2.16 Using FIPS mode
Starting with Oracle Exadata System Software release 20.1.0, you can enable and disable Federal Information Processing Standards (FIPS) compatibility mode for the kernel on Oracle Exadata database servers running Oracle Linux 7 or later.
After you enable or disable FIPS mode, you must reboot the server for the action to take effect.
To enable, disable, and get status information about FIPS mode, use the utility at /opt/oracle.cellos/host_access_control with the fips-mode option:
- To display the current FIPS mode setting, run:
  # /opt/oracle.cellos/host_access_control fips-mode --status
- To enable FIPS mode, run:
  # /opt/oracle.cellos/host_access_control fips-mode --enable
  Then, reboot the server to finalize the action.
- To disable FIPS mode, run:
  # /opt/oracle.cellos/host_access_control fips-mode --disable
  Then, reboot the server to finalize the action.
- To display the warning about the removal of non-FIPS compliant SSH host keys when FIPS mode is activated, run:
  # /opt/oracle.cellos/host_access_control fips-mode --info
Note:
Enabling FIPS mode also restricts the SSH server Ciphers and MACs to FIPS-compliant algorithms and removes any non-FIPS compliant SSH host keys. If your sshd configuration, or the SSH clients you use to reach the server, rely on a non-FIPS compliant algorithm or host key type, you can be locked out after the reboot that activates FIPS mode. Before enabling FIPS mode, review the SSH host keys and sshd configuration on the server, and confirm that your clients can negotiate a FIPS-compliant cipher, MAC, and host key type.
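The following pre-check is an added example, not part of the Exadata tooling or of this documentation. It performs the review the note asks for: it scans an sshd_config for Ciphers, MACs, and HostKeyAlgorithms entries, and a directory of ssh_host_*_key.pub files for key types, and reports everything that a FIPS-enabled sshd would not accept. The allow-lists of ciphers, MACs, and host key types are this script's own assumption of what a FIPS-enabled OpenSSH on Oracle Linux 7 permits (confirm them against your platform's documentation), and the sshd_config and .pub files it writes under a temporary directory are constructed sample input, not files copied from a real server.

```bash
#!/usr/bin/env bash
# Added example: pre-check of sshd settings and SSH host keys against an
# allow-list of FIPS-approved algorithms, to run before
#   /opt/oracle.cellos/host_access_control fips-mode --enable
# Not part of the Exadata tooling. The three allow-lists are this script's
# assumption of what a FIPS-enabled OpenSSH on Oracle Linux 7 accepts; they
# deliberately omit 3des-cbc and any DSA/Ed25519 key type.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com aes128-cbc aes192-cbc aes256-cbc"
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
FIPS_KEYTYPES="ssh-rsa rsa-sha2-256 rsa-sha2-512 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

# in_list WORD LIST: succeed if WORD is one of the space-separated LIST entries.
in_list() {
  local word=$1 entry
  for entry in $2; do
    [ "$entry" = "$word" ] && return 0
  done
  return 1
}

# non_fips_in VALUE ALLOWED: print, one per line, each algorithm in the
# comma-separated VALUE (the argument of a Ciphers/MACs/HostKeyAlgorithms
# directive) that is missing from ALLOWED. OpenSSH's leading +, - or ^ list
# modifier is dropped before splitting.
non_fips_in() {
  local value=${1#[-+^]} allowed=$2 alg
  for alg in $(printf '%s' "$value" | tr ',' ' '); do
    in_list "$alg" "$allowed" || printf '%s\n' "$alg"
  done
}

# audit_sshd_config FILE: print "Directive algorithm" for every Ciphers, MACs
# or HostKeyAlgorithms entry in FILE that is not on the allow-list.
# Returns 1 if anything was printed, 0 if the file is clean.
audit_sshd_config() {
  local file=$1 rc=0 key value allowed alg
  while read -r key value; do
    value=${value%%#*}              # ignore trailing comments
    case "$key" in
      Ciphers|ciphers)                     allowed=$FIPS_CIPHERS ;;
      MACs|macs)                           allowed=$FIPS_MACS ;;
      HostKeyAlgorithms|hostkeyalgorithms) allowed=$FIPS_KEYTYPES ;;
      *) continue ;;
    esac
    for alg in $(non_fips_in "$value" "$allowed"); do
      printf '%s %s\n' "$key" "$alg"
      rc=1
    done
  done < "$file"
  return $rc
}

# audit_host_keys DIR: print "file keytype" for every DIR/ssh_host_*_key.pub
# whose key type is not on the allow-list; these are the host keys that
# activating FIPS mode removes. Returns 1 if any were found.
audit_host_keys() {
  local dir=$1 rc=0 pub ktype rest
  for pub in "$dir"/ssh_host_*_key.pub; do
    [ -f "$pub" ] || continue
    read -r ktype rest < "$pub"     # a .pub file is "keytype base64 comment"
    in_list "$ktype" "$FIPS_KEYTYPES" || { printf '%s %s\n' "$(basename "$pub")" "$ktype"; rc=1; }
  done
  return $rc
}

# precheck CFG KEYDIR: run both audits; succeed only when both are clean.
precheck() {
  local ok=0
  echo "== sshd directives not on the FIPS allow-list =="
  audit_sshd_config "$1" || ok=1
  echo "== host keys that FIPS mode would remove =="
  audit_host_keys "$2" || ok=1
  return $ok
}

# make_sample DIR: write constructed sample input (not a real server's files):
# an sshd_config that still lists ChaCha20, UMAC and Ed25519, plus three host
# keys, one of them Ed25519. The base64 blobs are placeholders.
make_sample() {
  cat > "$1/sshd_config" <<'EOF'
# sshd_config (constructed sample)
Port 22
Ciphers aes256-gcm@openssh.com,aes128-ctr,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,umac-64-etm@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519
EOF
  printf 'ssh-rsa AAAAB3NzaC1yc2EConstructedSampleKey root@db01\n'             > "$1/ssh_host_rsa_key.pub"
  printf 'ecdsa-sha2-nistp256 AAAAE2VjZHNhConstructedSampleKey root@db01\n'   > "$1/ssh_host_ecdsa_key.pub"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedSampleKey root@db01\n'   > "$1/ssh_host_ed25519_key.pub"
}

SAMPLE_DIR=$(mktemp -d)
make_sample "$SAMPLE_DIR"
if precheck "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR"; then
  echo "Clean: safe to run host_access_control fips-mode --enable"
else
  echo "Fix the items above, and confirm your clients support the remaining algorithms, before enabling FIPS mode"
fi
rm -rf "$SAMPLE_DIR"
```

On a real server, point audit_sshd_config at /etc/ssh/sshd_config and audit_host_keys at /etc/ssh. Check the client side as well: a client whose key type or algorithm preferences are off the list is locked out just as surely as a misconfigured server, and this script cannot see that from the server.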
The following example shows the typical command sequence and command output for enabling and disabling FIPS mode on a server.
# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:19:45 -0700] [INFO] [IMG-SEC-1101] FIPS mode is disabled
# /opt/oracle.cellos/host_access_control fips-mode --enable
[2020-04-14 09:30:10 -0700] [INFO] [IMG-SEC-1107] Using only FIPS compliant SSH host keys and sshd configuration updated in /etc/ssh/sshd_config
[2020-04-14 09:30:10 -0700] [INFO] [IMG-SEC-1103] FIPS mode is set to enabled. A reboot is required to effect this change.
# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:30:14 -0700] [INFO] [IMG-SEC-1101] FIPS mode is configured but not activated. A reboot is required to activate.
# /opt/oracle.cellos/host_access_control fips-mode --info
[2020-04-14 09:30:25 -0700] [INFO] [IMG-SEC-1102] **NOTICE: Non FIPS compliant SSH host keys will be removed. A reboot is required to enable FIPS mode.
# reboot
...
# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:23:15 -0700] [INFO] [IMG-SEC-1103] FIPS mode is configured and active
# /opt/oracle.cellos/host_access_control fips-mode --disable
[2020-04-14 09:40:37 -0700] [INFO] [IMG-SEC-1103] FIPS mode is set to disabled. A reboot is required to effect this change.
# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:40:37 -0700] [INFO] [IMG-SEC-1103] FIPS mode is disabled but is active. A reboot is required to deactivate FIPS mode.
# reboot
...
# /opt/oracle.cellos/host_access_control fips-mode --status
[2020-04-14 09:46:22 -0700] [INFO] [IMG-SEC-1101] FIPS mode is disabled