Enabling FIPS Compliance in Secret Server

(Applies to Secret Server 7.0 and later)

The Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are United States Government standards that set the benchmark for implementing cryptographic software. Secret Server has been tested in FIPS-compliant environments and operates correctly.

(The Microsoft .NET managed implementations of AES and SHA are not FIPS certified, so Secret Server uses the Windows API versions for its encryption functionality, which *are* FIPS certified.) The FIPS certificate numbers for the Windows operating systems, which include the algorithm implementations that we use, are listed here:

http://technet.microsoft.com/en-us/library/cc750357.aspx

Supported Operating Systems: Windows Server 2008 and above.

In order to turn on this security feature, system administrators should follow these steps:

Note   Secret Server will be unavailable and may give errors (such as "Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms") until all the steps have been completed.

  1. In Secret Server, click Configuration from the Administration menu and enable the Enable FIPS Compliance setting.

  2. Enable FIPS Compliance for Windows
    1. Open the Windows Local Security Policy editor (secpol.msc)
    2. In the left pane, navigate to Security Settings -> Local Policies -> Security Options
    3. Open the properties of System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
    4. Choose Enable and click OK.

  3. Enable FIPS Compliance inside the Secret Server configuration file (only needed for versions before 8.5.000000; if you are upgrading to 8.5.00000, you may remove these settings)
    1. Find and open the directory of your Secret Server installation
    2. Open the web.config XML file as an administrator
    3. Directly under the first <System.web> tag, add this new tag: <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
    4. Also in your web.config, find <compilation defaultLanguage="c#" debug="true">, and change the attribute of debug to false: <compilation defaultLanguage="c#" debug="false"> **This may be set in your web.config file already.**
      Note   These changes to the web.config file will need to be made after every upgrade of Secret Server as well (please add this step to your upgrade documentation/change control).

  4. Restart your IIS server with iisreset.
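The following PowerShell script is an added example, not part of Secret Server or this article; it verifies the state the steps above leave behind: the Windows FIPS policy value that secpol.msc writes, the policy as seen by .NET (the source of the "not part of the Windows Platform FIPS validated cryptographic algorithms" error), and the web.config settings from step 3. The installation path is an assumption; pass your own with -WebConfigPath.

```powershell
# Added verification script; assumed default install path, not from the article.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\SecretServer\web.config'
)

function Test-SecretServerFipsConfig {
    param([string]$WebConfigPath)

    # Step 2: secpol.msc is a front end for this DWORD (1 = FIPS policy enabled).
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $policy  = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $windowsFips = ($policy -eq 1)

    # What .NET believes in this process; with the policy on, any non-validated
    # managed crypto class throws the parser error quoted in the article.
    $dotNetFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Step 3 (pre-8.5 only): machineKey on 3DES and compilation debug="false".
    # A missing debug attribute is reported as not verified, not as "off".
    $machineKeyOk = $false
    $debugOff     = $false
    if (Test-Path -Path $WebConfigPath) {
        [xml]$cfg = Get-Content -Raw -Path $WebConfigPath
        $mk   = $cfg.SelectSingleNode('/configuration/system.web/machineKey')
        $comp = $cfg.SelectSingleNode('/configuration/system.web/compilation')
        $machineKeyOk = ($null -ne $mk   -and $mk.validation -eq '3DES' -and $mk.decryption -eq '3DES')
        $debugOff     = ($null -ne $comp -and $comp.debug -eq 'false')
    }

    # One object per check so the result can be logged or compared across servers.
    [pscustomobject]@{
        WindowsFipsPolicyEnabled = $windowsFips
        DotNetFipsOnly           = $dotNetFips
        WebConfigFound           = (Test-Path -Path $WebConfigPath)
        MachineKeyIs3DES         = $machineKeyOk
        CompilationDebugOff      = $debugOff
    }
}

Test-SecretServerFipsConfig -WebConfigPath $WebConfigPath | Format-List
```

Run it in a fresh PowerShell session after the iisreset in step 4, because .NET reads the FIPS policy once per process, so a session started before step 2 will still report the old value.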

If you encounter problems and would like to revert the changes, undo steps 2 and 3 and run the following query in SQL Server Management Studio:

  1. UPDATE [dbo].[tbConfiguration] SET FIPSComplianceEnabled = 0

Then restart your IIS server with the IISReset command from the console.

When using FIPS compliance mode in Secret Server, we use the NIST-certified encryption algorithms within the Windows operating system.

What are the NIST certificate numbers for Secret Server's encryption?

This means that if you are running Secret Server on Windows Server 2008, the NIST certification is here:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1010

and FIPS here:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1010.pdf
