FIPS mode in a station

A station (Supervisor or remote controller station) running in FIPS 140-2 mode uses the JCA (Java Cryptography Architecture), which allows the software to request cryptographic algorithms without relying directly on a specific security provider. Instead, each request for an algorithm goes through an ordered list of installed providers, and the first provider with an implementation of the algorithm is selected. You may install additional security providers as needed, as well as remove unneeded providers.

The JCA processes all requests for cryptographic algorithms. Stations running without FIPS 140-2 provide all the Sun (Oracle) built-in providers as well as the standard BouncyCastle provider. The software selects cryptographic algorithms from any of these providers.

FIPS mode removes most Sun cryptographic providers and services. Instead, it uses the FIPS-certified BouncyCastle modules. Since all cryptographic algorithm requests through the JCA are restricted to installed providers, only FIPS-compliant algorithms are used.

NOTE: To upgrade legacy (pre-AX-3.8) stations, and because of certain required Java core functions, a small number of non-FIPS approved algorithms are still available. Although these algorithms are accessible through JCA calls, their use is not allowed in a FIPS 140-2 environment. They are allowed only during the process of upgrading legacy systems.
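To check which provider serves a given request on a particular JVM, the following added example (not code from the product or its vendor) walks the installed providers in preference order, as described above, and lists the services still offered by providers outside an expected set. The class name `ProviderAudit`, the sample requests, and the expected set are assumptions; "BCFIPS" is the name the BouncyCastle FIPS provider registers under, and should be adjusted to match the providers your station is expected to carry.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Set;

public class ProviderAudit {
    // Assumption: the provider name(s) a FIPS station is expected to resolve to.
    static final Set<String> EXPECTED = Set.of("BCFIPS");

    // Constructed sample requests: {service type, algorithm}.
    static final String[][] REQUESTS = {
        {"MessageDigest", "SHA-256"}, {"MessageDigest", "MD5"},
        {"Signature", "SHA256withRSA"}, {"KeyGenerator", "AES"},
    };

    /** First provider, in preference order, that implements the algorithm; null if none. */
    static Provider resolve(String type, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println("Installed providers, in preference order:");
        int position = 1;
        for (Provider p : Security.getProviders()) {
            String mark = EXPECTED.contains(p.getName()) ? "" : "  <-- not in expected set";
            System.out.printf("  %d. %s%s%n", position++, p.getName(), mark);
        }

        System.out.println("Resolution of sample requests:");
        for (String[] r : REQUESTS) {
            Provider p = resolve(r[0], r[1]);
            String who = (p == null) ? "no provider (request would fail)" : p.getName();
            boolean ok = p == null || EXPECTED.contains(p.getName());
            System.out.printf("  %s/%s -> %s%s%n", r[0], r[1], who, ok ? "" : "  <-- review");
        }

        System.out.println("Services still offered by providers outside the expected set:");
        for (Provider p : Security.getProviders()) {
            if (EXPECTED.contains(p.getName())) continue;
            for (Provider.Service s : p.getServices()) {
                System.out.printf("  %s: %s/%s%n", p.getName(), s.getType(), s.getAlgorithm());
            }
        }
    }
}
```

On a standard (non-FIPS) JVM every built-in provider is flagged, which is the expected baseline; in FIPS mode the last section shows the residual algorithms the note above refers to.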