DataPower

Does Crypto Mode FIPS 140-2 Level 1 work?

  • 1.  Does Crypto Mode FIPS 140-2 Level 1 work?

    Posted Mon March 15, 2021 01:41 AM
    Hello everyone,

    I've been working on security hardening a virtual (VMware) DataPower appliance for a customer, following in part the DataPower handbook and the US DoD STiG advice.

    Our firmware is running 10.0.1.2 (production)

    One of the recommendations is to disable permissive crypto mode by switching to FIPS 140-2 Level 1 mode using the Set Cryptographic Mode panel in Crypto Tools.

    The instruction is to use RBM settings to change the password hash algorithm to sha256crypt and then change all passwords for local accounts. After that, use the Crypto Tools to change the mode from Permissive to FIPS 140-2 Level 1, and click the Set Cryptographic Mode button on the page.

    At this point, the Cryptographic Mode Status page shows the Pending target as FIPS 140-2 Level 1, and the Target and Current modes are both Permissive, which is correct.

    Then finally, the new mode should be activated by a reboot. If the mode activates properly, both the Target and Current mode should show FIPS 140-2 Level 1. If there is anything (like md5crypt password hashes) that prevent the system from rebooting into FIPS mode, the Cryptographic Mode Status page is expected to show Target as FIPS 140-2 Level 1, but Current as Permissive.

    However, with my customer appliance and another test virtual appliance, the status doesn't change after the reboot. The Target and Current continue to show Permissive and the Pending target shows as FIPS 140-2 Level 1, which is what the status was before the reboot.

    Has anyone gotten this mode working on virtual appliances? Is there something that I've missed? Does this still work?

    Regards,

    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    +61 (0) 414 615 334
    ------------------------------