Disable FIPS on Cloud Connector
Skyhigh Cloud Connector is FIPS (Federal Information Processing Standards) compliant by default starting with Skyhigh Cloud Connector 5.4.0.
NOTE: There is a known issue in which the FIPS-enabled Skyhigh Cloud Connector generates SSL errors in the Cloud Connector debug log. The ERR_SSL_PROTOCOL_ERROR error causes enterprise PII detokenization API calls from the Cloud Connector UI to fail and displays error messages on the Cloud Connector UI.
You can disable FIPS on the Cloud Connector for Linux and Windows operating systems.
Disable FIPS on Cloud Connector (Linux)
You must perform the following steps to disable FIPS on your Cloud Connector for Linux:
- Stop the Log Processor Service
- Add multi line comment in java security file
- Add properties in java security file
- Start the Log Processor Service
Stop the Log Processor Service
To stop the log processor service:
- Create a backup folder on Linux.
- From the <EC installation Directory>/jre/lib/ext directory, copy the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files to the backup folder.
- Delete the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files from the <EC installation Directory>/jre/lib/ext directory.
NOTE: Make sure to copy the <EC installation Directory>/jre/lib/security/java.security file to the backup folder for future reference.
Add multi line comment in java security file
In the <EC installation Directory>/jre/lib/security/java.security java security file, add the following multi line comment:
NOTE: You must include a '#' at the beginning of these lines in the java security file.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
Add properties in java security file
In the <EC installation Directory>/jre/lib/security/java.security java security file:
- Add the following properties:
NOTE: Make sure that you do not change the letter case.
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
- Set ssl.KeyManagerFactory.algorithm to SunX509 and securerandom.strongAlgorithms to NativePRNGBlocking:SUN.
Start the Log Processor Service
FIPS is disabled on your Cloud Connector for Linux.
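The following check is an added example, not part of the Skyhigh documentation: a shell function that verifies a java.security file after the Linux steps above, so a half-applied edit is caught before the service is restarted. The name check_java_security is hypothetical, and the check assumes each property is written as key=value with no surrounding spaces, as on this page.

```sh
#!/bin/sh
# Added example; check_java_security is a hypothetical helper name.
# Usage: check_java_security <path to java.security> [<path to jre/lib/ext>]
check_java_security() {
    f=$1; ext=${2:-}; rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    # Any uncommented provider line that still names Bouncy Castle means the
    # FIPS providers are still configured.
    if grep -Eq '^[[:space:]]*security\.provider\.[0-9]+=.*bouncycastle' "$f"; then
        echo "FAIL: active Bouncy Castle provider entry" >&2; rc=1
    fi

    # Active entries must be numbered 1..N exactly once each: the JVM stops
    # loading providers at the first missing number, and for a duplicated key
    # the later line in the file wins.
    want=1
    for n in $(sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$f" | sort -n); do
        if [ "$n" -ne "$want" ]; then
            echo "FAIL: provider numbering breaks at $n (expected $want)" >&2; rc=1
            break
        fi
        want=$((want + 1))
    done
    if [ "$want" -eq 1 ]; then echo "FAIL: no active provider entries" >&2; rc=1; fi

    # Properties the Linux steps set, matched case-sensitively as whole lines.
    for kv in 'security.provider.1=sun.security.provider.Sun' \
              'ssl.KeyManagerFactory.algorithm=SunX509' \
              'securerandom.strongAlgorithms=NativePRNGBlocking:SUN'; do
        grep -Fxq -- "$kv" "$f" || { echo "FAIL: missing $kv" >&2; rc=1; }
    done

    # Optional: the FIPS jars must be gone from jre/lib/ext.
    if [ -n "$ext" ]; then
        for j in "$ext"/bc-fips-*.jar "$ext"/bctls-fips-*.jar; do
            if [ -e "$j" ]; then echo "FAIL: $j still present" >&2; rc=1; fi
        done
    fi
    return "$rc"
}

# When the script is given arguments, run the check on them.
[ $# -eq 0 ] || check_java_security "$@"
```

The function returns 0 when every check passes, 1 when any check fails, and 2 when the file cannot be read.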
Disable FIPS on Cloud Connector (Windows)
You must perform the following steps to disable FIPS on your Cloud Connector for Windows:
- Stop the Log Processor Service
- Add multi line comment in java security file
- Add properties in java security file
- Start the Log Processor Service
Stop the Log Processor Service
To stop the log processor service:
- Create a backup folder on Windows.
- From the <EC installation Directory>/jre/lib/ext directory, copy the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files to the backup folder.
- Delete the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files from the <EC installation Directory>/jre/lib/ext directory.
NOTE: Make sure to copy the <EC installation Directory>/jre/lib/security/java.security file to the backup folder for future reference.
Add multi line comment in java security file
In the <EC installation Directory>/jre/lib/security/java.security java security file, add the following multi line comment:
NOTE: You must include a '#' at the beginning of these lines in the java security file.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
Add properties in java security file
In the <EC installation Directory>/jre/lib/security/java.security java security file:
- Add the following properties:
NOTE: Make sure that you do not change the letter case.
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
- Set ssl.KeyManagerFactory.algorithm to SunX509.
Start the Log Processor Service
FIPS is disabled on your Cloud Connector for Windows.