In this section:
The SBC supports FIPS 140-3 mode. OpenSSL3 provides EVP_KDF APIs used to perform KDF KAT self tests. For the SBC to be FIPS compliant, the KDF KATs are performed during FIPS Power-On Self Tests (POST). OpenSSL3 inherently performs the KATs for all the available algorithms during module load and can also perform them on demand. In the SBC 12.0, the fipsPost application loads the OpenSSL 3 FIPS provider and performs self tests for all algorithms. The KAT self tests for all the available algorithms are performed including DH, SSH KDF and TLS KDF, and proper logs are generated for confirmation.
All occurrences of the FIPS-140-2 in the source code, including user visible occurrences, are refactored to the FIPS-140-3 while maintaining existing FIPS functionality. The SBC supports upgrading with FIPS-140-2 mode enabled. The new FIPS-140-3 mode stays enabled after upgrade.
In the CLI to enable FIPS mode, the parameter fips-140-2 is changed to fips-140-3. Refer to, FIPS-140-3 - CLI, for details.
In the SBC EMA screen, under All > System > Admin screen, in the option to enable FIPS mode, the parameter Fips-140-2 is changed to Fips-140-3.
In the SBC EMA screen, under Users and Applications Management, in the option to enable FIPS mode, the parameter Fips-140-2 is changed to Fips-140-3. For details refer to, System - Admin - Fips-140-3 and Users and Application Management - Fips-140-3.