How to Enable FIPS on SLES
This document (7023789) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
Situation
Resolution
Before beginning, check to see if FIPS is already enabled.
Run: sysctl -a | grep fips
susesystem:/home/user # sysctl -a | grep fips crypto.fips_enabled = 0
crypto.fips_enabled = 0 shows that fips is not running. If crypto.fips_enabled = 1, then fips is running.
Note that it may be wise to make a backup of this system. If this fails, the system will not boot. If you are in this state, you will need to edit the grub line and remove fips=1 and boot.
1. Install the FIPS pattern.:
Run: zypper in -t pattern fips
2. Edit /etc/default/grub and add fips=1 to end of line.
If this system has a separate boot partition, it is REQUIRED to add boot=/dev/sda1 (use the correct path to your boot partition) or fips will fail and the system may not boot.
In the following example, there is not a separate boot partition:
3. Recreate the grub.cfg file:
Run: grub2-mkconfig -o /boot/grub2/grub.cfg
4. Recreate the initrd:
Run: mkinitrd
5. Reboot the system.
6. After the system is booted, verify if FIPS is enabled:
Run: sysctl -a | grep fips
susesystem:/home/user # sysctl -a | grep fips
crypto.fips_enabled = 1
Cause
Additional Information
zypper in crypto-policies-scriptsNote that FIPS must be enabled at least once, otherwise openssh will still fail to start. Just run:
fips-mode-setup --enable
Related information can be found here:
Configuring xrdp for FIPS compliance
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7023789
- Creation Date: 21-Mar-2019
- Modified Date:10-Jun-2024
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com