Tech Tip:  PAM and FIPS

Discussion created by voged01 Employee on Mar 21, 2018

An optional feature of PAM is FIPS mode. With PAM's FIPS mode enabled, the Cryptographic Provider is the CA Technologies C-Security Kernel, which is FIPS 140-2 validated (CMVP certificate #3043). Your PAM instance must be deployed with FIPS mode, which means that you must use a FIPS-capable AMI or OVA to deploy in those environments. You will have to download the FIPS-capable OVA from the support portal or have a FIPS-capable AMI assigned to your AWS account in the desired region. A physical appliance must be shipped with a FIPS-capable image burned on its primary SSD.

You can tell whether PAM is FIPS-capable by going to the Config --> Power page. On a non-FIPS instance you will see only 2 buttons on this page, Start Instance and Reboot Instance. On a FIPS instance you will see a third button. It changes from Activate FIPS Mode to Deactivate FIPS Mode, depending on whether FIPS is enabled or not.

If you need FIPS and your instance is not FIPS-capable, you will have to redeploy your PAM instance with the correct OVA or AMI, or get a FIPS-capable appliance, possibly via RMA. This also means you must have purchased FIPS.
