10 Replies Latest reply: Dec 27, 2012 9:56 PM by EdStevens RSS


      I want to run Oracle databases in FIPS compliance mode.
      Any idea of enabling FIPS for Oracle databases?

      What are the settings required On oracle servers and databases for making them FIPS compliant?
        • 1. Re: Oracle-FIPS
          Eric P. Maurice-Oracle
          You may want to start by checking the site located at http://www.oracle.com/technetwork/topics/security/oracle-fips140-validations-100923.html
          • 2. Re: Oracle-FIPS
            thanks Eric,
            I had a look at that, but i want the specific settings for running oracle 9,10 and 11 in FIPS enabled mode.
            Any clues for that??
            • 3. Re: Oracle-FIPS
              I don't believe that there is such a thing as "FIPS enabled mode" in a database.

              FIPS certification verifies that various components of the database have implemented encryption properly. It doesn't (and realistically can't) attempt to certify that a particular database and the applications that use it are secure.

              FIPS specifies, for example, that certain encryption algorithms are acceptably secure and that various vendors have implemented these secure algorithms correctly.

              FIPS does not certify, however, that a particular application running in the database is actually encrypting all the data it ought to. There is no such thing as a database-level setting that would let the database figure out that you're storing a social security number or a credit card number in the database so that it could force you to encrypt that data. There is no such thing as a database-level setting that would prevent you from following poor security practices and allowing every user in the organization to decrypt the data stored in an encrypted column.

              FIPS provides guidelines for what sort of security concerns to be aware of when implementing applications (i.e. FIPS-191 Guideline for the Analysis of Local Area Network Security). But these guidelines are just that-- they are considerations that application designers have to be aware of when determining how secure to make their applications. FIPS certification of software components ensures that if the application designers decide to encrypt some data that the software actually does that task securely.

              • 4. Re: Oracle-FIPS
                Eric P. Maurice-Oracle
                Actually, if you check the documents listed in the "Security Policy" column in the table located on http://www.oracle.com/technetwork/topics/security/oracle-fips140-validations-100923.html, you will get a PDF that provides you guidance as to what needs to be done for that particular product.

                See for example, for Oracle Cryptographic Libraries for SSL 10g (10.1.0), page 13 of the Security Policy document located at http://www.oracle.com/technetwork/topics/security/140sp861-128721.pdf
                • 5. Re: Oracle-FIPS
                  @Justin:The information was useful but the proper term that i was looking was "running Oracle in FIPS approved mode of operation".
                  That meant that what configuration is needed for the Oracle server or the databases to run in FIPS approved mode.

                  Thanks for the early reply.
                  from the pdf u pointed out...in the section "Secure Operation", i can find some settings like setting the variable
                  ‘SQLNET.SSLFIPS_140’ to TRUE in the ‘sqlnet.ora’ file.

                  In some other documents from oracle I found that the SSLFIPS_140 parameter is needed to be set as true in fips.ora file for Oracle 11g.

                  I am looking for the similar kind of configurations for Oracle 9i, Oracle 10g and Oracle 11g.
                  and besides the above mentioned configurations, is there any other configuration that are required such as any database level settings or server level settings.
                  • 6. Re: Oracle-FIPS

                    I am exactly in the same boat as you are. We have to configure the database as per FIPS 140-2 compliance standardS. There is no certification for database itself. I even opened a serverice request for oracle but they informed that only SSL binaries are FIPS 140-2 compliant, not the database. They recommend to use HSM in addition to TDE to meet FIPS compliance. This is a very tricky situation, there is no certification document from NIST but oracle documentation says they "meet the FIPS standard".

                    I will post my findings but still let me know if you find any thing new. As per my understanding we just need to implement various ASO features to meet FIPS 140-2 compliance. I would really appreciate if Oracle can come forward and define a standard in order to remove this dilemma.

                    • 7. Re: Oracle-FIPS
                      Eric P. Maurice-Oracle
                      I highly recommend you contact seceval_us@oracle.com for your questions. They will be better equipped to answer than I am.


                      • 8. Re: Oracle-FIPS
                        Thanks Eric . I will do so. With the reading I did so far it looks to me that we should implement SSL with the parameters mentioned for 140-2 compliance and use TDE with AES-256 key encryption from database side.
                        • 9. Re: Oracle-FIPS
                          Did you find a resolution to get Oracle 11G to FIPS 140-2 compliance?
                          • 10. Re: Oracle-FIPS
                            Three different id's posting essentially the same question:

                            Connection/Network encryption in Oracle Standard Edition 11gR2
                            Oracle 11G and Advanced Security FIPS 140-2 Compliant encrypt data at rest

                            Maybe you guys should be talking to each other. Or are you really the same guy?