FIPS 140-3

Federal Information Processing Standard (FIPS) 140 is a U.S. government computer security standard that specifies the security requirements for cryptographic modules used to protect sensitive information.

 

FIPS can be enabled for:

 

  • HTTP/S service (enabled system wide)

  • MFT Server Management REST API 

  • FTP/S and SFTP/SCP services (enabled at the domain level)

 

MFT Server supports FIPS 140-2 and 140-3.

 

Support for FIPS 140-3 was made available in MFT Server version 2025.3. To configure FIPS 140-3 on-premises, see the instructions below. To configure FIPS 140-3 in a SaaS environment, contact Technical Support.

Configuring MFT Server for FIPS 140-3

High-level overview. Enabling FIPS requires:

 

  1. Setting the appropriate MFT Server fields associated with the FIPS feature

  2. Copying files from one MFT Server directory to another

  3. Restarting the MFT Server service

 

Each of the above steps is described below for each of the features that support FIPS.

 

1) Setting MFT Server fields to enable FIPS

Enabling FIPS for HTTP/S

Enabling FIPS for HTTP/S is a system-wide action. Follow the steps below.

 

Navigate to Settings > MISCELLANEOUS > Web > Web

 

Select Enable FIPS compliance.

 

Click the SSL/TLS Ciphers button. The SSL/TLS Cipher Suites dialog displays.

 

The following ciphers are supported:

 

  • aes128-cbc

  • aes128-ctr

  • aes192-cbc

  • aes192-ctr

  • aes256-cbc

  • aes256-ctr

  • aes128-gcm@openssh.com

  • aes256-gcm@openssh.com

 

When operating in FIPS mode, it is crucial to select only supported ciphers. The system does not perform a validation check to confirm the ciphers you have chosen are compliant or supported while FIPS is active.

Enabling FIPS for the MFT Server (Management) REST API

Follow the steps below to enable FIPS when accessing the REST API.

 

Navigate to Settings > MISCELLANEOUS > Web > REST

 

Select Enable FIPS compliance.

 

Click the SSL/TLS Ciphers button. The SSL/TLS Cipher Suites dialog displays.

 

The following ciphers are supported:

 

  • aes128-cbc

  • aes128-ctr

  • aes192-cbc

  • aes192-ctr

  • aes256-cbc

  • aes256-ctr

  • aes128-gcm@openssh.com

  • aes256-gcm@openssh.com

 

When operating in FIPS mode, it is crucial to select only supported ciphers. The system does not perform a validation check to confirm the ciphers you have chosen are compliant or supported while FIPS is active.

 

Enabling FIPS for FTP/S and SFTP/SCP on the Domain level

 

FIPS is not supported when using SFTP/SCP or FTP/S connections configured as a global service.

Navigate to [Domain] > SECURITY > Compliance > FIPS.

 

Set FIPS compliance to ON.

 

Select ciphers for FTP/S (if you are enabling FIPS for this protocol)

Navigate to [Domain] > SERVICES > Listeners > FTP/S. Click on SSL/TLS Ciphers... The SSL/TLS Cipher Suites dialog displays.

 

Ciphers supported:

 

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CCM

  • TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CCM

  • TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CCM

  • TLS_DHE_RSA_WITH_AES_256_CCM_8

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CCM

  • TLS_DHE_RSA_WITH_AES_128_CCM_8

  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CCM

  • TLS_RSA_WITH_AES_256_CCM_8

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_128_CCM

  • TLS_RSA_WITH_AES_128_CCM_8

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_CCM_8_SHA256

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_GCM_SHA256

Select algorithms for SFTP/SCP (if you are enabling FIPS for this protocol)

Navigate to [Domain] > SERVICES > Listeners > SFTP/SCP. Click on Algorithms... The SFTP/SCP Algorithms dialog displays.

 

Key exchanges supported:

  • diffie-hellman-group14-sha256

  • diffie-hellman-group15-sha512

  • diffie-hellman-group16-sha512

  • diffie-hellman-group17-sha512

  • diffie-hellman-group18-sha512

  • diffie-hellman-group-exchange-sha256

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

Host/Public Keys supported:

 

  • rsa-sha2-256

  • rsa-sha2-512

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

 

Ciphers supported:

 

  • aes128-cbc

  • aes128-ctr

  • aes192-cbc

  • aes192-ctr

  • aes256-cbc

  • aes256-ctr

  • aes128-gcm@openssh.com

  • aes256-gcm@openssh.com

 

MACs supported:

 

  • hmac-sha2-256

  • hmac-sha2-512

  • hmac-sha2-256-etm@openssh.com

  • hmac-sha2-512-etm@openssh.com

 

Compressions supported:

 

  • none

When operating in FIPS mode, it is crucial to select only supported algorithms. The system does not perform a validation check to confirm the algorithms you have chosen are compliant or supported while FIPS is active.
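Because MFT Server does not validate the algorithms you pick while FIPS is active, the following added shell check (not part of MFT Server) compares a chosen list against the FTP/S cipher suites and the SFTP/SCP key exchange, host key, cipher, MAC and compression sets documented above, so an unsupported entry is caught before it is saved in the dialog. The SFTP/SCP MAC names use the standard hmac- prefix.

```shell
# Added example, not JSCAPE's own code: MFT Server performs no validation that the
# algorithms chosen in FIPS mode are on its supported lists, so this checks a chosen
# list against the sets documented for FTP/S and SFTP/SCP before they are applied.
FIPS_FTPS_SUITES="
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CCM TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CCM TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CCM
TLS_DHE_RSA_WITH_AES_256_CCM_8 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CCM TLS_DHE_RSA_WITH_AES_128_CCM_8 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CCM TLS_RSA_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CCM TLS_RSA_WITH_AES_128_CCM_8
TLS_AES_256_GCM_SHA384 TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_GCM_SHA256"
FIPS_SFTP_KEX="diffie-hellman-group14-sha256 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512
diffie-hellman-group17-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
FIPS_SFTP_HOSTKEYS="rsa-sha2-256 rsa-sha2-512 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
FIPS_SFTP_CIPHERS="aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr
aes128-gcm@openssh.com aes256-gcm@openssh.com"
FIPS_SFTP_MACS="hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
FIPS_SFTP_COMPRESSIONS="none"

# check_fips_algorithms <set> <name>...   where <set> is ftps-suites | sftp-kex |
# sftp-hostkeys | sftp-ciphers | sftp-macs | sftp-compressions.
# Prints every <name> that is not supported in FIPS mode; returns 0 only if all are.
check_fips_algorithms() {
    case "$1" in
        ftps-suites)       allowed="$FIPS_FTPS_SUITES" ;;
        sftp-kex)          allowed="$FIPS_SFTP_KEX" ;;
        sftp-hostkeys)     allowed="$FIPS_SFTP_HOSTKEYS" ;;
        sftp-ciphers)      allowed="$FIPS_SFTP_CIPHERS" ;;
        sftp-macs)         allowed="$FIPS_SFTP_MACS" ;;
        sftp-compressions) allowed="$FIPS_SFTP_COMPRESSIONS" ;;
        *) echo "unknown algorithm set: $1" >&2; return 2 ;;
    esac
    shift
    allowed=" $(printf '%s' "$allowed" | tr '\n' ' ') "   # one space-delimited line
    rc=0
    for name in "$@"; do
        case "$allowed" in
            *" $name "*) ;;                                 # exact token match only
            *) echo "not supported in FIPS mode: $name"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as, for example, `check_fips_algorithms sftp-kex diffie-hellman-group14-sha256 ecdh-sha2-nistp256` and fix anything it prints before saving the dialog.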

2) Copy files from the fips/2.0 directory to the libs directory

  1. Go to the <MFT Server installation>/libs directory. Copy or move all the jar files that start with bc (the Bouncy Castle libraries, bc*.jar) to a backup directory of your choosing, in case they are needed in the future.

     

  2. Go to the <MFT Server installation>/fips/2.0 directory. Copy all the jar files in this directory to the <MFT Server installation>/libs directory.

 

Make sure you copy the jar files from the /fips/2.0 directory; these support FIPS 140-3. The files in the /fips directory itself support FIPS 140-2. See the image below.

 

 

If you are enabling FIPS for multiple features (e.g., HTTP/S, SFTP/SCP, and FTP/S), you only need to copy the files once.
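The file copy in step 2, as an added shell example rather than JSCAPE's own tooling: it moves the stock bc*.jar files out of libs, refuses to run if fips/2.0 is missing (so the 140-2 jars in the plain fips directory cannot be picked up by mistake), copies the 140-3 jars in, and offers a check that the copy is complete. The installation and backup paths are arguments; the only names it relies on are the page's libs, fips/2.0 and bc* patterns.

```shell
#!/bin/sh
# Added example, not JSCAPE's own tooling: performs step 2 above (move the stock
# Bouncy Castle bc*.jar files out of libs/, then copy the FIPS 140-3 jars from
# fips/2.0/ into libs/). The directory names are the page's; the backup location
# is the caller's choice.

# fips_jar_dir <install_dir>: prints the 140-3 jar directory, fails if it is absent
# (the plain fips/ directory holds the 140-2 jars, which is the wrong set).
fips_jar_dir() {
    [ -d "$1/fips/2.0" ] || { echo "no fips/2.0 directory under $1" >&2; return 1; }
    echo "$1/fips/2.0"
}

# install_fips_jars <install_dir> <backup_dir>
install_fips_jars() {
    src=$(fips_jar_dir "$1") || return 1
    mkdir -p "$2"
    # Step 2.1: move every bc*.jar out of libs/ into the backup directory.
    for jar in "$1"/libs/bc*.jar; do
        [ -e "$jar" ] || continue          # no match: the glob stayed literal
        mv "$jar" "$2/"
    done
    # Step 2.2: copy every jar from fips/2.0/ into libs/.
    for jar in "$src"/*.jar; do
        [ -e "$jar" ] || { echo "no jar files in $src" >&2; return 1; }
        cp "$jar" "$1/libs/"
    done
    echo "FIPS 140-3 jars installed under $1/libs; restart the MFT Server service."
}

# fips_jars_installed <install_dir>: returns 0 when every fips/2.0 jar is present in
# libs/ and no bc*.jar remains there that did not come from fips/2.0.
fips_jars_installed() {
    src=$(fips_jar_dir "$1") || return 1
    for jar in "$src"/*.jar; do
        [ -f "$1/libs/$(basename "$jar")" ] || return 1
    done
    for jar in "$1"/libs/bc*.jar; do
        [ -e "$jar" ] || continue
        [ -f "$src/$(basename "$jar")" ] || return 1   # stock BC jar still in libs
    done
    return 0
}
```

Run `install_fips_jars "/opt/mft-server" "/root/bc-backup"` (paths are placeholders) and then `fips_jars_installed "/opt/mft-server"` before restarting the service.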

3) Restart the MFT Server service.

 

Some headless Linux environments (such as CentOS and Ubuntu) may experience slow start-up due to entropy issues when the FIPS libraries are in use. This is why the FIPS-related libraries are placed in a separate directory rather than included in the default libs directory. A workaround for this issue is to install haveged so that the entropy pool is populated faster in headless environments (see Installing haveged).