Federal Information Processing Standard (FIPS)

The United States Government's Federal Information Processing Standard (FIPS) 140-2 specifies security requirements for cryptographic modules. Cryptographic products are validated against a specific set of requirements and tested in 11 categories by independent, U.S. Government-certified testing laboratories. This validation is then submitted to the National Institute of Standards and Technology (NIST), which reviews the validation and issues a certificate. In addition, cryptographic algorithms may also be validated and certified based on other FIPS specifications. The list of certified products and the vendor's stated security policy (the definition of what the module has been certified to do) can be found at: http://csrc.nist.gov/cryptval/vallists.htm.

To configure Reflection for Secure IT to run in FIPS mode, select Use only FIPS-140 certified cryptography algorithms from the Encryption pane and restart the server.

Enabling FIPS Mode has the following effects:

• All connections must be made using algorithms that meet FIPS 140-2 standards. Algorithms that don't meet these standards are not available, except where these algorithms are allowed by NIST for legacy compatibility.
• Minimum public key sizes for both user and host keys and certificates are reset from the default of 512 bits up to 1024 bits. Previously configured keys that do not meet this threshold will not be used.
• If host certificates from the Windows local computer certificate store are used for server authentication, they must have exportable private keys.
• Because Reflection for Secure IT cannot verify the FIPS status of SecurID, GSSAPI/SSPI, and RADIUS binaries, these authentication methods need to be manually disabled by the system administrator if they are not FIPS validated.

Note: You need to restart the server after changing FIPS mode for the change to take effect.