Disable FIPS on Cloud Connector
Skyhigh Cloud Connector is FIPS (Federal Information Processing Standards) compliant by default starting with Skyhigh Cloud Connector 5.4.0.
NOTE: There is a known issue in which the FIPS-enabled Skyhigh Cloud Connector generates SSL errors in the Cloud Connector debug log. The ERR_SSL_PROTOCOL_ERROR error causes enterprise PII detokenization API calls from the Cloud Connector UI to fail and displays error messages on the Cloud Connector UI.
Enable or Disable FIPS for Windows and Linux using CLI Commands
NOTE: This section applies to users who have upgraded to Skyhigh Cloud Connector version 6.4.0 or higher.
Use the following CLI commands to enable or disable FIPS on both Windows and Linux operating systems.
- Enable FIPS using the following CLI command:
PS C:\prod>./shnlpcli enableFIPS --flag true
Sample Output:
Version Information: VERSION: 6.4.0.2, BUILD-NUMBER: 16, BUILD-ID: 16
true
.\shnlps.vmoptions
.\shnlpcli.vmoptions
Enabling FIPS
- Disable FIPS using the following CLI command:
PS C:\prod>./shnlpcli enableFIPS --flag false
Sample Output:
Version Information: VERSION: 6.4.0.2, BUILD-NUMBER: 16, BUILD-ID: 16
false
.\shnlps.vmoptions
.\shnlpcli.vmoptions
Disabling FIPS
Disable FIPS on Cloud Connector for Windows and Linux
NOTE: This section applies to users who have upgraded to a Skyhigh Cloud Connector version below 6.4.0.
If your Skyhigh Cloud Connector version is below 6.4.0, FIPS is enabled by default on the Cloud Connector. To disable FIPS on the Cloud Connector for Linux and Windows operating systems, perform the following steps:
Disable FIPS on Cloud Connector (Linux)
You must perform the following steps to disable FIPS on your Cloud Connector for Linux:
- Stop the Log Processor Service
- Add Multi-line Comment in Java Security File
- Add Properties in Java Security File
- Start the Log Processor Service
Stop the Log Processor Service
To stop the log processor service:
- Create a backup folder on Linux.
- From the <EC installation Directory>/jre/lib/ext directory, copy the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files to the backup folder.
- Delete the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files from the <EC installation Directory>/jre/lib/ext directory.
NOTE: Make sure to copy the <EC installation Directory>/jre/lib/security/java.security file to the backup folder for future reference.
Add Multi-line Comment in Java Security File
In the <EC installation Directory>/jre/lib/security/java.security java security file, add the following Multi-line comment:
NOTE: You must include a '#' at the beginning of these lines in the java security file.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
Add Properties in Java Security File
In the <EC installation Directory>/jre/lib/security/java.security java security file:
- Add the following properties:
NOTE: Make sure that you do not change the letter case.
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
- Set ssl.KeyManagerFactory.algorithm to SunX509 and securerandom.strongAlgorithms to NativePRNGBlocking:SUN.
Start the Log Processor Service
FIPS is disabled on your Cloud Connector for Linux.
Disable FIPS on Cloud Connector (Windows)
You must perform the following steps to disable FIPS on your Cloud Connector for Windows:
- Stop the Log Processor Service
- Add Multi-line Comment in Java Security File
- Add Properties in Java Security File
- Start the Log Processor Service
Stop the Log Processor Service
To stop the log processor service:
- Create a backup folder on Windows.
- From the <EC installation Directory>/jre/lib/ext directory, copy the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files to the backup folder.
- Delete the bc-fips-x.x.x.jar and bctls-fips-x.x.xx.jar files from the <EC installation Directory>/jre/lib/ext directory.
NOTE: Make sure to copy the <EC installation Directory>/jre/lib/security/java.security file to the backup folder for future reference.
Add Multi-line Comment in Java Security File
In the <EC installation Directory>/jre/lib/security/java.security java security file, add the following Multi-line comment:
NOTE: You must include a '#' at the beginning of these lines in the java security file.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
Add Properties in Java Security File
In the <EC installation Directory>/jre/lib/security/java.security java security file:
- Add the following properties:
NOTE: Make sure that you do not change the letter case.
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
- Set ssl.KeyManagerFactory.algorithm to SunX509.
Start the Log Processor Service
FIPS is disabled on your Cloud Connector for Windows.
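Added example (not Skyhigh tooling or code from this page): a small Python check that reads a java.security file after the Linux or Windows edits above and reports a half-applied change, such as a BouncyCastle FIPS provider left active or a gap in the security.provider.N numbering. The function names, the linux flag and the abbreviated sample file are assumptions made for illustration.

```python
import re

# Constructed, abbreviated java.security fragment as it would look after the Linux steps.
SAMPLE = """\
#security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
#security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
#security.provider.3=sun.security.provider.Sun
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
ssl.KeyManagerFactory.algorithm=SunX509
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
"""

def parse_props(text):
    """Return active (uncommented) key/value pairs; a later entry overrides an earlier one."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text, linux=False):
    """Return a list of findings; an empty list means the non-FIPS edit looks complete."""
    props = parse_props(text)
    providers = {int(m.group(1)): v for k, v in props.items()
                 if (m := re.fullmatch(r"security\.provider\.(\d+)", k))}
    findings = []
    for n, cls in sorted(providers.items()):
        if "bouncycastle" in cls.lower():
            findings.append(f"provider {n} is still a BouncyCastle entry: {cls}")
    # The JDK reads providers 1, 2, 3, ... and stops at the first missing number.
    if sorted(providers) != list(range(1, len(providers) + 1)):
        findings.append(f"provider numbering has a gap: {sorted(providers)}")
    if providers.get(1) != "sun.security.provider.Sun":
        findings.append("security.provider.1 is not sun.security.provider.Sun")
    if props.get("ssl.KeyManagerFactory.algorithm") != "SunX509":
        findings.append("ssl.KeyManagerFactory.algorithm is not SunX509")
    if linux and props.get("securerandom.strongAlgorithms") != "NativePRNGBlocking:SUN":
        findings.append("securerandom.strongAlgorithms is not NativePRNGBlocking:SUN")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, linux=True) or "no findings")
```

To check a real installation, pass the contents of <EC installation Directory>/jre/lib/security/java.security to audit(), with linux=True on Linux.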