Mountain Lion: How to set up and maintain a FIPS-enabled system

Summary

Learn how to set up and maintain a FIPS-enabled OS X Mountain Lion system.

Products Affected

OS X Mountain Lion, Product Security

The OS X Mountain Lion cryptographic module requires an additional setup step to place the system into "FIPS Mode" for full compliance. The FIPS Administration Installer must be obtained and installed on the system by the System Administrator (Crypto Officer).

How to install the FIPS Administration Tools

The FIPS Administration Installer is available here.

  1. Log in as an administrator on the destination computer system where the tools will be installed.
  2. Double-click the FIPS Administration Installer package.
  3. Click Continue after reading the information on the Introduction page.
  4. Click Continue after reading the information on the Read Me page. You can also Print or Save the information on this page as needed.
  5. Click Continue after reading the Software License Agreement on the License page. You can also Print or Save the information on this page as needed.
  6. Click Agree if you agree with the terms of the software license. Otherwise click Disagree and the installer will exit.
  7. Select the OS X volume on which to install the FIPS Administration Tools, then click Continue on the Destination Select page. The FIPS Administration Tools should only be installed on the startup (boot) volume.
  8. Click the Install button.
  9. Enter your administrator username and password.
  10. Click Continue Installation with the understanding that the computer must be restarted once the installation is complete.
  11. Click Restart.

Power-On-Self-Test

Upon restart, your system will automatically perform the required Power-On-Self-Test (POST).

If there is any issue identified with the CoreCrypto Module, the system startup process will log the error to system.log, then stop and shut down the system.

If the CoreCrypto Module integrity has been verified, the system startup process will log the success to system.log and continue.

It is also possible for an administrator to verify the integrity of the module at any time by executing the cc_fips_test command as root. To verify the module's integrity, execute the following command in the Terminal application after enabling root:

/usr/libexec/cc_fips_test -v

Sample output from verified module integrity check

A fips_mode boot arg was set: fips_mode=2
About to call the FIPS_POST function in the corecrypto.dylib
FIPS USER Space POST: Integrity test success!
FIPS USER Space POST: AES GCM Test success!
FIPS USER Space POST: AES CBC Test success!
FIPS USER Space POST: AES AESNI ECB Test success!
FIPS USER Space POST: AES AESNI XTS Test success!
FIPS USER Space POST: TDES CBC Test success!
FIPS USER Space POST: SHA Test success!
FIPS USER Space POST: HMAC Test success!
FIPS USER Space POST: RSA Test success!
FIPS USER Space POST: ECDSA Test success!
FIPS USER Space POST: DRBG Test success!
FIPS USER Space POST Success!
Returned from calling the FIPS_POST function in the corecrypto.dylib: result = true

Sample output from an unsuccessful module integrity check

A fips_mode boot arg was set: fips_mode=2
About to call the FIPS_POST function in the corecrypto.dylib
FIPS USER Space POST: Integrity test failed!
Returned from calling the FIPS_POST function in the corecrypto.dylib: result = false
FIPS_POST failed!
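The two sample outputs above differ in a small number of marker lines, which makes the check easy to automate. The following script is an added example, not part of the Apple article: it classifies cc_fips_test output using only the line formats shown in the samples (this is an assumption about the tool's output; the sample inputs are constructed copies of the article's output, abbreviated for length).

```shell
#!/bin/sh
# Added example, not part of the Apple article: classify the output of
# /usr/libexec/cc_fips_test -v using the line formats in the sample outputs.
# fips_post_status exit codes: 0 = all self-tests passed and result = true,
# 1 = a failure line was seen, 2 = inconclusive (no final result line).
fips_post_status() {
    out="$1"
    # An explicit failure marker ("Integrity test failed!", "FIPS_POST failed!") is decisive.
    if printf '%s\n' "$out" | grep -q 'failed!'; then
        return 1
    fi
    # A passing run ends with the summary line and "result = true".
    if printf '%s\n' "$out" | grep -q 'FIPS USER Space POST Success!' &&
       printf '%s\n' "$out" | grep -q 'result = true'; then
        return 0
    fi
    return 2
}

# Number of individual self-tests that reported success (11 in a full run).
fips_post_passed_count() {
    printf '%s\n' "$1" | grep -c 'FIPS USER Space POST: .* success!'
}

# Run the real tool and classify its output; must be run as root.
check_live() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "cc_fips_test must be run as root" >&2
        return 3
    fi
    fips_post_status "$(/usr/libexec/cc_fips_test -v 2>&1)"
}

# Constructed sample inputs, reproducing (abbreviated) the article's two sample outputs.
SAMPLE_OK='A fips_mode boot arg was set: fips_mode=2
About to call the FIPS_POST function in the corecrypto.dylib
FIPS USER Space POST: Integrity test success!
FIPS USER Space POST: AES GCM Test success!
FIPS USER Space POST: SHA Test success!
FIPS USER Space POST Success!
Returned from calling the FIPS_POST function in the corecrypto.dylib: result = true'
SAMPLE_FAIL='A fips_mode boot arg was set: fips_mode=2
About to call the FIPS_POST function in the corecrypto.dylib
FIPS USER Space POST: Integrity test failed!
Returned from calling the FIPS_POST function in the corecrypto.dylib: result = false
FIPS_POST failed!'
```

Calling check_live as root (for example from a periodic job) gives an exit status that a monitoring system can alert on, rather than relying on someone reading the Terminal output.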


Troubleshooting

In the unlikely event that the module integrity check fails, you should perform the following steps:

  1. Restart the system in Single-User Mode. See: Starting up in single-user mode.
  2. Review system.log for details of the issues detected. The system log file is located at: /var/log/system.log
  3. If Tool-related issues are found, re-run the installer and try again.
  4. If the integrity of the Security Module has not passed validation, reinstall OS X Mountain Lion, any available software updates, and then re-install this tool.
  5. If you are still unable to identify the issue, search Apple Support for FIPS-related information.
    Note: If you need further assistance, you can contact AppleCare for support.


Additional Information

OS X Lion v10.7 information


Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.