
Skyhigh Security

Disable FIPS on Cloud Connector

Skyhigh Cloud Connector is FIPS (Federal Information Processing Standards) compliant by default starting with Skyhigh Cloud Connector 5.4.0.

NOTE: There is a known issue in which the FIPS-enabled Skyhigh Cloud Connector generates SSL errors in the Cloud Connector debug log. The ERR_SSL_PROTOCOL_ERROR error causes enterprise PII detokenization API calls from the Cloud Connector UI to fail and displays error messages on the Cloud Connector UI.

Enable or Disable FIPS for Windows and Linux using CLI Commands 

NOTE: This section applies to users who have upgraded to Skyhigh Cloud Connector version 6.4.0 or higher.

Use the following CLI commands to enable or disable FIPS on both Windows and Linux operating systems.

  • Enable FIPS using the following CLI command:

PS C:\prod>./shnlpcli enableFIPS --flag true

Sample Output:
Version Information: VERSION: 6.4.0.2, BUILD-NUMBER: 16, BUILD-ID: 16
true
.\shnlps.vmoptions
.\shnlpcli.vmoptions
Enabling FIPS

  • Disable FIPS using the following CLI command:

PS C:\prod>./shnlpcli enableFIPS --flag false

Sample Output:
Version Information: VERSION: 6.4.0.2, BUILD-NUMBER: 16, BUILD-ID: 16
false
.\shnlps.vmoptions
.\shnlpcli.vmoptions
Disabling FIPS

Disable FIPS on Cloud Connector for Windows and Linux 

NOTE: This section applies to users who have upgraded to a Skyhigh Cloud Connector version below 6.4.0.

If your Skyhigh Cloud Connector version is below 6.4.0, FIPS is enabled on Cloud Connector by default. To disable FIPS on the Cloud Connector for Linux and Windows operating systems, perform the following steps:

Disable FIPS on Cloud Connector (Linux)

You must perform the following steps to disable FIPS on your Cloud Connector for Linux:

Stop the Log Processor Service

To stop the log processor service:

  1. Create a backup folder on Linux.
  2. From the <EC installation Directory>/jre/lib/ext directory, copy the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files to the backup folder.
  3. Delete the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files from the <EC installation Directory>/jre/lib/ext directory.

NOTE: Make sure to copy the <EC installation Directory>/jre/lib/security/java.security file to the backup folder for future reference.

Add Multi-line Comment in Java Security File

In the <EC installation Directory>/jre/lib/security/java.security file, make the following lines a multi-line comment:

NOTE: You must include a '#' at the beginning of each of these lines in the java.security file.

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun

Add Properties in Java Security File

In the <EC installation Directory>/jre/lib/security/java.security java security file:

  1. Add the following properties:

NOTE: Make sure that you do not change the letter case.

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
  2. Set ssl.KeyManagerFactory.algorithm to SunX509 and securerandom.strongAlgorithms to NativePRNGBlocking:SUN.

Start the Log Processor Service

FIPS is disabled on your Cloud Connector for Linux.

Disable FIPS on Cloud Connector (Windows)

You must perform the following steps to disable FIPS on your Cloud Connector for Windows:

Stop the Log Processor Service

To stop the log processor service:

  1. Create a backup folder on Windows.
  2. From the <EC installation Directory>/jre/lib/ext directory, copy the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files to the backup folder.
  3. Delete the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files from the <EC installation Directory>/jre/lib/ext directory.

NOTE: Make sure to copy the <EC installation Directory>/jre/lib/security/java.security file to the backup folder for future reference.

Add Multi-line Comment in Java Security File

In the <EC installation Directory>/jre/lib/security/java.security file, make the following lines a multi-line comment:

NOTE: You must include a '#' at the beginning of each of these lines in the java.security file.

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun

Add Properties in Java Security File

In the <EC installation Directory>/jre/lib/security/java.security java security file:

  1. Add the following properties:

NOTE: Make sure that you do not change the letter case.

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
  2. Set ssl.KeyManagerFactory.algorithm to SunX509.

Start the Log Processor Service

FIPS is disabled on your Cloud Connector for Windows.
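
A check for the edited java.security file, added here as an example and not part of Skyhigh's documentation or tooling: it lists the providers the JVM will actually load and flags leftovers from the Linux or Windows steps above. It relies on two JDK behaviours: a later duplicate key overrides an earlier one, and provider loading stops at the first missing number. The function name and the sample file content are constructed for illustration.

```python
import re

# Constructed sample: a java.security fragment after the edit described above,
# with two mistakes left in (old provider.3 not commented, provider.4 missing).
SAMPLE = """\
#security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
#security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.5=com.sun.crypto.provider.SunJCE
ssl.KeyManagerFactory.algorithm=SunX509
"""

def audit_java_security(text):
    """Return (active_providers, findings) for java.security content."""
    props, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":        # comments and blank lines
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in props and key.startswith("security.provider."):
            findings.append(f"duplicate {key}: last value wins ({value})")
        props[key] = value                     # java.util.Properties: last wins
    active, n = [], 1
    while f"security.provider.{n}" in props:   # JDK stops at the first gap
        active.append(props[f"security.provider.{n}"])
        n += 1
    for key in props:
        m = re.fullmatch(r"security\.provider\.(\d+)", key)
        if m and int(m.group(1)) > n:
            findings.append(f"{key} is unreachable: no security.provider.{n}")
    for p in active:
        if "bouncycastle" in p.lower():
            findings.append(f"FIPS provider still active: {p}")
    if props.get("ssl.KeyManagerFactory.algorithm") != "SunX509":
        findings.append("ssl.KeyManagerFactory.algorithm is not SunX509")
    return active, findings

if __name__ == "__main__":
    providers, problems = audit_java_security(SAMPLE)
    print(providers)
    print("\n".join(problems) or "no findings")
```

Run it against the backup copy and the edited file to compare the effective provider order before and after the change.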
