FIPS mode in XenMobile 10 supports US federal government customers by configuring the server to use only FIPS 140-2 validated cryptographic libraries for all encryption operations. Installing your XenMobile 10 server in FIPS mode ensures that the cryptography protecting data at rest and data in transit, for both the XenMobile client and the server, is FIPS 140-2 compliant.
For those not familiar with FIPS 140-2, it is a US federal government standard (published by NIST) that specifies security requirements for cryptographic modules. US federal agencies are required to use FIPS 140-2 validated encryption modules in products like XenMobile that employ encryption, so it is highly recommended that US federal customers enable FIPS mode when installing XenMobile. Non-federal customers may also want to use FIPS mode to maximize the security of their installation.
Before installing a XenMobile Server in FIPS mode, there are a few prerequisites that you’ll need to complete.
- To configure the XMS for FIPS mode, you must use an external SQL Server 2012 or 2014 for the XenMobile database. The SQL Server must also be configured to encrypt its connections (the Force Encryption setting) over SSL/TLS. Instructions for configuring encrypted connections to SQL Server can be found in the SQL Server Books Online.
- Encrypted connections require that an SSL/TLS certificate be installed on your SQL Server. The certificate can either be a public certificate from a commercial CA or a certificate issued by your own internal CA. Note that SQL Server 2014 cannot accept a wildcard certificate, so request a certificate whose subject is the FQDN of the SQL Server; that FQDN is also the server name the XMS should use to connect, so that the certificate name can be validated.
- If you use a certificate from an internal CA for SQL Server, you will need a copy of the root CA certificate that issued it, because the XMS will not trust that CA by default. The root CA certificate must be imported into your XMS during installation.
Configuring FIPS Mode
FIPS mode can only be enabled during the XMS first time use (FTU) setup. It is not possible to enable FIPS post-installation. Therefore, if you ever plan on using FIPS mode, you must install your XMS with FIPS mode from the start. If you have an XMS cluster, all cluster nodes must have FIPS enabled — i.e. you can’t have a mix of FIPS and non-FIPS XMS in the same cluster.
You may have noticed that there is a “Toggle FIPS mode” option in the XMS command line interface. Don’t use it! This option is purely for non-production, diagnostic use and is not supported on a production XMS.
These are the steps to enable FIPS mode:
1. During FTU setup, you will be prompted to enable FIPS mode.
2. Next you will be prompted to upload the root CA certificate for your SQL Server. If you used a certificate from an internal CA rather than a public certificate on your SQL Server, choose “Yes” for this option, then either copy and paste the CA certificate or import it. To import the CA certificate, it must be posted to a website accessible from the XMS via an HTTP URL.
3. You will then be prompted for the server name and port of your SQL Server, the credentials for logging in to SQL Server, and the name of the database to create for XenMobile. Use the FQDN from the SQL Server certificate as the server name. You can use either a SQL login or an AD account to access SQL Server, but whichever you use must be a member of the dbcreator server role, because the XMS creates the database itself.
To use an AD account, enter it in the format “domain\username”.
Once these steps are complete, proceed with the FTU setup as per usual.
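Before starting FTU, it is worth checking the prerequisites above and the dbcreator requirement from step 3 from the SQL Server side, so that a bad certificate or an under-privileged login fails here rather than halfway through the wizard. The following PowerShell script is an added example written for this article; it is not Citrix or Microsoft code. It assumes a hypothetical SQL Server FQDN (sql01.corp.example.com), port, SQL login name and output path, and that it runs on the SQL Server host in Windows PowerShell 5.1 with the .NET Framework SqlClient available. It finds the server certificate for the FQDN, rejects wildcard names, exports the issuing root CA as Base64 PEM text for the FTU wizard, and then opens an encrypted connection with certificate validation enforced, which is what the XMS will have to do, before confirming that the login holds dbcreator.

```powershell
# Added pre-flight check for the XenMobile FIPS-mode prerequisites (not Citrix code).
# Run on the SQL Server host in Windows PowerShell 5.1.
# Assumptions (hypothetical values, change them): the SQL Server FQDN, the instance port,
# the SQL login XenMobile will use during FTU, and the output path for the root CA PEM file.
$SqlFqdn   = 'sql01.corp.example.com'
$SqlPort   = 1433
$SqlLogin  = 'xenmobile_svc'
$SqlPwd    = Read-Host "Password for $SqlLogin" -AsSecureString
$RootCaOut = 'C:\temp\sql-root-ca.pem'

# 1. Find the server certificate in the local machine store the way SQL Server Configuration
#    Manager would: FQDN in the subject CN or the SAN, Server Authentication EKU, private key present.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
    ($_.Subject -like "CN=$SqlFqdn*" -or $_.DnsNameList.Unicode -contains $SqlFqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No server-authentication certificate for $SqlFqdn with a private key found in LocalMachine\My."
}

# 2. Reject wildcard names: the article notes SQL Server 2014 will not accept them.
$cnNames = @(($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', '')
$names   = @($cert.DnsNameList.Unicode) + $cnNames | Where-Object { $_ }
if ($names | Where-Object { $_.Contains('*') }) {
    throw "Certificate $($cert.Thumbprint) carries a wildcard name: $($names -join ', ')"
}
Write-Host "Server certificate OK: $($cert.Subject), expires $($cert.NotAfter.ToShortDateString())"

# 3. Walk the chain to the root and write it as Base64 PEM text. When an internal CA issued
#    the server certificate, this is the certificate the XMS first-time-use wizard asks for.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    throw "Chain does not build on this host: $($chain.ChainStatus.StatusInformation -join '; ')"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$b64  = [Convert]::ToBase64String($root.RawData)
$body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
$pem  = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----"
Set-Content -Path $RootCaOut -Value $pem -Encoding Ascii
Write-Host "Root CA '$($root.Subject)' written to $RootCaOut"

# 4. Open the connection the way the XMS must: Encrypt=True with TrustServerCertificate=False
#    makes the client require encryption AND validate the chain and host name, so an untrusted
#    CA, a wildcard or a name mismatch fails here. Then confirm the login is a dbcreator.
$plainPwd = (New-Object System.Management.Automation.PSCredential($SqlLogin, $SqlPwd)).GetNetworkCredential().Password
$cs = "Data Source=$SqlFqdn,$SqlPort;User ID=$SqlLogin;Password=$plainPwd;" +
      "Encrypt=True;TrustServerCertificate=False;Connect Timeout=15"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (unknown role or login).
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('dbcreator')"
    $result = $cmd.ExecuteScalar()
    if ($result -isnot [int] -or $result -ne 1) {
        throw "$SqlLogin connected over an encrypted channel, but is not a member of the dbcreator server role."
    }
    Write-Host "Encrypted connection to $SqlFqdn validated and $SqlLogin is a dbcreator. Ready for FTU."
} finally {
    $conn.Dispose()
}
```

The connection test in step 4 is the important part: with Encrypt=True and TrustServerCertificate=False, the SqlClient refuses an untrusted issuer or a certificate whose name does not match the FQDN you connected to, which are exactly the conditions the XMS will hit during FTU. If the chain build in step 3 fails because the internal root CA is not trusted on the host, import that root CA into the host's trusted store first; it is the same certificate you will hand to the XMS.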
Confirming FIPS Mode
To confirm that FIPS mode was configured successfully, log in to the XMS command line interface; the login banner will show “In FIPS Compliant Mode”.