Federal Information Processing Standards (FIPS) 140-2 Support

CA EEM can operate in a non-FIPS mode or in a FIPS-only mode. The cryptographic boundary, that is, where and how CA EEM applies encryption, is the same in both modes; only the algorithms differ.
Overview
The FIPS 140-2 publication specifies the requirements for cryptographic modules used within a security system that protects sensitive, unclassified data. CA EEM Server embeds the FIPS Object Module (FOM) from OpenSSL, which has been validated as meeting the FIPS 140-2 Security Requirements for Cryptographic Modules. The validation certificate number for this module is 1747.
CA EEM Java SDK can be configured to use any third-party cryptographic library that NIST has validated. CA EEM C++ SDK embeds CAPKI 5.2.x, which uses the OpenSSL FOM cryptography libraries.
Products that use FIPS 140-2 validated cryptographic modules in their FIPS-approved mode can only use FIPS-approved security functions, such as AES (Advanced Encryption Standard) and SHA-1 (Secure Hash Algorithm), and higher-level protocols such as TLS v1.1 or TLS v1.2, as explicitly allowed by the FIPS 140-2 standard and its implementation guidance.
In FIPS-only mode, CA EEM uses the following algorithms:
  • SHA1, SHA256, SHA384 - For securing client-server communication.
  • SHA512 - For storing user passwords.
    CA EEM applies SHA512 to a password digest only when that password is updated. Until you update the password, CA EEM continues to accept the existing password digest.
  • SHA256 - For managing application certificates.
  • TLS v1.0 - For communication with external LDAP directories when the LDAP connection is over TLS. Note that this is an older protocol version than the TLS v1.1 and v1.2 listed above; check that the LDAP server's TLS configuration meets your own FIPS policy before relying on it.
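The password-digest behaviour described above (an existing digest stays valid until the password is updated, and an update always produces a SHA512 digest) is a lazy migration. The following is an added illustration of that pattern, not CA EEM code: the `algorithm$salt$digest` storage format, the salting, and the function names are all assumptions made for the example, and the page does not document CA EEM's actual digest layout.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical digest store used only for this example.
# Record layout (assumed, not CA EEM's): "<algorithm>$<hex salt>$<hex digest>".
FIPS_APPROVED_HASHES = {"sha1", "sha256", "sha384", "sha512"}
CURRENT_ALGORITHM = "sha512"  # what every updated password is stored with


def make_digest(password: str, algorithm: str = CURRENT_ALGORITHM,
                salt: Optional[bytes] = None) -> str:
    """Digest a password with a FIPS-approved hash; refuse anything else."""
    if algorithm not in FIPS_APPROVED_HASHES:
        raise ValueError(f"{algorithm} is not a FIPS-approved hash")
    salt = os.urandom(16) if salt is None else salt  # salting is an assumption
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return f"{algorithm}${salt.hex()}${digest}"


def verify_digest(password: str, stored: str) -> bool:
    """Check a password against whatever algorithm the stored record names.

    This is the 'accept the existing digest' half of the behaviour: a legacy
    SHA1 record still verifies until the password is changed.
    """
    algorithm, salt_hex, digest_hex = stored.split("$")
    if algorithm not in FIPS_APPROVED_HASHES:
        return False
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)  # constant-time compare


def needs_upgrade(stored: str) -> bool:
    """True when the record was not produced with the current algorithm."""
    return stored.split("$")[0] != CURRENT_ALGORITHM


def update_password(old_password: str, new_password: str, stored: str) -> str:
    """Re-digest on update: the only point at which SHA512 is applied."""
    if not verify_digest(old_password, stored):
        raise PermissionError("current password does not match")
    return make_digest(new_password)


if __name__ == "__main__":
    # Constructed sample: a record left over from before the SHA512 policy.
    legacy = make_digest("s3cret", "sha1")
    print("legacy verifies:", verify_digest("s3cret", legacy))   # True
    print("needs upgrade:", needs_upgrade(legacy))               # True
    upgraded = update_password("s3cret", "n3wPass!", legacy)
    print("stored as:", upgraded.split("$")[0])                 # sha512
    print("needs upgrade:", needs_upgrade(upgraded))             # False
```

The point worth noticing is that `needs_upgrade` is the only way to discover how many records are still on the old algorithm; until users change their passwords, a FIPS-only deployment keeps verifying against whatever digest was stored before the mode switch.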