How to set up and maintain a FIPS-enabled OS X Lion system
Learn how to set up and maintain a FIPS-enabled OS X Lion system.
The FIPS validated CDSA/CSP cryptographic module that ships with OS X Lion requires an additional setup step to place the system into “FIPS Mode” for full compliance. The FIPS Administration Installer must be obtained and installed on the system by the system administrator (Crypto Officer).
Important: Before performing any OS X Lion updates, such as via Software Update, you should disable “FIPS Mode”. Otherwise, the computer may not start up successfully after the restart. After performing the software update, the Crypto Officer will need to re-enable “FIPS-Mode” following the instructions in the Crypto Officer Role Guide.
How to install the FIPS Administration Tools
The FIPS Administration Installer is available here. For complete instructions about FIPS Administration Installation and management, refer to the FIPS Administration Tools Crypto Officer Role Guide.
- Log in as an administrator on the computer where the tools will be installed.
- Double-click the FIPS Administration Installer package.
- Click Continue after reading the information on the Introduction page.
- Click Continue after reading the information on the Read Me page. You can also print or save the information on this page as needed.
- Click Continue after reading the Software License Agreement on the License page. You can also print or save the information on this page as needed.
- Click Agree if you agree with the terms of the software license. Otherwise, click Disagree and the installer will exit.
- Select the Mac OS X volume to install the FIPS Administration Tools, then click Continue on the Destination Select page. Note: The FIPS Administration Tools should only be installed on the startup (boot) volume.
- Click the Install button.
- Enter your administrator username and password.
- Click Continue Installation. Note: The computer must be restarted once the installation is complete.
- After installation, click Restart.
To verify that the FIPS Administration Tools were installed successfully
The FIPS Administration Tools installation can be verified by ensuring the system is in “FIPS Mode”.
Verify the system is in FIPS Mode by executing the following in a Terminal window:
The result should be:
[FIPSPerformSelfTest][ModeStatus] FIPS Mode Status : ENABLED
There are two other places where you can manually verify that the FIPS Administration Tools were successfully installed:
- The first place to verify is in /System/Library/LaunchDaemons/
for the file named:
- The second place to verify is in the
folder that is created during the installation. The Tools installed in that folder are:
- FIPSPerformSelfTest – (Power-On-Self-Test Tool)
- CryptoKAT – (CRYPTO Algorithm Known Answer Test Tool)
- postsig – (DSA/ECDSA Signature Test Tool)
- /usr/sbin/fips folder that is created during the installation. The Tools installed in that folder are:
To verify that FIPS Mode has been disabled before performing a software update
Note: Please reference the FIPS Administration Tools Crypto Officer Role Guide for information about how to disable FIPS before performing any software updates.
Verify FIPS Mode has been disabled on the system by executing the following in a Terminal window:
The result should be:
[FIPSPerformSelfTest][ModeStatus] FIPS Mode Status : DISABLED
About the FIPS 140-2 Validated Cryptographic Module in OS X Lion
OS X Lion security services are now built on a newer "Next Generation Cryptography" platform and have transitioned from the CDSA/CSP module previously validated on Mac OS X v10.6. However, Apple has re-validated the same CDSA/CSP module under OS X Lion to provide continued validation solely for third-party applications.
The Common Data Security Architecture (CDSA) is a set of layered security services in which the AppleCSP (Apple Cryptographic Service Provider) provides the cryptography for any third-party software products still using CDSA.
For purposes of the FIPS 140-2 validation process, the AppleCSP and related components are collectively referred to as “Apple FIPS Cryptographic Module (Software Version: 1.1)”. This module has received FIPS 140-2 Level 1 Conformance Validation certificate #1701, and is posted to the CMVP webpage listing “Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules".
Background on NIST/CSEC CMVP and FIPS 140-2
The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
The main website for the NIST/CSEC CMVP is hosted by NIST, and contains complete details on the program, all the related standards and documents, as well as the official lists of FIPS 140-1 and FIPS 140-2 validated cryptographic modules.
FIPS 140-2 refers specifically to the security requirements for cryptographic modules. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. A complete description of each level can be found within the FIPS 140-2 publication found on the NIST website (FIPS PUB 140-2).
Cryptographic Modules validated as conforming to FIPS 140-2 are accepted by the Federal Agencies of both countries for the protection of sensitive information.