000015783 - When should I use FIPSMode=false in RKM client configuration?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000015783
Applies To: RSA Key Manager Client
Issue
When should I use FIPSMode=false in RKM client configuration?
What is FIPS?
Resolution

As a rule of thumb, set FIPSMode=false in the RKM Client configuration if ONE of the following items is true:

  • You got your .pfx/.p12 by exporting your client certificate and private key from MS Internet Explorer. MSIE encrypts the .pfx using RC2, which is not FIPS compliant.
  • Any one of the certificates involved (the client certificate or any certificate in its chain, or the server certificate or any certificate in its chain) has the literal "md5" in one of its certificate attributes. Examples:
    • Signature Algorithm = md5RSA, this is not FIPS.
    • Thumbprint Algorithm = md5, this is not FIPS.
Notes

If you are using a PKCS #12 file that is not using FIPS algorithms, then you should set "FIPSMode=false" in the configuration to avoid errors such as 30013 (R_KM_ERROR_CERT_CHECK_FIPS).  If the PKCS #12 file was exported from a Web browser, it is using a non-FIPS algorithm for password-based encryption, such as RC2, instead of a FIPS algorithm such as 3DES.  A PKCS #12 file that uses a FIPS algorithm for password-based encryption can be created by using a program such as openssl.
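
To check the two conditions above from openssl output rather than by eye, the following added example (not RSA's code) scans the text printed by `openssl pkcs12 -info` and `openssl x509 -text` for RC2 password-based encryption and MD5 signature algorithms. The file names in the comments are placeholders and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example. Feed non_fips_findings the text printed by:
#   openssl pkcs12 -info -noout -in client.p12   (OpenSSL 3.x: add -legacy for RC2 files)
#   openssl x509 -noout -text -in cert.pem       (repeat for every cert in both chains)
# A 3DES-protected PKCS #12 can be written with (file names are placeholders):
#   openssl pkcs12 -export -in client.pem -out client-3des.p12 \
#       -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES

# Constructed sample: PKCS #12 exported from a browser (certificate bag uses RC2).
SAMPLE_BROWSER_P12='MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Constructed sample: PKCS #12 re-exported with 3DES for both bags.
SAMPLE_3DES_P12='MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Constructed sample: excerpt of "openssl x509 -text" for an MD5-signed certificate.
SAMPLE_MD5_CERT='    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN = Example Test CA
    Signature Algorithm: md5WithRSAEncryption'

# Reads openssl output on stdin, prints one line per distinct non-FIPS finding,
# and returns 1 if anything was found (0 if the input looks FIPS-clean).
non_fips_findings() {
    awk '
        function report(msg) { if (!seen[msg]++) print msg; bad = 1 }
        { sub(/^[ \t]+/, ""); line = tolower($0) }
        # PKCS #12 bags protected with an RC2-based PBE scheme
        line ~ /^(pkcs7 encrypted data|shrouded keybag):/ && line ~ /rc2/ {
            report("RC2 password-based encryption: " $0)
        }
        # Certificates whose signature algorithm contains the literal "md5"
        line ~ /^signature algorithm:/ && line ~ /md5/ {
            report("MD5 certificate signature: " $0)
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed browser export; prints the RC2 finding.
printf '%s\n' "$SAMPLE_BROWSER_P12" | non_fips_findings || true
```

Any finding means the RKM client will need FIPSMode=false until the file is re-exported or the certificate is reissued.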

FIPS is important in some environments, such as in products used by the US government.  If FIPS is not required in your environment, it is OK to use "FIPSMode=false".

cryptoFIPSmode is a setting that applies to the underlying cryptography product (RSA BSAFE Micro Edition Suite / Crypto-C ME).  It is set to true by default, so that is the recommended setting.

For more information about FIPS, see
  doc\Crypto-C_ME_3.0_SecurityPolicy.pdf
  doc\Crypto-C_ME_3.0.0.1_security_policy.pdf
  http://csrc.nist.gov/groups/STM/cmvp/index.html
Legacy Article ID: a52728
