FIPS Compliant Mode
The Federal Information Processing Standard (FIPS) is a United States and Canadian government standard that is intended to ensure secure data communications among compliant systems. FIPS 140-2 specifies the Security Requirements for Cryptographic Modules, including the approved encryption algorithms and hashing algorithms and the methods for generation and management of encryption keys. To qualify as FIPS compliant, Archer must be configured and operated in accordance with FIPS 140-2 requirements, using FIPS-certified components and algorithms in all required instances.
FIPS-Compliant Operation Requirements
You can configure FIPS compliance on any Windows system that supports Archer.
Note: This requirement applies to all Archer components.
You must configure web browsers for FIPS operation.
FIPS Certificates
Cryptographic modules that are FIPS 140-2 certified have undergone testing and verification by a government-approved evaluation laboratory. You can obtain the required FIPS certificates from the National Institute of Standards and Technology (NIST) website at:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
For a list of certificates applicable to Archer, see Platform FIPS Certification.
Set Up FIPS for Windows
Use the Local Security Policy tool to perform the FIPS setup for Microsoft Windows.
Procedure
- Log on to Windows as a Windows system administrator.
- Click Start > Control Panel.
- In the Control Panel window, click Administrative Tools.
- In the Administrative Tools window, click Local Security Policy.
- In the Local Security Policy window, in the navigation pane, click Local Policies > Security Options.
- In the Policy pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
- On the Local Security Setting tab, click Enabled.
- Click Apply.
- Click OK.
- Close the Local Security Policy window.
SQL Server FIPS Setup
All versions of SQL Server that support Archer are configurable for FIPS compliance. For instructions on setting up FIPS on SQL Server, see the Microsoft SQL Server documentation.
Note: SQL Server 2017, SQL Server 2017 on Linux (Ubuntu), or SQL Server 2019 must be installed on a Windows Server 2016 or 2019-based server. The Windows server must be FIPS enabled prior to starting SQL Server.
For dialog security between services, the encryption uses the FIPS-certified instance of AES when FIPS mode is enabled. When FIPS mode is disabled, the encryption uses RC4. When a Service Broker endpoint is configured in FIPS mode, the administrator must specify AES for the Service Broker. If the endpoint is configured for RC4, SQL Server generates an error, and the transport layer does not start.
Messages in two logs verify that SQL Server is running in FIPS mode:
- When the SQL Server service detects at startup that FIPS mode is enabled, it logs this message in the SQL Server error log:
  Service Broker transport is running in FIPS compliance mode.
- This message is logged in the Windows Event log:
  Database Mirroring transport is running in FIPS compliance mode.
Configure Browser for FIPS Compliance
In addition to FIPS enablement on the host system, you must configure any web browser used to connect to Archer for FIPS compliance. For more information, see Set Up FIPS for Windows.
When using supported versions of Microsoft Internet Explorer with the Platform in FIPS mode, enable TLS 1.2 or higher in the browser. For more information, see Qualified and Supported Environments.
- Open Internet Explorer.
- Click Tools, and then click Internet Options.
- On the Advanced tab:
  - Verify that both Use TLS 1.0 and Use TLS 1.1 options are cleared.
  - Select Use TLS 1.2.
  - Verify that both Use SSL 2.0 and Use SSL 3.0 options are cleared.
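The following PowerShell script is an added verification aid, not part of the Archer documentation or product. It checks the three settings described on this page: the Windows FIPS policy set through Local Security Policy, the Internet Explorer protocol selection from the steps above, and the SQL Server error log message. It assumes the standard Windows registry locations for those settings and a SQL Server error log path passed in -ErrorLogPath (the default shown is an assumed example path).

```powershell
param(
    # Assumed example ERRORLOG location; adjust to your instance's actual path.
    [string]$ErrorLogPath = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG'
)

$results = @()

# 1. The Local Security Policy setting "System cryptography: Use FIPS compliant
#    algorithms for encryption, hashing, and signing" is stored as a DWORD named
#    Enabled under the Lsa\FipsAlgorithmPolicy key (1 = Enabled).
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
    -Name Enabled -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'Windows FIPS policy enabled'
    Passed = ($null -ne $fips -and $fips.Enabled -eq 1)
    Detail = "FipsAlgorithmPolicy\Enabled = $($fips.Enabled)"
}

# 2. The Internet Options > Advanced protocol check boxes are a per-user bitmask
#    in SecureProtocols: SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512,
#    TLS 1.2 = 2048. The page requires TLS 1.2 selected and the others cleared.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name SecureProtocols -ErrorAction SilentlyContinue
$mask = [int]$ie.SecureProtocols
$mustBeCleared = 8 -bor 32 -bor 128 -bor 512
$results += [pscustomobject]@{
    Check  = 'IE: TLS 1.2 selected, SSL 2.0/3.0 and TLS 1.0/1.1 cleared'
    Passed = ((($mask -band 2048) -ne 0) -and (($mask -band $mustBeCleared) -eq 0))
    Detail = ('SecureProtocols = 0x{0:X}' -f $mask)
}

# 3. At startup in FIPS mode, SQL Server writes
#    "Service Broker transport is running in FIPS compliance mode" to its error log.
$logHit = $null
if (Test-Path -Path $ErrorLogPath) {
    $logHit = Select-String -Path $ErrorLogPath -Pattern 'running in FIPS compliance mode' -SimpleMatch |
        Select-Object -First 1
}
if ($logHit) { $logDetail = $logHit.Line.Trim() } else { $logDetail = "no match in $ErrorLogPath" }
$results += [pscustomobject]@{
    Check  = 'SQL Server error log reports FIPS mode'
    Passed = ($null -ne $logHit)
    Detail = $logDetail
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled job or deployment pipeline flag a drifted host.
if ($results | Where-Object { -not $_.Passed }) { exit 1 } else { exit 0 }
```

Run it from an elevated Windows PowerShell session on the Archer or SQL Server host; the IE check reads the settings of the user running the script, so run it as the account that uses the browser.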
LDAP Configuration for FIPS Mode
Note: Archer assumes that you use Microsoft Active Directory as the LDAP server. For other types of LDAP servers, see their product-specific documentation.
Connections to Active Directory from Archer can be unencrypted or encrypted. If you intend to encrypt connections, you must configure Active Directory with a server certificate. One way to do this is to use certificate auto-enrollment on the Windows server hosting Active Directory, which installs the server certificate on that server.
To configure Active Directory in FIPS mode, the Windows server hosting Active Directory must be FIPS enabled.
Platform FIPS Certification
The following tables list the FIPS certificates for the cryptographic components that Archer uses.
Secure Hash Algorithm (SHA) Standard (FIPS 180-4)

Algorithm | Operating System | Certificate Number
---|---|---
SHS | Windows Server 2016 | #3347
SHS | Windows Server 2019 | #C211
Advanced Encryption Standard (AES) Algorithm (FIPS 197)

Algorithm | Operating System | Certificate Number
---|---|---
AES | Windows Server 2016 | #4064
AES | Windows Server 2019 | #C211