The Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are United States Government standards that provide a benchmark for implementing cryptographic software. Secret Server has been tested under environments which are FIPS compliant and operates correctly.
(The Microsoft .NET implementations of AES and SHA are not FIPS certified so Secret Server uses the Windows API versions for encryption functionality which *are* FIPS certified). Here are the FIPS certificate numbers for the Windows operating systems which includes the algorithm implementations that we use:
Supported Operating Systems: Windows Server 2008 and above.
In order to enabled this feature after Secret Server has been installed, follow the steps below (applies to Secret Server 7.0 and later):
Note: Secret Server will be unavailable and may give errors (such as "Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms") until all the steps have been completed.
During installation of Secret Server, if FIPS compliance for Windows has been enabled before it can be set in Secret Server's configuraton setting, this will result in 'InvalidOperationException' error message. To resolve the issue, please contact support for assistance.
If FIPS is enabled as part of a domain group policy, it will need to be disabled from there before the option can be enabled in the UI, otherwise an error may occur. It can be re-enabled using group policy once the feature has been enabled in the application.
- In Secret Server, click Configuration from the Administration menu and enable the Enable FIPS Compliance setting.
- Enable FIPS Compliance for Windows
- Go to Windows Security Policy editor (secpol.msc)
- Navigate on your left pane to Security Settings -> Local Policies -> Security Options
- Find and go to the property of System Cryptography: Use FIPS Compliant algorithms for encryption, hashing, and signing...
- Choose Enable and click OK.
- Enable FIPS Compliance inside Secret Server configuration file (Only needed for versions before 8.5.000000 - if you are upgrading to 8.5.00000, you may remove these settings)
- Find and open the directory to your installation of Secret Server
- Open the web.config XML file as an administrator
- Directly under the first <System.web> tag, add this new tag: <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
- Also in your web.config, find <compilation defaultLanguage="c#" debug="true">, and change the attribute of debug to false: <compilation defaultLanguage="c#" debug="false"> **This may be set in your web.config file already.**
Note These changes to the web.config file will need to be made after every upgrade of Secret Server as well (please add this step to your upgrade documentation/change control).
- Restart your IIS server with iisreset.
If you encounter problems and would like to revert the changes, undo steps 2 and 3 and run the following query in SQL Server Management Studio:
UPDATE [dbo].[tbConfiguration] SET FIPSComplianceEnabled = 0
Restart your IIS server with the IISReset command from the console.