activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mickhayes <mickha...@gmail.com>
Subject Re: FIPS 140-2
Date Thu, 21 Jun 2012 14:10:37 GMT
I came across this FIPS topic on introduction of Mozilla NSS in our
organisation (we have a fairly detailed procedure when new FOSS software is
introduced.)

To answer the question, ActiveMQ isn't on the published lists, so the answer
is no -a product is not compliant until it has been certified as such. 
Once a module is validated, then it's on the validated lists:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm


However, I would question whether ActiveMQ needs to be - perhaps a "FIPS
mode" would suffice.

Consider NSS. Now it's validated - FIPS 140-2 compliant. So Firefox has a
FIPS mode. Once you have a password for your "encryption device" you can
turn on FIPS mode.

ActiveMQ - like Firefox -doesn't itself own or develop any cryptographic
modules.
At a simple level, for encrypted passwords, the Apache V2-licensed jasypt
library is used http://www.jasypt.org
Jasypt relies on JCE. 

You can see on csrc.nist.gov which JCE modules have been validated as
compliant. 

Note the concept of "FIPS mode" - explained well here:
https://developer.mozilla.org/en/NSS/FIPS_Mode_-_an_explanation





-----
Michael Hayes B.Sc. (NUI), M.Sc. (DCU), SCSA SCNA 

--
View this message in context: http://activemq.2283324.n4.nabble.com/FIPS-140-2-tp4653345p4653436.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Mime
View raw message