Deploying FIPS Mode
Preparation
FIPS Mode can only be configured when certain other configuration preconditions have been met. These preconditions are required to provide a suitable environment for using a FIPS 140-2 cryptographic module for processing traffic.
Therefore in preparation for enabling FIPS Mode, the following configuration elements should be inspected and updated accordingly.
Supported SSL/TLS Versions
As per the guidance in SP 800-52r1, only TLS 1.0 and later versions are suitable for operating in an environment using a FIPS 140-2 cryptographic module.
Therefore, to enable FIPS Mode, ensure your Traffic Manager configuration has SSLv3 disabled by setting ssl!support_ssl3 to "No" on the System > Global Settings > SSL Configuration page. Additionally, ensure that your virtual servers and pools do not override the global SSL setting on an individual basis (using the ssl_support_ssl3 settings on the Virtual Server > Edit > SSL Decryption and Pool > Edit > SSL Encryption pages).
ATTENTION
If your SSL virtual server clients and pool nodes do not support TLS 1.0 or later, they will no longer be able to connect using SSL.
SSL3 Cipher Suite selection
The FIPS 140-2 requirements provide a list of approved cryptographic methods that a FIPS 140-2 cryptographic module may include. Methods that are not approved are not permitted in the cryptographic module.
Some SSL/TLS cipher suites include cryptographic methods that are not approved by FIPS 140-2; common examples include the RC4 stream cipher and the MD5 digest algorithm. So that all TLS cryptography can be performed using the FIPS 140-2 cryptographic module when in FIPS Mode, the list of cipher suites that can be configured for use with the Traffic Manager is reduced to the following set:
•SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
•SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
•SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
•SSL_RSA_WITH_AES_128_GCM_SHA256
•SSL_RSA_WITH_AES_128_CBC_SHA256
•SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
•SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
•SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
•SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
•SSL_RSA_WITH_AES_128_CBC_SHA
•SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
•SSL_DHE_RSA_WITH_AES_128_CBC_SHA
•SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
•SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
•SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
•SSL_RSA_WITH_AES_256_GCM_SHA384
•SSL_RSA_WITH_AES_256_CBC_SHA256
•SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
•SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
•SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
•SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
•SSL_RSA_WITH_AES_256_CBC_SHA
•SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
•SSL_DHE_RSA_WITH_AES_256_CBC_SHA
Additionally, for TLSv1.3:
•TLS_AES_128_GCM_SHA256
•TLS_AES_256_GCM_SHA384
ATTENTION
This will have an impact on interoperability with SSL virtual server clients and pool nodes: if they do not support any of the FIPS 140-2 compatible cipher suites, they will no longer be able to connect via SSL.
TrafficScript Functions
TrafficScript provides access to a number of cryptographic operations for rules executed in the Traffic Manager. When operating in FIPS Mode, these operations will be provided by the FIPS 140-2 cryptographic module.
For TrafficScript functions that use cryptographic methods not approved for FIPS 140-2 cryptographic modules, those functions will not execute successfully when operating in FIPS Mode. It is recommended that you migrate any uses of the TrafficScript functions listed below to an alternative cryptographic digest implementation that is approved for FIPS 140-2 cryptographic modules.
The TrafficScript functions that will produce an error when used in FIPS Mode are those that use the MD5 algorithm:
Function invalid in FIPS Mode | Suggested replacement
string.hashMD5() | string.hashSHA1()
ssl.serverCertHash() | ssl.serverCertSHA1()
ssl.clientCertHash() | ssl.clientCertSHA1()
PKI Certificates
Public Key Infrastructure certificates and keys are cryptographic assets that need to be considered as part of a FIPS 140-2 deployment.
With FIPS Mode enabled, the Traffic Manager supports the use of RSA or ECDSA public/private keys only. DSA keys are not supported.
Key Strength
Although not directly considered in the FIPS 140-2 document, SP 800-131A covers a set of requirements for acceptable strength of keys used in cryptographic operations. These requirements are generally enforced by a FIPS 140-2 cryptographic module, and so must be considered prior to enabling FIPS Mode. For a more formal discussion about what "key strength" actually is (in this context), see the SP 800-51 Part 1 publication referred to in the FIPS 140-2 section above.
Signature Algorithm
Beyond the strength of a key represented by a certificate, a certificate itself contains a cryptographic signature to enable validation that the certificate is the same as that validated by the issuer.
The algorithms used to create and validate the cryptographic signature must be approved for use in a FIPS 140-2 cryptographic module when in FIPS Mode. In FIPS Mode only those certificates whose signature digest uses the FIPS-approved SHA-1, SHA256, SHA384 and SHA512 algorithms can be used.
Traffic Manager SSL Configuration
Prior to enabling FIPS Mode, the Traffic Manager SSL catalog (found at Catalogs > SSL) should be audited for:
•Certificates and keys that have a modulus value that is less than 1024 bits, and;
•Certificates that have a signature using a non-approved digest algorithm, typically MD2 and MD5.
If you attempt to enable FIPS Mode while such assets remain in the configuration, validation errors will highlight any certificates in the current configuration that will prevent the operation from succeeding.
Alternatively, you can use the command-line "cert" tool included in your Traffic Manager installation to evaluate individual certificates. For example, to inspect the SSL Server Certificate 'example' certificate file, use the following command:
$ZEUSHOME/admin/bin/cert --format text \
--in $ZEUSHOME/zxtm/conf/ssl/server_keys/example.public
Once these "weak assets" have been identified, you should evaluate their purpose in your Traffic Manager deployment to determine whether they are actually required and, if they are, what other systems or services need to be changed, updated, or deprecated to successfully move your Traffic Manager deployment towards having FIPS Mode enabled. These "weak assets" must be removed before FIPS Mode can be enabled.
ATTENTION
Removing certificates and private keys may have an impact on connectivity with your Traffic Manager deployment. For example, SSL clients may be required to present a certificate signed by a "weak" CA, or the Traffic Manager itself may be required to provide a specific certificate when connecting by SSL to nodes in a pool. In these example cases, removing the "weak assets" will prevent clients, and the Traffic Manager, from creating SSL connections.
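The catalog audit described above can be scripted. The following is an added example, not part of the product or its documentation: it uses openssl in place of the Traffic Manager "cert" tool, assumes the *.public files are PEM certificates, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. openssl stands in for the Traffic Manager "cert" tool.

# Reads `openssl x509 -noout -text` output on stdin. Prints "OK" or a list of
# findings: WEAK_DIGEST:<alg>, DSA_KEY, WEAK_RSA_MODULUS:<bits>.
classify_cert_text() {
    text=$(cat)
    findings=""

    # Signature algorithm recorded in the certificate (first occurrence).
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in
        *md2*|*md5*) findings="$findings WEAK_DIGEST:$sig" ;;
    esac

    # Public key type and size; the modulus rule applies to RSA keys only.
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    case $alg in
        dsaEncryption) findings="$findings DSA_KEY" ;;
        rsaEncryption)
            if [ -n "$bits" ] && [ "$bits" -lt 1024 ]; then
                findings="$findings WEAK_RSA_MODULUS:$bits"
            fi ;;
    esac

    if [ -z "$findings" ]; then echo OK; else echo "${findings# }"; fi
}

# Constructed sample input: the relevant lines of a text dump for a 512-bit
# RSA key in a certificate signed with MD5.
sample_weak_cert_text() {
    printf '%s\n' \
        '    Signature Algorithm: md5WithRSAEncryption' \
        '            Public Key Algorithm: rsaEncryption' \
        '                Public-Key: (512 bit)'
}

# Report every certificate in a catalog directory (assumed PEM *.public files).
audit_catalog() {
    for f in "$1"/*.public; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$f" "$(openssl x509 -noout -text -in "$f" | classify_cert_text)"
    done
}

if [ $# -gt 0 ]; then audit_catalog "$1"; fi
```

Pass the catalog directory as the only argument, for example $ZEUSHOME/zxtm/conf/ssl/server_keys; certificates signed with SHA-1 or later digests and RSA keys of 1024 bits or more report OK, matching the criteria listed above.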
Deployment Considerations
In addition to the above, you should consider your deployment where the Traffic Manager is in operation.
When operating in FIPS Mode, the Traffic Manager will reject requests to process cryptographic "weak assets" regardless of whether they are from the local configuration or received from remote systems.
ATTENTION
If you are expecting virtual server clients to present certificates when connecting to the Traffic Manager by SSL, or the Traffic Manager is connecting to pool nodes by SSL, you should ensure the certificates presented by virtual server clients and pool nodes are suitable for operations in FIPS Mode.
Certificate Chains
When operating with chains of certificates, no certificate in the chain may be "weak" if that certificate chain is to be used successfully by the Traffic Manager in FIPS Mode.
Key Exchange Strength
Some cipher suites make use of the Diffie-Hellman Key Exchange algorithm. SP 800-131A covers a set of requirements for acceptable strength of keys, which is also applicable for the Diffie-Hellman algorithm.
The size of the modulus in the domain parameters for finite field Diffie-Hellman key agreement used by the Traffic Manager can be configured with the ssl!diffie_hellman_modulus_size configuration key (from the “SSL Configuration” section of the System > Global Settings page).
Ensuring / Retaining Validity
The validity of a FIPS 140-2 cryptographic module is defined by the testing performed by an accredited testing laboratory. Testing for a software cryptographic module is performed on a specific hardware/operating system platform (operational environment). When a FIPS 140-2 cryptographic module is used in an operational environment where it has been validated, that module can be considered FIPS 140-2 validated.
The details about the operational environments in which the RCSM has been validated can be found in its listing on the NIST Web site.
While testing has been performed on a limited number of operational environments (and thus the RCSM used in those environments has explicit FIPS 140-2 validity), it is understood that a validated FIPS 140-2 cryptographic module (Level 1) may retain its validity when operating in an environment where it has not been explicitly validated (for FIPS 140-2).
The Implementation Guidance for FIPS 140-2 (http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf) covers this case under section G.5. This covers the "porting" rules that a vendor (Riverbed in the case of the RCSM) or a user, for example, an administrator for a Traffic Manager installation, should conform to in order to retain FIPS 140-2 validity on a platform that has not been explicitly listed as validated. Note that NIST (specifically CMVP) remains the overall arbitrator of whether a FIPS 140-2 cryptographic module is or is not considered valid.
ATTENTION
If you are concerned about whether or not the Traffic Manager will retain the FIPS 140-2 validity of the RCSM in your installation, please contact your support provider.
Non-Linux Operating Systems
The RCSM has only been tested for validation on versions of the Linux Operating System. Support and validation for non-Linux systems is not available.
Enabling FIPS Mode
Provided you have followed the preceding instructions for preparing your Traffic Manager deployment, you can enable FIPS Mode by accessing the System > Global Settings page of the Admin UI and setting the fips!enabled configuration key to “Yes”.
fips!enabled is a cluster-wide setting that cannot vary by location.
Restart Traffic Managers
Setting the fips!enabled key in your configuration is not sufficient to have the Traffic Manager operate fully in FIPS Mode; a restart of each Traffic Manager instance in the cluster is required.
ATTENTION
Restarting the Traffic Manager disconnects any active connections. For high availability deployments, Ivanti recommends that you schedule this operation to minimize the interruption to your services. For further information, see the Pulse Secure Virtual Traffic Manager: Installation and Getting Started Guide applicable to your product variant.
Validation
When using the Admin UI or SOAP-based Control API after enabling FIPS Mode, the Traffic Manager will perform a validation of your configuration to ensure that various criteria for FIPS Mode are met.
Any aspect of the configuration that is in conflict with FIPS Mode will generate an error. If you see such an error, please refer to the Preparation section above with respect to the error you observe.
Operating in FIPS Mode
When operating in FIPS Mode, each Traffic Manager in a cluster will report whether it is successfully operating in FIPS Mode in the event log. A message such as the following can be seen:
FIPS 140-2 Cryptographic module loaded: FIPS Mode in operation
FIPS Mode Errors
If there is an error when trying to enable FIPS Mode, the Traffic Manager will report this in the event log. In the Traffic Manager component where FIPS Mode failed, cryptographic operations (and services that utilize those operations) will be disabled within that component.
As an example, consider a Traffic Manager with two HTTP virtual servers, one with SSL decryption and one without. If FIPS Mode fails to successfully initialize, the SSL decrypting virtual server will be disabled and no traffic will be processed; the other virtual server will operate normally.
ATTENTION
Even if a Traffic Manager is successfully started with FIPS Mode in operation, it is possible, although rare, that during operation the requirements for FIPS 140-2 will cease to be met. In these cases, the same behavior as encountered during an initialization failure can be expected: the failing Traffic Manager will report an error, and cryptographic operations will no longer be available where FIPS Mode has failed.