FIPS 140-2 Compliance

Federal Information Processing Standards (FIPS) are standards that are developed by two government bodies. One is the National Institute of Standards and Technology in the United States. The other is the Communications Security Establishment in Canada. FIPS are standards that are either recommended or mandated for use in federal (either United States or Canadian) government-operated IT systems.

FIPS 140-2 is a statement of the Security Requirements for Cryptographic Modules. It specifies which encryption algorithms and which hashing algorithms can be used and how encryption keys are to be generated and managed. Some hardware, software, and processes can be FIPS 140-2 validated by an approved validation lab. Some of them can also be described as FIPS 140-2-compliant as the term is defined in this article.  

Prior to 4.X, the CGI Advantage applications were FIPS 140-2 compliant only on the IBM Websphere Application Server by using IBMJCEFIPS as its default security provider. Advantage application on Red Hat JBoss used Bouncy Castle (Non-FIPS version) as the default JCE provider for various tasks like Password Hashing, Digital Signatures, Secure Random, Signature Verification, Encryption, and Decryption and was not FIPS 140-2-compliant.

Starting Advantage 4.3, FIPS-140-2 can be enabled in Advantage applications running on Red Hat JBoss. The application will use the FIPS 140-2-compliant version of the Bouncy Castle as the default security provider in those environments.

All the delivered containers will have the ability to enable FIPS 140-2 compliance in the software by enabling EnableNewSymmetricEncryption flag in ADV30Params.ini. All the Keystores required to operate in FIPS compliant mode are shipped with the container. The site administrator will use the FIPS version of the CSF.properties.

Here are the key differences between clients on Non-FIPS environment and FIPS environments which impacts usability: