
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Aug 28 13:41:28 2019
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Enter user-name: / as sysdba

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

ALTER SYSTEM SET dbfips_140 = TRUE
COMMENT='Enabled 4 Nov 2019'
CONTAINER=ALL
SID='*'
SCOPE=SPFILE;

-- restart the database

SHUTDOWN IMMEDIATE;
STARTUP NOMOUNT;
ALTER DATABASE MOUNT;
ALTER DATABASE OPEN;

After exiting SQL*Plus, open a terminal window on the database server and navigate to the directory containing the database's sqlnet.ora file. If it contains the string SQLNET.SSLFIPS_140, remove it; that setting was valid in Database 10g but is not valid in 12c and above. Then reconnect as SYSDBA and verify the parameter.

SELECT name, value
FROM v$parameter
WHERE name = 'DBFIPS_140';

NAME                           VALUE
------------------------------ ------------------------------
DBFIPS_140                     TRUE
 
Linux FIPS Compliance
The operating system portion of preparing the Oracle Database for FIPS 140-2 compliance requires creating the directory $ORACLE_HOME/ldap/admin, if it does not already exist, and creating a fips.ora file inside it.

# creating the fips.ora file
# log into the Linux shell as the user oracle

cd $ORACLE_HOME/ldap

ls -al

# create the admin directory if it does not already exist, then move into it
mkdir -p admin
cd admin

# create fips.ora containing the single line SSLFIPS_140=TRUE
touch fips.ora
echo 'SSLFIPS_140=TRUE' > fips.ora

# make the file read-only
chmod 444 fips.ora

# exit the shell
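As an added example, not part of the original page and not Oracle's own tooling, the following POSIX shell script performs the fips.ora creation above idempotently and then audits both operating-system requirements from this page: that $ORACLE_HOME/ldap/admin/fips.ora exists, contains SSLFIPS_140=TRUE and is mode 444, and that sqlnet.ora no longer carries the obsolete SQLNET.SSLFIPS_140 line. It assumes sqlnet.ora lives at $ORACLE_HOME/network/admin/sqlnet.ora (the conventional default; pass a different path as the second argument of audit_fips_os). The demonstration at the bottom runs against a constructed throw-away directory, so no database is needed.

```shell
#!/bin/sh
# Added audit script (not from the original page or from Oracle): checks the
# operating-system side of the FIPS setup described above.
# Assumed paths: $ORACLE_HOME/ldap/admin/fips.ora (as on the page) and
# $ORACLE_HOME/network/admin/sqlnet.ora (the conventional default location).

# Create fips.ora the way the page describes, idempotently: make the admin
# directory if it is missing, write SSLFIPS_140=TRUE, make the file read-only.
install_fips_ora() {
    dir="$1/ldap/admin"
    mkdir -p "$dir"                 # works whether or not admin already exists
    rm -f "$dir/fips.ora"           # replace an older, possibly read-only copy
    printf 'SSLFIPS_140=TRUE\n' > "$dir/fips.ora"
    chmod 444 "$dir/fips.ora"
}

# Return 0 only if fips.ora exists, sets SSLFIPS_140=TRUE (case-insensitive,
# spaces around '=' tolerated) and has mode 0444; print the first failure found.
check_fips_ora() {
    f="$1/ldap/admin/fips.ora"
    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"; return 1
    fi
    if ! grep -Eiq '^[[:space:]]*SSLFIPS_140[[:space:]]*=[[:space:]]*TRUE[[:space:]]*$' "$f"; then
        echo "FAIL: SSLFIPS_140=TRUE not set in $f"; return 1
    fi
    if [ -z "$(find "$f" -perm 444)" ]; then
        echo "FAIL: $f is not mode 444"; return 1
    fi
    echo "OK: $f"
}

# Return 0 if sqlnet.ora is absent or does not carry the obsolete
# SQLNET.SSLFIPS_140 setting that the page says must be removed on 12c and later.
check_sqlnet_ora() {
    f="$1"
    if [ -f "$f" ] && grep -iq 'SQLNET\.SSLFIPS_140' "$f"; then
        echo "FAIL: obsolete SQLNET.SSLFIPS_140 still present in $f"; return 1
    fi
    echo "OK: $f"
}

# Run both checks against an ORACLE_HOME (optional second argument: sqlnet.ora
# path); exit status 0 means both checks passed.
audit_fips_os() {
    home="$1"
    sqlnet="${2:-$home/network/admin/sqlnet.ora}"
    rc=0
    check_fips_ora "$home" || rc=1
    check_sqlnet_ora "$sqlnet" || rc=1
    return $rc
}

# Demonstration on a constructed, throw-away ORACLE_HOME (no real database needed).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/network/admin"
printf 'SQLNET.SSLFIPS_140=TRUE\n' > "$demo_home/network/admin/sqlnet.ora"   # constructed stale 10g-era line
audit_fips_os "$demo_home" || echo "audit failed before configuration (expected)"
install_fips_ora "$demo_home"
sed -i.bak '/SQLNET\.SSLFIPS_140/d' "$demo_home/network/admin/sqlnet.ora"     # drop the stale line
audit_fips_os "$demo_home" && echo "audit passed after configuration"
rm -rf "$demo_home"
```

Run it as the oracle user; calling audit_fips_os "$ORACLE_HOME" on a real home returns a non-zero exit status when either check fails, which makes the script usable from a scheduled configuration-compliance job.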
 
FIPS Flagging
The Federal Information Processing Standard for SQL (FIPS 127-2) requires a way to identify SQL statements that use vendor-supplied extensions.

The following code demonstrates use of ALTER SESSION SET FLAGGER.
ALTER SESSION SET FLAGGER=<ENTRY | FULL | INTERMEDIATE | OFF>;
conn uwclass/uwclass@pdbdev

CREATE OR REPLACE FUNCTION test(x IN VARCHAR2) RETURN VARCHAR2
AUTHID DEFINER IS
BEGIN
RETURN x;
END;
/
Function created.

ALTER SESSION SET flagger=FULL;

CREATE OR REPLACE FUNCTION test(x VARCHAR2) RETURN VARCHAR2
AUTHID DEFINER IS
  RETURN x;
END;
/
CREATE OR REPLACE FUNCTION test(x VARCHAR2) RETURN VARCHAR2
*
ERROR at line 1:
ORA-00097: use of Oracle SQL feature not in SQL92 Full Level


ALTER SESSION SET flagger=OFF;

CREATE OR REPLACE FUNCTION test(x VARCHAR2) RETURN VARCHAR2 AUTHID DEFINER IS
BEGIN
  RETURN x;
END;
/
Function created.
 
Conclusion
Are you going to change all of your internet passwords to "password1" because you are not required by law to practice safe computing?

Just because you are not forced to be FIPS compliant is not a good reason not to be.

It will take only a few minutes to do it the right way. We recommend that you do.
