Article By: Eunice Mushawatu
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products; it was issued under Section 5131 of the Information Technology Management Reform Act of 1996. The Layer7 API Gateway appliance, as of version 10, does not allow FIPS mode to be enabled at the operating-system level, so the Gateway itself must be configured to meet the FIPS requirements. This article goes over the settings needed to bring the API Gateway into FIPS compliance and avoid potential audit findings.
The use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. The network element must implement cryptographic modules that adhere to the higher standards approved by the federal government, since this provides assurance that they have been tested and validated. This requirement applies only to Application Layer Gateways (ALGs) that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC). The CA API Gateway uses the RSA BSAFE Crypto-J software module for cryptographic hashing; that module is validated to FIPS 140-2 overall Level 1 only when operated in FIPS mode. FIPS mode is not enabled by default and must be enabled on the CA API Gateway. The hashing algorithm used in each signature operation is configured per assertion in the policy.
Task 1: Enable FIPS cluster variable
1. Open the Layer7 API Gateway policy manager
2. Click ‘Tasks’ and select ‘Manage Cluster-Wide Properties’
3. Click ‘Add’ and select ‘security.fips.enabled’ from the ‘Key:’ drop-down list
4. Set the value to ‘True’ and click ‘OK’
5. Log in via SSH to each server listed in Table 1 (CA Identity Manager R12 SP7 Web Application Servers) for the environment you are working in, as the Linux user "webuser".
Task 2: Disable TLS 1.0
1. Click ‘Tasks’ and select ‘Manage Listen Ports’
2. Double-click each SSL listen port, open the SSL/TLS Settings tab, deselect TLS 1.0, and select TLS 1.1 and TLS 1.2. Note that NIST SP 800-52 Rev. 2 no longer permits TLS 1.1 on government-only servers, so if your assessor applies that revision, deselect TLS 1.1 as well and leave TLS 1.2 (and TLS 1.3, where the Gateway version offers it) enabled.
Task 4: Verify Enabled Cipher Suites
Verify that every cipher suite shown with a checkmark under Enabled Cipher Suites appears in NIST SP 800-52 section 3.3.2, Cipher Suites (or Appendix C, if applicable), and deselect any that do not.
Task 5: Use only approved secure hashes
1. This last task applies to the policies of published services. Wherever a policy uses the Sign XML Element, Sign Element or Generate Security Hash assertion, enable only approved secure hashes.
2. Also verify that SHA-1 and weaker algorithms are not selected anywhere a hash is configured.
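The checks in Tasks 2, 4 and 5 are done by eye in the Policy Manager, which is error-prone across many listen ports and policies. The script below is an added example, not Layer7/Broadcom tooling: it takes the protocol versions and cipher-suite names exactly as they appear in a listen port's dialog (the sample lists are constructed here) and flags what must be deselected, using rules a FIPS 140-2 / NIST SP 800-52 Rev. 2 / SP 800-131A Rev. 2 assessor would apply; it also checks a hash algorithm selected in a signing assertion, and, given a host and port on the command line, probes a live listen port to confirm which TLS versions it actually accepts after the change. The rule table is an approximation of the NIST cipher-suite list by name pattern and is an assumption of this example; the authoritative list is the NIST document cited above.

```python
"""Added example: offline checks for the listen-port and assertion settings above."""
import re
import socket
import ssl
import sys

# Protocol versions SP 800-52 Rev. 2 permits on government-only servers.
APPROVED_PROTOCOLS = {"TLS 1.2", "TLS 1.3"}

# Name fragments that make a cipher suite non-compliant, with the reason.
# Matches both IANA (TLS_RSA_WITH_...) and OpenSSL (AES128-SHA) spellings.
CIPHER_SUITE_RULES = [
    (re.compile(r"NULL", re.I), "NULL cipher or MAC: no confidentiality or integrity"),
    (re.compile(r"EXPORT|EXP[-_]", re.I), "export-grade key size"),
    (re.compile(r"ANON|ADH|AECDH", re.I), "anonymous key exchange: no server authentication"),
    (re.compile(r"RC4|RC2|IDEA|SEED|CAMELLIA|ARIA|CHACHA20", re.I),
     "symmetric cipher is not a FIPS 140-2 approved algorithm"),
    (re.compile(r"3DES|DES_EDE|DES-CBC3", re.I),
     "3DES (TDEA): disallowed after 2023 by SP 800-131A Rev. 2"),
    # Single DES: a DES token that is not the 3DES spelling (3DES, DES_EDE, DES-CBC3).
    (re.compile(r"(?<!3)DES(?!_EDE|-CBC3)", re.I), "single DES: not approved"),
    (re.compile(r"MD5", re.I), "MD5 MAC: not approved"),
]

# Hashes acceptable for signature generation (SP 800-131A Rev. 2 disallows SHA-1
# for generating signatures; MD5 was never approved). Assumed to be the options
# the Gateway's signing assertions offer; SHA-224 and SHA-3 are also approved.
APPROVED_SIGNATURE_HASHES = {"SHA256", "SHA384", "SHA512"}


def check_cipher_suite(name):
    """Return the compliance problems with one cipher-suite name (empty list = OK)."""
    problems = [reason for pattern, reason in CIPHER_SUITE_RULES if pattern.search(name)]
    if not problems and not re.search(r"AES", name, re.I):
        problems.append("symmetric cipher not recognised as AES")
    return problems


def check_cipher_suites(names):
    """Map each enabled suite to its problems; suites mapped to [] may stay enabled."""
    return {name: check_cipher_suite(name) for name in names}


def check_protocol_versions(enabled):
    """Return the enabled protocol versions that must be deselected, sorted."""
    return sorted(v for v in enabled if v not in APPROVED_PROTOCOLS)


def check_signature_hash(algorithm):
    """True if the hash chosen in a Sign XML Element / Generate Security Hash assertion is acceptable."""
    return algorithm.upper().replace("-", "") in APPROVED_SIGNATURE_HASHES


def probe_tls_versions(host, port, timeout=5.0):
    """Handshake once per TLS version against a live listen port.

    Returns {"TLS 1.0": bool, ...}; True means the server accepted that version,
    which for TLS 1.0/1.1 is a finding. Certificate validation is deliberately off:
    the question is what the server negotiates, not whether its chain is trusted.
    """
    versions = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
                "TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}
    accepted = {}
    for label, version in versions.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for the probe only
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        try:
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    accepted[label] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            accepted[label] = False
    return accepted


if __name__ == "__main__":
    # Constructed example of what one listen port's dialog might show; not real data.
    enabled_protocols = {"TLS 1.0", "TLS 1.1", "TLS 1.2"}
    enabled_suites = [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5", "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256",
    ]
    for version in check_protocol_versions(enabled_protocols):
        print(f"DESELECT protocol {version}")
    for suite, problems in check_cipher_suites(enabled_suites).items():
        print(("OK   " if not problems else "FAIL ") + suite + ("" if not problems else ": " + "; ".join(problems)))
    for alg in ("SHA-1", "SHA-256"):
        print(f"signature hash {alg}: {'OK' if check_signature_hash(alg) else 'FAIL'}")
    if len(sys.argv) == 3:  # usage: python fips_check.py <gateway-host> <listen-port>
        for label, ok in probe_tls_versions(sys.argv[1], int(sys.argv[2])).items():
            print(f"{label}: {'accepted' if ok else 'rejected'}")
```

A suite that passes the name check is only a candidate: SHA-1 as an HMAC in a CBC suite is still permitted by SP 800-131A, which is why TLS_RSA_WITH_AES_128_CBC_SHA is not flagged, but the assessor will still compare the final list against the NIST table. The live probe is the confirmation step for Task 2: after deselecting TLS 1.0 (and 1.1) and restarting the listen port, every version you deselected should report "rejected".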
Looking for additional help with FIPS compliance? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Broadcom API gateway and more. Take your interoperability to the next level, and contact an ISX consultant today.