FIPS 140-2 compliance statement
1. Summary
OpenText™ Analytics Database complies with Federal Information Processing Standard 140-2 (FIPS 140-2), which defines the technical requirements to be used by Federal Agencies when these organizations specify cryptographic-based security systems for the protection of sensitive or valuable data. The compliance of the database with FIPS 140-2 is ensured by:
- Integrating validated and NIST-certified third-party cryptographic module(s), and using the module(s) as the only provider(s) of cryptographic services;
- Using FIPS-approved cryptographic functions;
- Using FIPS-approved and NIST-validated technologies applicable to the database design, implementation and operation.
2. Overview
a. About OpenText Analytics Database
- OpenText™ Analytics Database is a high-performance relational database management system used for advanced analytics applications. Its performance and scale are achieved through a columnar storage and execution architecture that offers a massively parallel processing solution. Aggressive encoding and compression allow the database to perform by reducing CPU, memory and disk I/O processing time.
- For more details about the database and its usage, see Architecture.
FIPS (Federal Information Processing Standard) 140-2, Security Requirements for Cryptographic Modules, is the Federal standard for proper cryptography in computer systems purchased by the government.
Federal Information Processing Standards Publication (FIPS) 140-2, “Security Requirements for Cryptographic Modules,” was issued by the National Institute of Standards and Technology (NIST) in May 2001.
The benefit of using a FIPS 140-2 validated cryptographic module is that its algorithms are deemed appropriate and that they perform the encrypt, decrypt and hash functions correctly. The standard specifies the security requirements for cryptographic modules used within a security system that protects sensitive or valuable data. The requirements can be found in the following documents:
- Security Requirements for Cryptographic Modules
- Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
3. Database and FIPS 140-2
FIPS 140-2 validated third-party module
The database conforms to FIPS 140-2 Level 1 by dynamically linking to the FIPS 140-2 approved OpenSSL cryptographic module provided by the operating system, which in our initial release is the Red Hat Enterprise Linux 6.6 OpenSSL Module.
The database can be configured to operate in FIPS-compliant mode, ensuring that its functions and procedures which require cryptography (secure hash, encryption, digital signatures, etc.), such as SSL/TLS connections, make use of the cryptographic services provided by the Red Hat Enterprise Linux 6.6 OpenSSL Module v3.0, which is validated for FIPS 140-2. If you are not running on a FIPS-compliant operating system that the database supports, you will not be able to run the database in FIPS mode. The assurance that the database is using the right FIPS 140-2 encryption modules is managed at the operating system level by Red Hat’s implementation.
The database checks the OS-level flag /proc/sys/crypto/fips_enabled to decide whether to perform a FIPS-mode installation. Further details about how to install and configure the database and its components to conform to the FIPS 140-2 standard appear in the installation and security guides.
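A pre-install check that mirrors the gate described above, written here as an added example (it is not part of the OpenText documentation or the database installer). It reads the same kernel flag the database consults and, as a second behavioural probe, asks the system OpenSSL to compute an MD5 digest: a FIPS-mode OpenSSL module, including Red Hat's, refuses non-approved digests, so a successful MD5 means the module is not actually operating in FIPS mode. The optional file argument to the first function is there only so the check can be exercised against constructed inputs.

```shell
#!/bin/sh
# Added example, not from the OpenText documentation: verify that the host is
# actually in FIPS mode before attempting a FIPS-mode database installation.

# fips_flag_state [FILE]: prints enabled|disabled|absent and returns 0, 1 or 2.
# FILE defaults to the kernel flag the database itself checks; the argument
# exists so the function can be tested against constructed files.
fips_flag_state() {
    file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$file" ]; then
        echo absent          # no flag at all: not a FIPS-capable kernel build
        return 2
    fi
    read -r flag < "$file" || flag=""
    case "$flag" in
        1) echo enabled;  return 0 ;;
        *) echo disabled; return 1 ;;
    esac
}

# openssl_fips_mode_active: returns 0 only when the system openssl rejects MD5,
# which is how an OpenSSL module behaves once FIPS mode is in force; returns 1
# when MD5 succeeds (standard mode) and 2 when there is no openssl to probe.
openssl_fips_mode_active() {
    command -v openssl >/dev/null 2>&1 || return 2
    if printf '' | openssl md5 >/dev/null 2>&1; then
        return 1   # MD5 was computed: OpenSSL is in standard (non-FIPS) mode
    fi
    return 0
}

# Stand-alone run: report both checks on the live system.
state=$(fips_flag_state) || true
echo "kernel flag /proc/sys/crypto/fips_enabled: $state"
if openssl_fips_mode_active; then
    echo "openssl: FIPS mode active (MD5 rejected)"
else
    echo "openssl: not in FIPS mode, or openssl not installed"
fi
```

Both checks must agree before a FIPS-mode installation is attempted; a flag of 1 with a working MD5 indicates an OpenSSL build that is not the validated module.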
Modes of Operation
The database server operates in one of two modes determined by the OS configuration.
- FIPS-compliant mode – supports FIPS 140-2 compliant cryptographic functions. In this mode, all cryptographic functions, default algorithms and key lengths are bound to those allowed by FIPS 140-2.
- Standard mode – non-FIPS 140-2 compliant mode which utilizes all existing database cryptography functions.
TLS/SSL3.x
All client/server communications can be secured with FIPS-compliant Transport Layer Security, TLS 1.2/SSL 3.1 or higher. It relies on FIPS 140-2 approved hash algorithms and ciphers.
- TLS handshake, key negotiation and authentication provide data integrity and use secure hash, FIPS 140-2 approved cryptography and digital signatures.
- TLS encryption of data in transit provides confidentiality, making use of FIPS 140-2 approved cryptography.
Secure Hash
Per FIPS 140-2 standards, the database, in the FIPS 140-2 compliant mode, can be configured to use only the SHA-512 algorithm.
FIPS 140-2 Architecture
OpenText™ Analytics Database is a relational database system comprised of a client component and a server component. On the client side, we offer a suite of drivers for host clients to access the server-side component. Both client and server components conform to FIPS 140-2 Level 1 by dynamically linking to the FIPS 140-2 approved OpenSSL cryptographic module provided by the Red Hat Enterprise Linux 6.6 OpenSSL Module.
Supported Platforms
See FIPS 140-2 supported platforms for information about FIPS-compliant operating systems and client drivers that the database supports.
Design Assurance
The database uses the security provider Red Hat Enterprise Linux 6.6 OpenSSL Module v3.0. This is the only supported security provider for FIPS 140-2.
Once you have configured the database to be compliant with FIPS 140-2, you cannot revert to the standard configuration unless you disable FIPS 140-2 at the operating system level. Please refer to the corresponding documentation section for considerations.