Posted to users@activemq.apache.org by mickhayes <mi...@gmail.com> on 2012/06/21 16:10:37 UTC

Re: FIPS 140-2

I came across this FIPS topic on introduction of Mozilla NSS in our
organisation (we have a fairly detailed procedure when new FOSS software is
introduced.)

To answer the question, ActiveMQ isn't on the published lists, so the answer
is no - a product is not compliant until it has been certified as such.
Once a module is validated, then it's on the validated lists:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm


However, I would question whether ActiveMQ needs to be - perhaps a "FIPS
mode" would suffice.

Consider NSS. Now it's validated - FIPS 140-2 compliant. So Firefox has a
FIPS mode. Once you have a password for your "encryption device" you can
turn on FIPS mode.

ActiveMQ - like Firefox - doesn't itself own or develop any cryptographic
modules.
At a simple level, for encrypted passwords, the Apache V2-licensed jasypt
library is used http://www.jasypt.org
Jasypt relies on JCE. 

You can see on csrc.nist.gov which JCE modules have been validated as
compliant. 

Note the concept of "FIPS mode" - explained well here:
https://developer.mozilla.org/en/NSS/FIPS_Mode_-_an_explanation





-----
Michael Hayes B.Sc. (NUI), M.Sc. (DCU), SCSA SCNA 

--
View this message in context: http://activemq.2283324.n4.nabble.com/FIPS-140-2-tp4653345p4653436.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
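
Added example, not part of the original message or of ActiveMQ: since the post says the encryption is delegated to JCE, this Java check lists the JCE providers installed in the JVM and reports which one services each algorithm, which is the module name to compare against the validated lists. The class name and the sample algorithm list are assumptions; PBEWithMD5AndDES is included because it is jasypt's default PBE algorithm.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;

// Hypothetical helper class (name is an assumption, not from ActiveMQ or jasypt).
public class JceProviderAudit {

    // Provider that would service a password-based key derivation algorithm.
    static String keyFactoryProvider(String algorithm) {
        try {
            return SecretKeyFactory.getInstance(algorithm).getProvider().toString();
        } catch (GeneralSecurityException e) {
            return "not available";
        }
    }

    // Provider that would service a cipher transformation.
    static String cipherProvider(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().toString();
        } catch (GeneralSecurityException e) {
            return "not available";
        }
    }

    public static void main(String[] args) {
        // Providers are consulted in this order when no provider is named.
        System.out.println("Installed JCE providers, in preference order:");
        int rank = 1;
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %d. %s - %s%n", rank++, p, p.getInfo());
        }

        // Sample algorithms (assumed list). MD5 and single DES are not
        // FIPS-approved, so a JVM restricted to a validated provider is
        // expected to report the first entry as "not available".
        String[] pbe = { "PBEWithMD5AndDES", "PBEWithSHA1AndDESede", "PBKDF2WithHmacSHA1" };
        for (String alg : pbe) {
            System.out.printf("%-24s -> %s%n", alg, keyFactoryProvider(alg));
        }
        System.out.printf("%-24s -> %s%n", "AES/CBC/PKCS5Padding",
                cipherProvider("AES/CBC/PKCS5Padding"));
    }
}
```

Run it with the same JVM and `java.security` configuration as the broker, because the provider list is per-JVM configuration.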

Re: FIPS 140-2

Posted by mickhayes <mi...@gmail.com>.
I'm not aware of any such thing. 
As it would be useful for some customers, I would imagine it would be
well-advertised (and it is not.)


You would /ideally/ have a FIPS mode in ActiveMQ, which when switched on,
would call
FIPS_mode_set() so ALL encryption would be done by the FIPS Object Module.

However, I note there is another way to do this in *5.2 "FIPS Mode
Initialization" of the User Guide* with “fips_mode = yes” hardcoded in the
openssl config file.

Is that good enough? 

Sorry I'm not in a position to try it out...



-----
Michael Hayes B.Sc. (NUI), M.Sc. (DCU), SCSA SCNA 


Re: FIPS 140-2

Posted by jerbia <je...@gmail.com>.
Thanks Michael for the detailed reply!
Do you know what is the case for OpenSSL, used by ActiveMQ for secured
communication (ssl)?
Are there any ActiveMQ distributions compiled with a FIPS-compliant OpenSSL
version (http://www.openssl.org/docs/fips/fipsnotes.html)?

Thanks,
Amir


On Thu, Jun 21, 2012 at 5:10 PM, mickhayes [via ActiveMQ] <
ml-node+s2283324n4653436h66@n4.nabble.com> wrote:

> I came across this FIPS topic on introduction of Mozilla NSS in our
> organisation (we have a fairly detailed procedure when new FOSS software is
> introduced.)
>
> To answer the question, ActiveMQ isn't on the published lists, so the
> answer is no - a product is not compliant until it has been certified as
> such.
> Once a module is validated, then it's on the validated lists:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
>
>
> However, I would question whether ActiveMQ needs to be - perhaps a "FIPS
> mode" would suffice.
>
> Consider NSS. Now it's validated - FIPS 140-2 compliant. So Firefox has a
> FIPS mode. Once you have a password for your "encryption device" you can
> turn on FIPS mode.
>
> ActiveMQ - like Firefox - doesn't itself own or develop any cryptographic
> modules.
> At a simple level, for encrypted passwords, the Apache V2-licensed jasypt
> library is used http://www.jasypt.org
> Jasypt relies on JCE.
>
> You can see on csrc.nist.gov which JCE modules have been validated as
> compliant.
>
> Note the concept of "FIPS mode" - explained well here:
> https://developer.mozilla.org/en/NSS/FIPS_Mode_-_an_explanation
>
>
>
> Michael Hayes B.Sc. (NUI), M.Sc. (DCU), SCSA SCNA
>

