Enable the EMS Server

Note: The EMS server supports FIPS compliance only on the Linux, Solaris, and Windows platforms.

To enable FIPS 140-2 operations in the EMS server:

  • Set the fips140-2 parameter in the main configuration file to true.
  • Ensure that incompatible parameters, listed below, are not included in the server configuration files.
  • Ensure that the ssl_server_ciphers parameter for the EMS server is configured to use a supported cipher suite. Supported cipher suites are listed below.

When fips140-2 is enabled, on start-up the EMS server initializes in compliance with FIPS 140-2. If the initialization is successful, the EMS server prints a message indicating that it is operating in this mode. If the initialization fails, the server exits (regardless of the startup_abort_list setting).

Incompatible Parameters

To operate in FIPS-compliant mode, you must not include these parameters in the tibemsd.conf file:

These parameters cannot be included in the routes.conf file:

Supported Cipher Suites

Only the following cipher suites are supported by the EMS server when it is started in FIPS mode:

  • AES128-SHA  
  • AES256-SHA  
  • DES-CBC3-SHA  
  • DHE-DSS-AES128-SHA  
  • DHE-DSS-AES256-SHA  
  • DHE-RSA-AES128-SHA  
  • DHE-RSA-AES256-SHA  
  • EDH-DSS-DES-CBC3-SHA  
  • EDH-RSA-DES-CBC3-SHA
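A pre-flight check for the three steps above, run against the main configuration file before the server is started. This is an added example, not TIBCO code. It assumes "name = value" lines with "#" comment lines and a colon-separated cipher list whose entries may carry a +, -, < or > qualifier; the incompatible parameter names are supplied by the caller, and the one used in the sample is a hypothetical placeholder.

```python
# Added example: check an EMS main configuration for FIPS 140-2 readiness.
# Assumed file syntax: "name = value" per line, "#" starts a comment line.

FIPS_SUITES = {
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
    "DHE-DSS-AES128-SHA", "DHE-DSS-AES256-SHA",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "EDH-DSS-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
}

def parse_conf(text):
    """Return {parameter: value}; parameter names are lower-cased."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params

def check_fips_config(text, incompatible=()):
    """Return a list of findings; an empty list means all checks passed."""
    params = parse_conf(text)
    findings = []
    if params.get("fips140-2", "").lower() != "true":
        findings.append("fips140-2 is not set to true")
    for name in incompatible:  # names come from the product documentation
        if name.lower() in params:
            findings.append(f"incompatible parameter present: {name}")
    ciphers = params.get("ssl_server_ciphers")
    if not ciphers:
        findings.append("ssl_server_ciphers is not set")
        return findings
    for entry in filter(None, (e.strip() for e in ciphers.split(":"))):
        if entry.startswith("-"):
            continue  # assumed qualifier: suite is removed, not offered
        suite = entry.lstrip("+<>")  # assumed add / ordering qualifiers
        if suite not in FIPS_SUITES:
            findings.append(f"cipher suite not supported in FIPS mode: {suite}")
    return findings

# Constructed sample, not a real server configuration.
SAMPLE = """\
fips140-2 = true
ssl_server_ciphers = -all:+AES256-SHA:+RC4-MD5:<DHE-RSA-AES128-SHA
example_incompatible_param = enabled
"""

if __name__ == "__main__":
    print(check_fips_config(SAMPLE, incompatible=("example_incompatible_param",)))
```
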