Installing the server in FIPS 140-2-compliant mode - PingDirectory

Installing the server in FIPS 140-2-compliant mode - PingDirectory - 9.1

PingDirectory

bundle

pingdirectory-91

ft:publication_title

PingDirectory

Product_Version_ce

PingDirectory 9.1

category

Product

pd-91

pingdirectory

ContentType_ce

Install the server in FIPS 140-2-compliant mode with TLS negotiation and data encryption.

Interactive setup doesn't provide an option to enable FIPS 140-2-compliant mode, and there are currently no other supported providers that can be used to enable FIPS-compliant mode.

Add --fips-provider BCFIPS to the set of arguments used when running setup in non-interactive mode or to the server profile’s setup-arguments.txt file when using manage-profile setup.

The following example provides a sample command line that demonstrates the process for setting up the server in FIPS 140-2-compliant mode. The server only accepts TLS-encrypted LDAP on port 636 and TLS-encrypted HTTP on port 443, but doesn't allow unencrypted connections from either LDAP or HTTP clients. BCFKS key and trust stores are generated from information provided in PEM files, and an encryption settings definition is generated from a specified passphrase.

./setup \
  --fips-provider BCFIPS \
  --no-prompt \
  --acceptLicense \
  --localHostName ds1.example.com \
  --ldapsPort 636 \
  --httpsPort 443 \
  --baseDN "dc=example,dc=com" \
  --rootUserDN "cn=Directory Manager" \
  --rootUserPasswordFile /path/to/root-pw.txt \
  --maxHeapSize 2g \
  --primeDB \
  --sampleData 10001 \
  --certificateChainPEMFile /path/to/server-cert.pem \
  --certificatechainPEMFile /path/to/ca-cert.pem \
  --certificatePrivateKeyPEMFile /path/to/server-key.pem \
  --trustedCertificatePEMFile /path/to/ca-cert.pem \
  --encryptDataWithPassphraseFromFile /path/to/encryption-passphrase.txt \
  --instanceName ds1 \
  --location example-location \
  --noPropertiesFile