ConfD and High Security Applications

In the United States, FIPS (Federal Information Processing Standard) is a set of rules that outlines the basic security requirements for cryptographic modules used in computer and telecommunication systems. These standards are mandatory for US non-military, government-run systems, as well as for many healthcare and finance businesses that use cryptographic modules to protect sensitive data. The most recent publication issued by the standards organization NIST is known as FIPS 140-2. For products to be sold into markets that require FIPS 140-2 compliance or validation, the software components they are built from must also be FIPS compliant.

Increasingly, Tail-f/Cisco’s customers have been requesting FIPS mode support in ConfD. Unfortunately, ConfD currently does not provide FIPS support, because it does not support using the FIPS operating mode of OpenSSL’s libcrypto for its cryptographic functions. While ConfD might support this in the future, there is an alternative available today for incorporating ConfD into a solution provider’s application that needs to be FIPS compliant: remove all cryptographic dependencies from ConfD. Users of ConfD need to remove the crypto module used by the ConfD daemon and disable crypto support in libconfd, the library linked into ConfD client applications. This change affects every crypto-related feature in ConfD and makes some minor ConfD features unavailable.

Because most of the information on how to do this is either undocumented or scattered across ConfD’s user documentation, I have written the application note “ConfD and High Security Applications” to explain and describe in detail how to reconfigure ConfD in this way, along with the implications for the minor features that will no longer be available.

Following what is described in this application note allows ConfD-based products to reach markets that require FIPS 140-2 more quickly.

