HMG and HSG

Enabling/Disabling FIPS Cryptographic Modules

With HMG and HSG 3.7.5+, the hardware-based cryptographic modules are no longer used. Instead, software-based FIPS modules are available. To enable them:

  1. SSH into your HMG or HSG.

  2. Elevate to root.

  3. Edit the /etc/pki/tls/openssl.cnf file and add the following after the oid_section = new_oids line:

    # OpenSSL configuration fragment for HaiOS WolfEngine config.
    # Templated at build time with values.
    openssl_conf = openssl_init
    [openssl_init]
    engines = engine_section
    [engine_section]
    wolfSSL = wolfssl_section
    [wolfssl_section]
    engine_id = libwolfengine
    dynamic_path = /opt/haivision/usr/lib64/haios-openssl-engine/libwolfengine.so
    init = 1
    default_algorithms = ALL
    enable_fips_checks = 1
    # --- generated engine ctrl options below this line ---
    
  4. Edit the /opt/haivision/madra/conf/ssl/openssl.cnf file and add the following after the oid_section = new_oids line:

    # OpenSSL configuration fragment for HaiOS WolfEngine config
    # Templated at build time with values.
    openssl_conf = openssl_init
    [openssl_init]
    engines = engine_section
    [engine_section]
    wolfSSL = wolfssl_section
    [wolfssl_section]
    engine_id = libwolfengine
    dynamic_path = /opt/haivision/usr/lib64/haios-openssl-engine/libwolfengine.so
    init = 1
    default_algorithms = ALL
    enable_fips_checks = 1
    # --- generated engine ctrl options below this line ---
    
  5. Reboot your Gateway.

To disable FIPS:

  1. SSH into your HMG or HSG.

  2. Elevate to root.

  3. Edit the /etc/pki/tls/openssl.cnf file and remove the changes made when enabling FIPS. See the procedure above.

  4. Edit the /opt/haivision/madra/conf/ssl/openssl.cnf file and remove the changes made when enabling FIPS. See the procedure above.

  5. Reboot your Gateway.
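
A check to run after the reboot in either procedure, added here as an example and not Haivision's own tooling: it reports whether each openssl.cnf carries the complete fragment, and flags the case where the fragment was pasted below an existing [section] header, which moves openssl_conf out of the default section where OpenSSL looks for it. The function name fips_cnf_state and the enabled/disabled/misconfigured labels are assumptions of this example; it inspects only the configuration text, not whether the engine actually loaded.

```shell
#!/bin/sh
# fips_cnf_state FILE -> prints enabled | disabled | misconfigured (example helper, hypothetical name)
fips_cnf_state() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    {
        sub(/#.*/, "")                       # strip comments
        line = trim($0)
        if (line == "") next
        if (line ~ /^\[.*\]$/) {             # section header, e.g. "[ new_oids ]"
            section = trim(substr(line, 2, length(line) - 2))
            next
        }
        eq = index(line, "=")
        if (eq == 0) next
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        conf[section "/" key] = val          # section is "" before the first header
        # Any trace of the fragment, wherever it ended up in the file.
        if (val == "libwolfengine" || (key == "openssl_conf" && val == "openssl_init"))
            trace = 1
    }
    END {
        # Follow the chain the fragment sets up, starting in the default section:
        # openssl_conf -> engines -> wolfSSL -> engine settings.
        init = conf["/openssl_conf"]
        engines = (init != "") ? conf[init "/engines"] : ""
        wolf = (engines != "") ? conf[engines "/wolfSSL"] : ""
        ok = (wolf != "" &&
              conf[wolf "/engine_id"] == "libwolfengine" &&
              conf[wolf "/dynamic_path"] != "" &&
              conf[wolf "/init"] == "1" &&
              conf[wolf "/default_algorithms"] == "ALL" &&
              conf[wolf "/enable_fips_checks"] == "1")
        if (ok) print "enabled"
        else if (trace) print "misconfigured"
        else print "disabled"
    }' "$1"
}

# On a gateway: report the state of both files the procedures edit.
for f in /etc/pki/tls/openssl.cnf /opt/haivision/madra/conf/ssl/openssl.cnf; do
    if [ -r "$f" ]; then printf '%s: %s\n' "$f" "$(fips_cnf_state "$f")"; fi
done

# Constructed sample: fragment start pasted below [ req ], so openssl_conf is not in the default section.
sample=$(mktemp)
printf '%s\n' 'oid_section = new_oids' '[ req ]' 'openssl_conf = openssl_init' '[openssl_init]' > "$sample"
printf 'constructed sample: %s\n' "$(fips_cnf_state "$sample")"; rm -f "$sample"
```

Both files should report the same state; a mismatch means one of the two edits was missed.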