FIPS support

Rocket Terminal Emulator Desktop uses one or more FIPS 140-2 validated cryptographic modules for encryption and decryption. The exact modules used depend on the Windows operating system in use, and in the case of secure host sessions, on the session's configured security settings. For secure host sessions, and for file or password encryption, Rocket TE uses the Microsoft Crypto API.

The master list of FIPS 140-2 validation certificates can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

Some of the FIPS 140-2 validation certificates for the Microsoft Crypto API are:
  • #893 - Windows Vista Enhanced Cryptographic Provider

  • #1330 - Windows 7 Enhanced Cryptographic Provider

  • #1894 - Windows 8 Enhanced Cryptographic Provider

Note: Different Windows operating systems, or different revisions of the above operating systems, may have different or additional certificates; consult the master list at the website above. For further information on FIPS 140 Validation of Windows versions and components, see: https://technet.microsoft.com/en-us/library/security/cc750357.aspx.

The cryptographic modules above must be put into FIPS mode in order to operate in a manner consistent with their FIPS 140-2 validations. The Microsoft Crypto API modules' FIPS settings can be found and changed through the Windows Control Panel. On Windows 7, the path is: Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options > System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms. FIPS mode can also be found and changed directly through the registry by setting:
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (Windows Vista and later)

  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy (earlier Windows versions)

If Windows is operating in FIPS mode, then Rocket TE's cryptographic functions using the Crypto API will operate in FIPS mode.

Whether Rocket TE's cryptographic functions that use the OpenSSL FIPS Object Module operate in FIPS mode depends on whether Rocket TE is installed in FIPS mode. This is controlled by one of the following settings in the [BZSetup] section of the setup.ini file:
FIPSMode=Yes
FIPSMode=No

The Rocket TE FIPS mode setting can be determined by viewing the About Box in a Rocket TE module which supports secure sessions (Mainframe, iSeries, VT, FTP). In Mainframe and iSeries sessions, the About tab in the Connection Properties contains the FIPS mode settings for both OpenSSL and Windows.
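
An added example (not part of the Rocket TE documentation or product): a PowerShell script that reads the two settings described above, the Windows FIPS policy from the registry and FIPSMode from the [BZSetup] section, and reports whether they agree. The setup.ini path is supplied by the caller because its location is not given here; the function names and the -SetupIni parameter are hypothetical, and the lookup for earlier Windows versions assumes FipsAlgorithmPolicy is a value under the Lsa key.

```powershell
# Added example: report the two FIPS settings this page describes.
# Assumption: the caller passes the path to setup.ini; with no path, a constructed sample is used.
param([string]$SetupIni)

function Get-WindowsFipsPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Windows Vista and later: "Enabled" value under the FipsAlgorithmPolicy key
    $v = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $v) { return [bool]$v.Enabled }
    # Earlier Windows versions (assumption: FipsAlgorithmPolicy is a value under Lsa)
    $v = Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($null -ne $v) { return [bool]$v.FipsAlgorithmPolicy }
    return $false   # neither location present: policy not enabled
}

function Get-IniValue {
    param([string[]]$Lines, [string]$Section, [string]$Key)
    $inSection = $false
    $value = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Track which [section] we are in
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        # key=value inside the wanted section; the last occurrence wins
        if ($inSection -and $t -match '^([^=;]+)=(.*)$' -and $Matches[1].Trim() -eq $Key) {
            $value = $Matches[2].Trim()
        }
    }
    return $value
}

$lines = if ($SetupIni) { Get-Content -LiteralPath $SetupIni } else {
    # Constructed sample input
    '[BZSetup]', 'FIPSMode=Yes '
}
$rocket  = (Get-IniValue -Lines $lines -Section 'BZSetup' -Key 'FIPSMode') -eq 'Yes'
$windows = Get-WindowsFipsPolicy

# A mismatch means the Crypto API and OpenSSL code paths run in different modes
[pscustomobject]@{
    WindowsFipsPolicy = $windows
    RocketFipsMode    = $rocket
    Consistent        = ($windows -eq $rocket)
}
```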

The following Rocket TE features are disabled when in FIPS mode:
  • SSH

  • SSLv3

  • VT single sign on using Kerberos

  • iSeries sign on screen bypass using DES or Kerberos