Configuring FIPS for ORS on Windows

ORS 8.1.401.11 and later versions support the newer OpenSSL 3.x. With OpenSSL 3.x, in addition to setting the option scxml\fips-enabled, further configuration steps are necessary to enable FIPS.

In ORS 8.1.401.11 and later versions, FIPS-related modules and tools are located as follows:

  • fips.dll is located in <ORS_installation_folder>\fips\fips.dll
  • openssl.exe is located in <ORS_installation_folder>\tools\openssl.exe

To enable FIPS, follow these steps:

Important
The sample commands given in this procedure are based on the following assumptions, which can vary with the user environment:
  • ORS installation path - C:\GCTI\ORS_8.1.401.11
  • Custom path for FIPS-related config files - C:\GCTI\ORS_FIPS_CFG
  1. Create a FIPS module configuration file, fipsmodule.cnf, using the openssl utility:
    openssl fipsinstall -out C:\GCTI\ORS_FIPS_CFG\fipsmodule.cnf -module C:\GCTI\ORS_8.1.401.11\fips\fips.dll
  2. Create an OpenSSL configuration file, openssl.cnf, that includes fipsmodule.cnf, in the C:\GCTI\ORS_FIPS_CFG folder.
    config_diagnostics = 1
    openssl_conf = openssl_init
    
    .include C:/GCTI/ORS_FIPS_CFG/fipsmodule.cnf
    
    [openssl_init]
    providers = provider_sect
    
    [provider_sect]
    fips = fips_sect
    base = base_sect
    
    [base_sect]
    activate = 1
    Important
    When specifying the path for fipsmodule.cnf, you must use forward slashes, for example, C:/GCTI/ORS_FIPS_CFG/fipsmodule.cnf.
  3. Set the OPENSSL_CONF environment variable to point to the location and filename of openssl.cnf.
    set OPENSSL_CONF=C:\GCTI\ORS_FIPS_CFG\openssl.cnf
  4. Set the OPENSSL_MODULES environment variable to point to the folder that contains fips.dll.
    set OPENSSL_MODULES=C:\GCTI\ORS_8.1.401.11\fips
  5. (Optional) You can verify that FIPS is configured properly using the openssl list -providers command before starting ORS.
    openssl list -providers
    Providers:
      base
        name: OpenSSL Base Provider
        version: 3.0.10
        status: active
      fips
        name: OpenSSL FIPS Provider
        version: 3.0.10
        status: active
  6. Start ORS only after the variables OPENSSL_CONF and OPENSSL_MODULES are set.
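
The checks implied by steps 2 through 5 can be scripted and run before step 6. The following PowerShell script is an added example, not part of the product documentation; it assumes the sample paths used above and must be launched from the same session in which OPENSSL_CONF and OPENSSL_MODULES were set, because set affects only that session and the processes started from it.

```powershell
# Added example: pre-start check for the FIPS procedure on this page.
# Assumption: $OrsHome is the page's sample install path; adjust as needed.
$OrsHome  = 'C:\GCTI\ORS_8.1.401.11'
$OpenSsl  = Join-Path $OrsHome 'tools\openssl.exe'
$problems = @()

# Steps 3-4: both variables must be set in the session that starts ORS.
$conf    = $env:OPENSSL_CONF
$modules = $env:OPENSSL_MODULES
if (-not $conf)    { $problems += 'OPENSSL_CONF is not set' }
if (-not $modules) { $problems += 'OPENSSL_MODULES is not set' }

# Step 2: openssl.cnf must exist and .include must use forward slashes.
if ($conf -and (Test-Path -LiteralPath $conf)) {
    foreach ($m in Select-String -LiteralPath $conf -Pattern '^\s*\.include\s+(.+)$') {
        $path = $m.Matches[0].Groups[1].Value.Trim()
        if ($path.Contains('\')) { $problems += ".include uses backslashes: $path" }
    }
} elseif ($conf) { $problems += "openssl.cnf not found: $conf" }

# Step 4: OPENSSL_MODULES must be the folder that holds fips.dll.
if ($modules -and -not (Test-Path -LiteralPath (Join-Path $modules 'fips.dll'))) {
    $problems += "fips.dll not found in OPENSSL_MODULES: $modules"
}

# Step 5: parse 'openssl list -providers' into a provider -> status map.
$status = @{}; $current = $null
if (Test-Path -LiteralPath $OpenSsl) {
    foreach ($line in (& $OpenSsl list -providers)) {
        if ($line -match '^\s+([^\s:]+)\s*$') {
            $current = $Matches[1]              # provider id line, e.g. "fips"
        } elseif ($current -and $line -match '^\s+status:\s*(\S+)') {
            $status[$current] = $Matches[1]     # status line of that provider
        }
    }
} else { $problems += "openssl.exe not found: $OpenSsl" }

# The openssl.cnf from step 2 activates exactly two providers: fips and base.
foreach ($p in 'fips', 'base') {
    if ($status[$p] -ne 'active') { $problems += "provider '$p' is not active" }
}
foreach ($p in $status.Keys) {
    if ($p -notin 'fips', 'base') { $problems += "unexpected provider loaded: $p" }
}

# Fail closed: a non-zero exit code means ORS should not be started yet.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'fips and base providers are active; ORS can be started from this session.'
```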
This page was last edited on November 5, 2024, at 09:16.