I don't believe that there is such a thing as "FIPS enabled mode" in a database.
FIPS certification verifies that various components of the database have implemented encryption properly. It doesn't (and realistically can't) attempt to certify that a particular database and the applications that use it are secure.
FIPS specifies, for example, that certain encryption algorithms are acceptably secure and that various vendors have implemented these secure algorithms correctly.
FIPS does not certify, however, that a particular application running in the database is actually encrypting all the data it ought to. There is no such thing as a database-level setting that would let the database figure out that you're storing a social security number or a credit card number in the database so that it could force you to encrypt that data. There is no such thing as a database-level setting that would prevent you from following poor security practices and allowing every user in the organization to decrypt the data stored in an encrypted column.
FIPS provides guidelines for what sort of security concerns to be aware of when implementing applications (i.e. FIPS-191 Guideline for the Analysis of Local Area Network Security). But these guidelines are just that: they are considerations that application designers have to be aware of when determining how secure to make their applications. FIPS certification of software components ensures that if the application designers decide to encrypt some data, the software actually does that task securely.
Actually, if you check the documents listed in the "Security Policy" column in the table located on http://www.oracle.com/technetwork/topics/security/oracle-fips140-validations-100923.html, you will get a PDF that provides you guidance as to what needs to be done for that particular product.
See for example, for Oracle Cryptographic Libraries for SSL 10g (10.1.0), page 13 of the Security Policy document located at http://www.oracle.com/technetwork/topics/security/140sp861-128721.pdf
@Justin: The information was useful, but the proper term that I was looking for was "running Oracle in FIPS approved mode of operation".
That meant: what configuration is needed for the Oracle server or the databases to run in FIPS approved mode.
Thanks for the early reply.
From the PDF you pointed out, in the section "Secure Operation", I can find some settings like setting the variable
'SQLNET.SSLFIPS_140' to TRUE in the 'sqlnet.ora' file.
In some other documents from Oracle I found that the SSLFIPS_140 parameter needs to be set to true in the fips.ora file for Oracle 11g.
I am looking for the same kind of configuration for Oracle 9i, Oracle 10g and Oracle 11g.
And besides the above-mentioned configurations, are there any other configurations that are required, such as database-level settings or server-level settings?
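The two parameter names quoted in this thread (SQLNET.SSLFIPS_140 in sqlnet.ora for the 10g libraries, SSLFIPS_140 in fips.ora for 11g) are easy to get wrong: a commented-out line, a stray space around the "=" or a lower-case value all look right in a file listing. The script below is an added example, not from the thread or from Oracle, that reads a network configuration file and reports whether the FIPS parameter is actually set to TRUE. The file locations and the sample file contents are constructed for the demo; the parameter names are the ones the thread gives.

```sh
#!/bin/sh
# Added example (not Oracle's code): verify the FIPS mode parameter in an
# Oracle network configuration file. Parameter names taken from the thread;
# paths and sample contents below are constructed assumptions.

# fips_param_value FILE PARAM
# Prints the value assigned to PARAM in FILE, ignoring '#' comments, leading
# and trailing whitespace and the case of the parameter name. The last
# assignment wins. Prints nothing if PARAM is not set; returns 1 if FILE is unreadable.
fips_param_value() {
    file=$1
    param=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -r "$file" ] || return 1
    sed 's/#.*//' "$file" | awk -F= -v p="$param" '
        {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == p && NF >= 2) {
                val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
                result = toupper(val)
            }
        }
        END { if (result != "") print result }'
}

# check_fips_mode FILE PARAM
# Returns 0 only when PARAM is TRUE in FILE; prints a one-line status otherwise.
check_fips_mode() {
    value=$(fips_param_value "$1" "$2") || { echo "MISSING: $1 is not readable"; return 2; }
    case $value in
        TRUE) echo "OK: $2=TRUE in $1"; return 0 ;;
        "")   echo "NOT SET: $2 absent from $1 (FIPS mode not requested)"; return 1 ;;
        *)    echo "NOT FIPS: $2=$value in $1"; return 1 ;;
    esac
}

# Demo on constructed files: one 10g-style sqlnet.ora with FIPS mode on
# (behind a misleading commented-out line) and one 11g-style fips.ora with it off.
demo() {
    status=0
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/sqlnet.ora" <<'EOF'
# constructed sample: 10g-style sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (NTS)
# SQLNET.SSLFIPS_140 = FALSE   <- commented out, must be ignored
sqlnet.sslfips_140 = true
EOF
    cat > "$demo_dir/fips.ora" <<'EOF'
# constructed sample: 11g-style fips.ora with FIPS mode off
SSLFIPS_140=FALSE
EOF
    check_fips_mode "$demo_dir/sqlnet.ora" SQLNET.SSLFIPS_140 || status=1
    check_fips_mode "$demo_dir/fips.ora" SSLFIPS_140 || status=1
    rm -rf "$demo_dir"
    return "$status"
}

demo || echo "At least one configuration file is not in FIPS mode."
```

Point it at the real files under $ORACLE_HOME/network/admin (an assumed location) to get a yes/no answer per file instead of reading the listing by eye; a non-zero return from check_fips_mode is the signal to act on.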
I am exactly in the same boat as you are. We have to configure the database as per FIPS 140-2 compliance standards. There is no certification for the database itself. I even opened a service request with Oracle, but they informed me that only the 10.1.0.5 SSL binaries are FIPS 140-2 compliant, not the database. They recommend using an HSM in addition to TDE to meet FIPS compliance. This is a very tricky situation: there is no certification document from NIST, but Oracle documentation says they "meet the FIPS standard".
I will post my findings, but still let me know if you find anything new. As per my understanding, we just need to implement various ASO features to meet FIPS 140-2 compliance. I would really appreciate it if Oracle could come forward and define a standard in order to remove this dilemma.
Three different IDs posting essentially the same question:
Connection/Network encryption in Oracle Standard Edition 11gR2
Oracle 11G and Advanced Security FIPS 140-2 Compliant encrypt data at rest
Maybe you guys should be talking to each other. Or are you really the same guy?