Configuring FIPS for ORS on Linux
With the newer OpenSSL 3.x that is supported with ORS 8.1.401.13+, setting the option scxml\fips-enabled is not enough on its own: additional configuration steps are necessary to enable FIPS.
To enable FIPS, follow these steps:
- Run the fipsinstall.sh script provided in the ORS installation folder.
  - This script runs the FIPS module self-test and generates the OpenSSL configuration files openssl.cnf and fipsmodule.cnf, which are mandatory for FIPS mode.
- Set the following environment variables as fipsinstall.sh suggests:
  - LD_LIBRARY_PATH to the <ORS install directory>/fips and <ORS install directory>/lib64 directories
  - OPENSSL_MODULES to the <ORS install directory>/fips directory
  - OPENSSL_CONF to the <ORS install directory>/openssl.cnf file
Important
- If ORS is started by Local Control Agent (LCA), ensure that the above environment variables are set for the session/account from which ORS is starting.
- The procedure for enabling FIPS mode is similar to the procedure for Genesys Security Pack, but it is important that LD_LIBRARY_PATH points to <ORS install directory>/fips instead of the Genesys Security Pack folder.
- When configuring ORS for a secure connection, like TLS, in non-FIPS mode, ensure that:
  - ORS option scxml\fips-enabled is set to false
  - Neither the OPENSSL_MODULES nor the OPENSSL_CONF environment variable is defined
  - LD_LIBRARY_PATH includes the Genesys Security Pack folder instead of <ORS install directory>/fips
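The following pre-start check is an added example, not part of the Genesys documentation or the ORS distribution. It verifies that the environment of the account starting ORS (for example, the one used by LCA) matches the FIPS or non-FIPS rules above. The function names, the arguments and the optional Security Pack directory argument are assumptions, and the script cannot see the scxml\fips-enabled option, which must still be checked in the ORS configuration.

```shell
#!/bin/sh
# Added example, not Genesys code. Function names and arguments are assumptions.

# in_ldpath DIR: succeeds if DIR is an exact entry of LD_LIBRARY_PATH.
in_ldpath() {
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ors_env ORS_DIR fips|nonfips [SECURITY_PACK_DIR]
# Prints each mismatch to stderr; returns 0 only if the environment fits the mode.
check_ors_env() {
    _dir=${1%/} _mode=$2 _secpack=${3:-} _rc=0
    _bad() { echo "check_ors_env: $*" >&2; _rc=1; }
    case "$_mode" in
    fips)
        in_ldpath "$_dir/fips"  || _bad "LD_LIBRARY_PATH lacks $_dir/fips"
        in_ldpath "$_dir/lib64" || _bad "LD_LIBRARY_PATH lacks $_dir/lib64"
        [ "${OPENSSL_MODULES:-}" = "$_dir/fips" ] ||
            _bad "OPENSSL_MODULES is not $_dir/fips"
        [ "${OPENSSL_CONF:-}" = "$_dir/openssl.cnf" ] ||
            _bad "OPENSSL_CONF is not $_dir/openssl.cnf"
        [ -f "$_dir/openssl.cnf" ] ||
            _bad "$_dir/openssl.cnf not found; run fipsinstall.sh first"
        ;;
    nonfips)
        # "Defined" includes defined-but-empty, so test for set, not non-empty.
        [ -z "${OPENSSL_MODULES+set}" ] || _bad "OPENSSL_MODULES must not be defined"
        [ -z "${OPENSSL_CONF+set}" ]    || _bad "OPENSSL_CONF must not be defined"
        if in_ldpath "$_dir/fips"; then
            _bad "LD_LIBRARY_PATH still contains $_dir/fips"
        fi
        if [ -n "$_secpack" ]; then
            in_ldpath "$_secpack" || _bad "LD_LIBRARY_PATH lacks $_secpack"
        fi
        ;;
    *) _bad "mode must be fips or nonfips" ;;
    esac
    return "$_rc"
}
```

Source the file in the startup wrapper of the account that launches ORS and call `check_ors_env "<ORS install directory>" fips` before starting the process; a non-zero return means at least one variable does not match the selected mode.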
This page was last edited on November 28, 2024, at 15:15.