Enabling/Disabling FIPS Cryptographic Modules
With HMG and HSG 3.7.5+, the hardware-based cryptographic modules are no longer used. Instead, software-based FIPS modules are available. To enable them:
- SSH into your HMG or HSG.
- Elevate to root.
- Edit the /etc/pki/tls/openssl.cnf file and add the following after the oid_section = new_oids line:

  ```
  # OpenSSL configuration fragment for HaiOS WolfEngine config.
  # Templated at build time with values.
  openssl_conf = openssl_init

  [openssl_init]
  engines = engine_section

  [engine_section]
  wolfSSL = wolfssl_section

  [wolfssl_section]
  engine_id = libwolfengine
  dynamic_path = /opt/haivision/usr/lib64/haios-openssl-engine/libwolfengine.so
  init = 1
  default_algorithms = ALL
  enable_fips_checks = 1
  # --- generated engine ctrl options below this line ---
  ```
- Edit the /opt/haivision/madra/conf/ssl/openssl.cnf file and add the following after the oid_section = new_oids line:

  ```
  # OpenSSL configuration fragment for HaiOS WolfEngine config
  # Templated at build time with values.
  openssl_conf = openssl_init

  [openssl_init]
  engines = engine_section

  [engine_section]
  wolfSSL = wolfssl_section

  [wolfssl_section]
  engine_id = libwolfengine
  dynamic_path = /opt/haivision/usr/lib64/haios-openssl-engine/libwolfengine.so
  init = 1
  default_algorithms = ALL
  enable_fips_checks = 1
  # --- generated engine ctrl options below this line ---
  ```
- Reboot your Gateway.
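
The following check is an added example, not part of Haivision's documentation or tooling. It parses an openssl.cnf and confirms that the fragment above is complete and that openssl_conf sits in the default section (before any [section] header), since a fragment pasted under a section header is ignored without error. The function name check_fips_conf and the "run" argument are hypothetical.

```shell
#!/bin/sh
# Added example, not Haivision tooling. Checks that the wolfEngine fragment
# from the procedure is present and reachable in an openssl.cnf.
# Prints one FAIL line per problem; returns 0 only when every check passes.
check_fips_conf() {
    awk '
        # Drop comments and surrounding whitespace, skip blank lines.
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # Track the current [section]; the default section is the empty name.
        /^\[.*\]$/ {
            sec = substr($0, 2, length($0) - 2); gsub(/[ \t]/, "", sec); next
        }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            val[sec "/" k] = v
        }
        function need(key, want) {
            if (val[key] != want) {
                printf "FAIL %s: want \"%s\", got \"%s\"\n", key, want, val[key]
                bad = 1
            }
        }
        END {
            # OpenSSL reads openssl_conf from the default section only, so a
            # fragment pasted below a [section] header is silently ignored.
            need("/openssl_conf", "openssl_init")
            need("openssl_init/engines", "engine_section")
            need("engine_section/wolfSSL", "wolfssl_section")
            need("wolfssl_section/engine_id", "libwolfengine")
            need("wolfssl_section/init", "1")
            need("wolfssl_section/default_algorithms", "ALL")
            need("wolfssl_section/enable_fips_checks", "1")
            if (val["wolfssl_section/dynamic_path"] == "") {
                print "FAIL wolfssl_section/dynamic_path: missing"; bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Usage: sh check.sh run   (checks the two files named in the procedure)
if [ "${1:-}" = "run" ]; then
    for f in /etc/pki/tls/openssl.cnf /opt/haivision/madra/conf/ssl/openssl.cnf; do
        check_fips_conf "$f" && echo "OK   $f"
    done
fi
```

The check only parses the file; it does not confirm that the library at dynamic_path exists or that the engine loads after the reboot.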
To disable FIPS:
- SSH into your HMG or HSG.
- Elevate to root.
- Edit the /etc/pki/tls/openssl.cnf file and remove the changes made when enabling FIPS. See the procedure above.
- Edit the /opt/haivision/madra/conf/ssl/openssl.cnf file and remove the changes made when enabling FIPS. See the procedure above.
- Reboot your Gateway.