Skip to main content

Access Server FIPS Compliance

Abstract

How to run your corporate VPN, Access Server ,so it's FIPS compliant.

FIPS and Access Server

Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules that protect sensitive information. You can install Access Server on various operating systems that the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) has assessed their cryptographic OpenSSL library.

Access Server uses the cryptographic module which implements the cryptographic primitives of the OpenSSL library provided in the operating system. With default settings, OpenVPN Access Server works within the restrictions that FIPS imposes. With FIPS mode enabled in the operating system, unauthorized cryptographic functions are not being allowed for use in OpenSSL and thus OpenVPN Access Server. This also means that certain optional Access Server features such as ChaCha20-Poly1305 data encryption support are not available when operating in a FIPS environment. Access Server is therefore compliant with FIPS restrictions.

Operating system recommendation

Usually, we recommend Ubuntu LTS because it has a good balance between lifecycle support and reasonably up-to-date software. However, if you require FIPS, we recommend using the Red Hat Enterprise Linux operating system instead, preferably with FIPS mode enabled at installation time.

How to enable FIPS mode

Running Access Server in FIPS mode requires enabling this mode in the operating system. The method varies per operating system. We reference external official documentation explaining how to enable it on the particular operating system:

Notes

We tested the operating systems listed above with Access Server in FIPS mode. While you might configure other operating systems to run in FIPS mode, we haven’t explicitly tested them with Access Server.

Ubuntu LTS is supported but requires either the Ubuntu Pro version or the Ubuntu Advantage service in order to install the software necessary to support FIPS mode. On some IaaS providers, you can find a specialized deployment image.

The warning gpg: out of core handler ignored in FIPS mode may be shown during installation. When the PGP key for verifying signatures of packages from the Access Server software repository is added, GPG may complain with this message as it cycles through existing keys that may not meet FIPS requirements. However, the new key for the Access Server repository will install correctly, and the installation can proceed normally.

The warning UserWarning: OpenSSL FIPS mode is enabled. Can't enable DRBG fork safety. may be shown during installation or when setting a local account password on the command line. This warning can appear on Red Hat 7, and Amazon Linux 2. This is a benign warning, and the program will function correctly despite this warning. Access Server 2.14 and newer no longer support Amazon Linux 2.