SECURING
Federal Information Processing Standard (FIPS) 140-2 certification
The Federal Information Processing Standard (FIPS) regulates cryptography and the use of cryptographic libraries. The cryptographic library is the .dll file that stores encryption algorithms. Cryptographic libraries, not the applications that use them, can be FIPS 140-2 certified. The cryptographic libraries provided with IBM Notes® and Domino on Microsoft™ Windows™ (32-bit), and on AIX® (both 32-bit and 64-bit), are FIPS 140-2 certified (IBM Crypto for C v1.4.5 Certificate # 775).
For more information, see the Web article on cryptographic modules listed in the related topics.
AES algorithm
The Advanced Encryption Standard (AES) algorithm is available for use with some encryption features on Windows, AIX, and Linux™. The AES algorithm is widely used and is approved by Federal Information Processing Standard (FIPS) 140-2. AES is currently available for ID file encryption, mail and document encryption, single sign-on configuration using the LtpaToken2 format, and SSL cipher configuration.
Note: Although the cryptographic libraries on platforms other than Windows and AIX are not FIPS 140-2 certified, those libraries nevertheless include the FIPS 140-2 approved AES algorithm.
Secure Hash Algorithm (SHA-2)
The Secure Hash Algorithm (SHA-2) is available for use with some encryption features on Windows, AIX, and on Linux, where SHA-2 is part of the new GSKit library that supports the algorithm. SHA-2 is widely used and is approved by Federal Information Processing Standard (FIPS) 140-2, to assist in compliance with government mandate NIST 800-131. SHA-2 is currently available to use for X.509 certificate signature verification and S/MIME signed mail, and some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously "hashed." For more information on hashing, see the related topic on electronic signatures.
No Domino configuration is required to make use of SHA-2. When Notes client users receive S/MIME messages encrypted using the algorithm, SHA-2 is listed in the Document Encryption and Signing Properties box that a client user can open by clicking the Signature or Encryption icon in the Notes client status bar.
Tip: It is recommended that the Domino administrator use RSA-2048 and AES-128 with SHA-2. To do so, set all client user's ID files to use 2048-bit RSA keys, and configure all Person documents with the setting Can decrypt documents using FIPS 140-2 approved algorithms in order to ensure AES-128. For more information, see the related topic on configuring AES encryption:
Transport Layer Security (TLS) protocol
Transport Layer Security (TLS) is a cryptographic protocol based on the Secure Sockets Layer (SSL) specification.
Domino has the option of running the IBM HTTP Server on the same Windows computer as a Domino HTTP server; the purpose of this enhancement is to support the Transport Layer Security (TLS) protocol.
A pass-through reverse proxy module named mod_domino is provided to forward HTTP requests to the Domino HTTP server. The pass-through reverse proxy module creates the context necessary to have the Domino HTTP server provide the HTTP request context expected by Domino Web applications, as if the Domino HTTP server were in direct contact with the browser client. Using the proxy module allows an IHS server to run "in front of" the Domino server.
For more information on installing the module that supports TLS, see the related topics.
Related concepts Electronic signatures
Related tasks Configuring encryption for ID files Configuring AES for mail and document encryption Creating a Web SSO configuration document Modifying SSL cipher restrictions
Related information Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules