Federal Information Processing Standard (FIPS) 140
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard governing cryptographic modules and is required for any software purchased by the U.S. government and U.S. military.
The open-source-derived cryptographic algorithms implemented in DMT's C/C++ code base were removed and replaced with RSA's BSAFE Micro Edition Suite (MES).
RSA's BSAFE MES is a library that provides both FIPS-validated and non-FIPS implementations of the cryptographic algorithms. The non-FIPS implementations are used by default. When placed in FIPS 140 mode, DMT causes MES to use the FIPS 140 validated implementations.
FIPS 140 mode allows you to use only SNMPv1, SNMPv2c, and SNMPv3, with the exception of the MD5 authentication and DES privacy protocols for SNMPv3. If you run SNMPv1 or SNMPv2c, FIPS 140 mode has no impact. If you are using encryption, you must use a certified encryption library and only certain encryption routines.
When you discover an SNMPv3 device, select the “V3” option in the “Add Agent” window. The “Authentication Protocol” option lists only SHA, not MD5, and the “Privacy Protocol” option lists only AES, not DES, because MD5 and DES are not supported in FIPS 140 mode. If you discover SNMPv3 devices with the MD5 and DES protocols as seed, discovery fails and the devices go to the Pending List and display as “Invalid” or “Unsupported SNMP V3 protocol”. ASL error exception messages are also observed in the IP server logs.
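
A pre-check for the discovery behaviour described above, as an added example that is not part of the original documentation or the product: it reads a device inventory and lists the SNMPv3 entries that use MD5 or DES, so they can be reconfigured before FIPS 140 mode is enabled. The CSV layout, column names and hosts are constructed for illustration and are not the IP Manager seed-file format.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this
# example and are not the IP Manager seed-file format.
SAMPLE_INVENTORY = """\
host,snmp_version,auth_protocol,priv_protocol
core-rtr-01,v3,SHA,AES
edge-sw-07,v3,HMAC-MD5-96,AES128
lab-fw-02,v3,usmHMACSHAAuthProtocol,usmDESPrivProtocol
old-ups-03,v2c,,
dist-sw-11,V3,md5,CBC-DES
"""


def _norm(value):
    """Upper-case and drop punctuation so 'HMAC-MD5-96' and 'md5' compare alike."""
    return "".join(ch for ch in (value or "").upper() if ch.isalnum())


def fips_blockers(row):
    """Return the reasons this device would be rejected in FIPS 140 mode."""
    version = _norm(row.get("snmp_version"))
    if version in ("V1", "1", "V2C", "2C"):
        return []  # SNMPv1/v2c: FIPS 140 mode has no impact
    reasons = []
    if "MD5" in _norm(row.get("auth_protocol")):
        reasons.append("auth=MD5")
    if "DES" in _norm(row.get("priv_protocol")):
        reasons.append("priv=DES")
    return reasons


def audit(inventory_text):
    """Map host -> blockers for every device that needs reconfiguring."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        reasons = fips_blockers(row)
        if reasons:
            findings[row["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: would fail discovery in FIPS 140 mode ({', '.join(reasons)})")
```
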
The “Support for FIPS 140-2 in IP 9.1” section in Chapter 3, Installing IP Manager, in the VMware Telco Cloud Service Assurance Installation Guide for SAM, IP, and ESM Managers, provides more information about the FIPS 140 mode implementation.