
Technical Notes
This technical note describes how to configure Reflection for Secure IT Server and Client for UNIX so that they operate in a FIPS 140-2 validated state.
To view the certificate and security policy for the Attachmate Cryptographic Module used by Reflection for Secure IT, see the Computer Security Division: Computer Security Resource Center on the NIST website:
When FIPS mode is enabled, Reflection for Secure IT enforces the following:
Supported ciphers: aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc
Supported MACs: hmac-sha256,hmac-sha1,hmac-sha512
DSA keys must be 1024 bits.
RSA keys must be between 1024 and 8192 bits.
To configure the server for FIPS:
AllowedAuthentications=publickey,keyboard-interactive,password
FipsMode=yes
UsePAM=no

Note: If you change the FipsMode setting on the server, you need to restart the server for the change to take full effect. Sending the server a SIGHUP signal puts new sessions into FIPS mode but does not affect existing connections.
To configure the client for FIPS:
FipsMode=yes

By default, Reflection for Secure IT creates an RSA 2048-bit host key, which is a FIPS-approved key strength. If you use the ssh-keygen utility to generate additional public/private key pairs and specify no options, ssh-keygen generates a 2048-bit RSA key pair. If you specify a non-default key type or key length, you can ensure that the resulting keys are FIPS-compliant by using the -f option. This option enforces key creation using a FIPS-approved key strength, as shown in this example.
ssh-keygen -f -t dsa -b 2048
FIPS mode: Invalid value for 'key-length': DSA keys must be 1024 bits in FIPS mode.

Note: The behavior of ssh-keygen is not affected by the FipsMode keyword. Even if FipsMode=yes is set in the client configuration, you should use the -f switch to ensure that the keys you create meet FIPS requirements.
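The following script is an added example and is not part of the Reflection for Secure IT documentation or product. It audits a server configuration file against the FIPS requirements listed in this note (FipsMode, UsePAM, the cipher and MAC lists) and reproduces the key-strength rule that the ssh-keygen -f example above enforces, so a weak configuration can be compared with a compliant one. Assumptions, labeled in the code: the file uses one Keyword=value per line as in the fragments above, the cipher and MAC lists sit under the keywords "Ciphers" and "MACs", and the two configuration files are constructed here for illustration only.

```shell
#!/bin/sh
# Added example (not from the Reflection for Secure IT documentation): audit a
# Reflection for Secure IT server configuration against the FIPS rules in this
# note. ASSUMPTIONS: one Keyword=value per line, and the algorithm lists are
# under the keywords "Ciphers" and "MACs"; adjust these names if your build differs.

FIPS_CIPHERS="aes128-ctr aes128-cbc aes192-ctr aes192-cbc aes256-ctr aes256-cbc 3des-cbc"
FIPS_MACS="hmac-sha256 hmac-sha1 hmac-sha512"

# cfg_get FILE KEYWORD: print the value of the last "KEYWORD=value" line
# (surrounding whitespace ignored), or nothing if the keyword is absent.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# in_list WORD "LIST": succeed if WORD is one of the space-separated LIST entries.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# fips_key_ok TYPE BITS: succeed only if the key strength is allowed in FIPS
# mode (DSA exactly 1024 bits, RSA 1024..8192 bits), the same rule that
# "ssh-keygen -f" enforces in the example above.
fips_key_ok() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric lengths
    case "$1" in
        dsa) [ "$2" -eq 1024 ] ;;
        rsa) [ "$2" -ge 1024 ] && [ "$2" -le 8192 ] ;;
        *)   return 1 ;;
    esac
}

# fips_audit FILE: print one finding per line; the exit status is the number
# of findings, so 0 means the file passes every check made here.
fips_audit() {
    findings=0
    if [ "$(cfg_get "$1" FipsMode)" != "yes" ]; then
        echo "FipsMode is not set to yes"; findings=$((findings + 1))
    fi
    if [ "$(cfg_get "$1" UsePAM)" = "yes" ]; then
        echo "UsePAM=yes: PAM must be disabled in FIPS mode"; findings=$((findings + 1))
    fi
    for c in $(cfg_get "$1" Ciphers | tr ',' ' '); do
        in_list "$c" "$FIPS_CIPHERS" || { echo "cipher $c is not allowed in FIPS mode"; findings=$((findings + 1)); }
    done
    for m in $(cfg_get "$1" MACs | tr ',' ' '); do
        in_list "$m" "$FIPS_MACS" || { echo "MAC $m is not allowed in FIPS mode"; findings=$((findings + 1)); }
    done
    return $findings
}

# Two CONSTRUCTED configuration files for demonstration, written to a temp dir.
CFG_DIR=$(mktemp -d)
trap 'rm -rf "$CFG_DIR"' EXIT
WEAK_CFG="$CFG_DIR/sshd2_config.weak"
FIPS_CFG="$CFG_DIR/sshd2_config.fips"

cat > "$WEAK_CFG" <<'EOF'
AllowedAuthentications=publickey,keyboard-interactive,password
FipsMode=no
UsePAM=yes
Ciphers=aes256-ctr,arcfour,blowfish-cbc
MACs=hmac-sha256,hmac-md5
EOF

cat > "$FIPS_CFG" <<'EOF'
AllowedAuthentications=publickey,keyboard-interactive,password
FipsMode=yes
UsePAM=no
Ciphers=aes256-ctr,aes128-ctr,3des-cbc
MACs=hmac-sha256,hmac-sha512
EOF

for f in "$WEAK_CFG" "$FIPS_CFG"; do
    echo "== $f"
    if fips_audit "$f"; then echo "OK: no findings"; else echo "findings: $?"; fi
done
```

Run it as-is to see the weak file produce five findings and the compliant file none; point fips_audit at a real configuration file to audit it. The key-strength check is deliberately separate from the file audit, since (as the note above says) the FipsMode keyword does not constrain ssh-keygen; only the -f switch does, and fips_key_ok lets you verify a requested type and length before generating the key.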