Azure Enable Fips Mode
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Background
To help comply with Federal Information Processing Standard (FIPS) 140-2, RHEL-based operating systems such as CentOS 7 come with a "FIPS mode". Once enabled, cryptographic modules such as OpenSSH server operate with a configuration that complies with FIPS 140-2. This article walks you through enabling FIPS mode for SFTP Gateway.
Enabling FIPS mode on SFTP Gateway
To enable FIPS mode on your CentOS 7 SFTP Gateway server:
SSH in to the SFTP Gateway server with the Linux admin user
Update the OS packages:
sudo yum update -y
Install and enable the FIPS module:
sudo yum install -y dracut-fips
sudo dracut -f
Enable FIPS mode by adding the kernel argument:
sudo /usr/sbin/grubby --update-kernel=ALL --args="fips=1"
Reboot the OS:
sudo reboot
Verify FIPS Mode is Enabled
To verify that FIPS mode is enabled on your CentOS 7 SFTP Gateway server:
At the operating system level, run the command:
sysctl crypto.fips_enabled
The output should read:
crypto.fips_enabled = 1
Check the OpenSSL version:
openssl version
For example, the output may be “OpenSSL 1.0.2k-fips”.
To further verify that OpenSSL is configured correctly, attempt to run OpenSSL with an algorithm that is not FIPS validated, such as the original Secure Hash Algorithm (SHA). This should fail with an error stating "disabled for fips":
openssl sha
Example output of this command:
139769536427936:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
To verify the OpenSSH server is using the intended FIPS mode:
ssh localhost 2>&1 | grep FIPS
The output should read:
FIPS mode initialized
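As an added example (not part of the SFTP Gateway documentation), the following POSIX shell script wraps the verification steps above into reusable checks. The parsing functions take command output as arguments, so they can be exercised on constructed strings; passing `--live` runs them against the host. It assumes CentOS 7 with sysctl and openssl on the PATH.

```shell
#!/bin/sh
# Added example: consolidated FIPS verification for a CentOS 7 SFTP Gateway host.
# Assumes sysctl and openssl (1.0.2 with the -fips build suffix) are on the PATH.

# Interpret the output of `sysctl crypto.fips_enabled`; "yes" only when the kernel reports 1.
kernel_fips_from_sysctl() {
    case "$1" in
        *"crypto.fips_enabled = 1"*) echo yes ;;
        *) echo no ;;
    esac
}

# Interpret `openssl version`: a FIPS-capable build carries the "-fips" suffix (e.g. 1.0.2k-fips).
openssl_is_fips_build() {
    case "$1" in
        *-fips*) echo yes ;;
        *) echo no ;;
    esac
}

# Interpret the result of `openssl sha`: in FIPS mode it must fail with "disabled for fips".
# $1 = exit status of the command, $2 = its captured stderr.
sha_disabled_for_fips() {
    if [ "${1:-0}" -ne 0 ] && printf '%s' "$2" | grep -qi 'disabled for fips'; then
        echo yes
    else
        echo no
    fi
}

# Combine the three answers: "ok" only when every check agrees the host is in FIPS mode.
fips_verdict() {
    if [ "$1" = yes ] && [ "$2" = yes ] && [ "$3" = yes ]; then
        echo ok
    else
        echo not-fips
    fi
}

# Run the checks against this host and print a one-line summary.
check_live_host() {
    k=$(kernel_fips_from_sysctl "$(sysctl crypto.fips_enabled 2>/dev/null)")
    o=$(openssl_is_fips_build "$(openssl version 2>/dev/null)")
    # Capture stderr only; the && / || form keeps a failing openssl from tripping set -e.
    err=$(openssl sha </dev/null 2>&1 >/dev/null) && st=0 || st=$?
    s=$(sha_disabled_for_fips "$st" "$err")
    echo "kernel=$k openssl_build=$o sha_disabled=$s verdict=$(fips_verdict "$k" "$o" "$s")"
}

if [ "${1:-}" = "--live" ]; then check_live_host; fi
```

Run it as `sh fips-check.sh --live` on the gateway after the reboot; any field other than `yes` in the summary points to the step that did not take effect.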