Enabling FIPS Mode on the Database Server
To enable FIPS mode, you must put the operating system into FIPS mode.
- Run the commands given below:
```shell
yum install dracut-fips dracut-fips-aesni
# prelink may not be installed; ignore the error if the rpm -q check fails
rpm -q prelink && sed -i '/^PRELINKING/s,yes,no,' /etc/sysconfig/prelink
mv -v /boot/initramfs-$(uname -r).img{,.bak}
dracut
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
# if /boot is a separate file system, the kernel must also be told where it is
uuid=$(findmnt -no uuid /boot)
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
reboot
```
Ignore the error if prelink was not installed.
- To verify whether FIPS mode is enabled, run the following command:
```shell
sysctl crypto.fips_enabled
```
Expected Result:
```
crypto.fips_enabled = 1
```
A value of 1 means FIPS mode is enabled.
- (For Azure Only) Before rebooting, be sure to comment out the Ciphers and Kexalgorithms lines in /etc/ssh/sshd_config, changing the file as follows:
From
```
# Ciphers and keying
# Avoid using deprecated cryptographic settings
# blowfish-cbc cipher has been removed
# cast128-cbc cipher has been removed
# 3des-cbc cipher has been removed
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
# diffie-hellman-group1-sha1 key exchange has been removed
Kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
#RekeyLimit default none
```
To
```
# Ciphers and keying
# Avoid using deprecated cryptographic settings
# blowfish-cbc cipher has been removed
# cast128-cbc cipher has been removed
# 3des-cbc cipher has been removed
# Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
# diffie-hellman-group1-sha1 key exchange has been removed
# Kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
#RekeyLimit default none
```
- (For Azure Only) If you have enabled FIPS and the openssh service will not start after rebooting, be sure to:
  - Establish a serial connection to the VM.
  - Log in with your corresponding username and password.
  - Edit /etc/ssh/sshd_config.
  - Comment out the same lines shown above.
  - Start the service with systemctl start sshd.service.
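As an added example (not part of the original procedure), the following script checks the three things the steps above change: whether the kernel is actually running in FIPS mode, whether fips=1 made it onto the kernel command line, and whether sshd_config still pins algorithms that are not FIPS-approved, which is what stops sshd from starting on Azure after the reboot. It goes slightly beyond the page by checking any config file, not just the one shown. The list of non-FIPS algorithm names, the trimmed sample configs and the sample kernel command line are my own assumptions based on the From/To block above, not data from a real host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original procedure. Audits a host (or a
# given config file) for the conditions the FIPS steps above change. The
# non-FIPS name list is an assumption based on the From/To block: chacha20
# and curve25519 are not FIPS-approved, and SHA-1 key exchange is rejected.
NON_FIPS_PATTERN='chacha20-poly1305|curve25519|sha1'

# fips_runtime_state: prints enabled / disabled / unknown, reading the same
# kernel flag that "sysctl crypto.fips_enabled" reports.
fips_runtime_state() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        case "$(cat /proc/sys/crypto/fips_enabled)" in
            1) echo enabled ;;
            0) echo disabled ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# fips_cmdline_ok [FILE]: succeeds if fips=1 is on the kernel command line
# (default /proc/cmdline), which is what the grubby --args=fips=1 step sets.
fips_cmdline_ok() {
    grep -qw 'fips=1' "${1:-/proc/cmdline}" 2>/dev/null
}

# sshd_nonfips_algos FILE: prints every active (uncommented) Ciphers or
# Kexalgorithms entry matching NON_FIPS_PATTERN, one per line. Commented
# lines are skipped, so a file edited as in the "To" block prints nothing.
sshd_nonfips_algos() {
    awk -v pat="$NON_FIPS_PATTERN" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "ciphers" || tolower($1) == "kexalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algs[i]) ~ pat) print $1 ": " algs[i]
        }' "$1"
}

# sshd_fips_ready FILE: succeeds only if no non-FIPS algorithm is pinned.
sshd_fips_ready() {
    [ -z "$(sshd_nonfips_algos "$1")" ]
}

# Constructed samples (not real host data): a trimmed version of the page's
# "From" sshd_config, the same file with both lines commented out as in "To",
# and a kernel command line as the grubby steps would leave it.
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
# Ciphers and keying
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
Kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
#RekeyLimit default none
EOF
SAMPLE_AFTER=$(mktemp)
sed -e 's/^Ciphers/# Ciphers/' -e 's/^Kexalgorithms/# Kexalgorithms/' \
    "$SAMPLE_BEFORE" > "$SAMPLE_AFTER"
SAMPLE_CMDLINE=$(mktemp)
echo 'BOOT_IMAGE=/vmlinuz ro root=/dev/mapper/rhel-root fips=1 boot=UUID=0000-placeholder' \
    > "$SAMPLE_CMDLINE"
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "$SAMPLE_CMDLINE"' EXIT

# When run directly: report on the live host, then on the sample configs.
if [ "${BASH_SOURCE:-}" = "$0" ]; then
    echo "kernel FIPS state : $(fips_runtime_state)"
    echo "fips=1 in cmdline : $(fips_cmdline_ok && echo yes || echo no)"
    echo "non-FIPS entries in sample 'From' config:"
    sshd_nonfips_algos "$SAMPLE_BEFORE"
    echo "sample 'To' config FIPS-ready: $(sshd_fips_ready "$SAMPLE_AFTER" && echo yes || echo no)"
fi
```

Run it before the reboot: if `sshd_nonfips_algos /etc/ssh/sshd_config` prints anything, sshd will refuse those algorithms once fips=1 takes effect, so comment the lines out first; after the reboot, `fips_runtime_state` should print enabled and `fips_cmdline_ok` should succeed.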
Disabling FIPS Mode
- Run the commands given below:
```shell
yum remove dracut-fips
dracut --force
grubby --update-kernel=$(grubby --default-kernel) --remove-args=fips=1
reboot
```
- To verify whether FIPS mode is disabled, run the following command:
```shell
sysctl crypto.fips_enabled
```
Expected Result:
```
crypto.fips_enabled = 0
```