MID Server FIPS Enforced Mode
- Updated Jul 31, 2025
- 3 minutes to read
- Zurich
- MID Server
The MID Server supports the National Security Cloud (NSC) IL-5 environment, which requires all utilized cryptography to be FIPS validated. The MID server can be run in FIPS Enforced Mode, where only cryptographic algorithms which are FIPS validated are utilized.
The Federal Information Processing Standards are a group of standards compiled by the National Institute of Standards and Technology for use in computer systems. There are many FIPS publications, but for the sake of this discussion we are specifically referring to FIPS 140-2: Security Requirements for Cryptographic Modules. Cryptographic algorithms can proceed through a validation process specified by the NIST. For the purposes of our new secure cloud environment, the MID server will be utilizing algorithms that have been validated by such process.
Only MID Servers of the Rome release family or later with a JRE version of 11.0.9+11 or later can be set to run in FIPS Enforced Mode.
FIPS Enforced Mode
The following algorithms are not available for use in these SSH functions by the MID Server in FIPS Enforced Mode.
- Key Exchange:
- diffie-hellman-group1-sha1
- Mac:
- hmac-md5
- hmac-md5-96
The following restrictions are now in place for SNMP for use by the MID Server in FIPS Enforced Mode.
- SNMP v1 and v2 are completely disabled.
- For SNMP v3, the following protocol uses are not permitted by the MID Server in FIPS Enforced Mode:
- auth protocol: none or MD5
- privacy protocol: none or DES
Other functionality that utilizes the MID Server may be impacted when run in FIPS Enforced Mode. Please refer to that functionality's specific documentation for details.
Enable MID Server FIPS Enforced Mode
The MID server can be run in FIPS Enforced Mode, where only cryptographic algorithms which are FIPS validated are utilized.
Before you begin
Role required: admin
Procedure
What to do next
The mode the MID is running in can be confirmed via two methods:
- Check the agent logs after start-up and look for the following log line: Running in FIPS Enforced mode
- Check the ecc_agent table on the instance and look for the value of the FIPS Enforced boolean column.
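The following pre-flight audit is an added example, not ServiceNow code: it applies the SSH and SNMP restrictions listed above to constructed inputs so that targets and credentials that would stop working in FIPS Enforced Mode can be found before the mode is switched on, and it checks the agent log for the start-up line named above. The input shapes (algorithm lists, credential fields) are assumptions for illustration.

```python
"""Pre-flight audit for MID Server FIPS Enforced Mode (added example).

Flags SSH algorithm offers and SNMP credential settings that the page says
are rejected once FIPS Enforced Mode is on. A real audit would pull the
credential records from the instance and the KEX/MAC offers from each target;
here the inputs are constructed inline.
"""

# Algorithms and protocols the page lists as unavailable in FIPS Enforced Mode.
BLOCKED_SSH_KEX = {"diffie-hellman-group1-sha1"}
BLOCKED_SSH_MAC = {"hmac-md5", "hmac-md5-96"}
BLOCKED_SNMP_AUTH = {"none", "md5"}
BLOCKED_SNMP_PRIV = {"none", "des"}


def audit_ssh_offer(kex: list[str], macs: list[str]) -> list[str]:
    """Findings for one SSH server's offered KEX and MAC lists (assumed input).
    A host whose only offers are blocked cannot be negotiated with at all."""
    findings = []
    bad_kex = [k for k in kex if k.lower() in BLOCKED_SSH_KEX]
    bad_mac = [m for m in macs if m.lower() in BLOCKED_SSH_MAC]
    if bad_kex:
        findings.append("kex blocked: " + ", ".join(bad_kex))
    if bad_mac:
        findings.append("mac blocked: " + ", ".join(bad_mac))
    if kex and len(bad_kex) == len(kex):
        findings.append("no usable key exchange: host unreachable in FIPS mode")
    if macs and len(bad_mac) == len(macs):
        findings.append("no usable MAC: host unreachable in FIPS mode")
    return findings


def audit_snmp_credential(version: str, auth: str = "none", priv: str = "none") -> list[str]:
    """Findings for one SNMP credential; field names are a constructed shape."""
    v = version.lower()
    if v in {"v1", "v2", "v2c"}:
        return [f"snmp {v} is disabled in FIPS mode"]
    findings = []
    if auth.lower() in BLOCKED_SNMP_AUTH:
        findings.append(f"auth protocol '{auth}' not permitted")
    if priv.lower() in BLOCKED_SNMP_PRIV:
        findings.append(f"privacy protocol '{priv}' not permitted")
    return findings


def fips_mode_from_log(lines: list[str]) -> bool:
    """True if the agent log contains the start-up line the page says to look for."""
    return any("Running in FIPS Enforced mode" in line for line in lines)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(audit_ssh_offer(["diffie-hellman-group1-sha1", "ecdh-sha2-nistp256"], ["hmac-md5"]))
    print(audit_snmp_credential("v3", auth="MD5", priv="AES"))
    print(fips_mode_from_log(["2025-07-31 Running in FIPS Enforced mode", "2025-07-31 Started"]))
```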
Manually convert the MID Server to FIPS Enforced Mode
The MID server can be run in FIPS Enforced Mode, where only cryptographic algorithms that are FIPS-validated are utilized.
Before you begin
Role required: admin
About this task
Convert the JRE’s TrustStore to BCFKS type.
Set the JRE’s default KeyStore type to be BCFKS.
Set the FIPS Enforced Mode flag in the MID Server's configuration file.
Procedure
Related Content
- MID Server certificate check policies
MID Server uses three kinds of security checks to secure external traffic. The security checks use TLS/SSL certificate validation, hostname validation, and OCSP validation to improve security. Control these security checks with the MID Server certificate check policies table.
- Encrypt or decrypt MID Server configuration file values
The value of any MID Server parameter in the config.xml file can be encrypted. The attributes for all encrypted values are managed from within the configuration file, including the security attribute of the login password.
- MID Server configuration file security
Sensitive MID Server configuration data can be protected using several different schemes, including internal and external data encryption and external data storage.
- MID Server authentication credentials and SOAP requests
Set basic authentication credentials to update the web service invocation data. For added security, you can enforce basic authentication on each incoming SOAP request to the MID Server.
- MID Server unified key store
The MID Server unified key store allows all products on the MID Server to use common certificates and key pairs. This feature allows applications to use the same secure communication channel to the MID Server that the MID Server uses to connect to the instance.
- Enable MID Server mutual authentication
Configure the MID Server to use a client certificate for authenticating to the instance. This avoids the need to create basic authentication credentials in the Key Store for the MID Server's configuration.
- MID Server Azure Key Vault integration
The MID Server integration with the Azure Key vault enables Orchestration, Discovery, and Service Mapping to run without storing any credentials on the instance.
- MID Server command audit log
The command audit log records the commands run by the MID Server for the Discovery application. Review the commands to check for anomalies or errors.
- Rekey a MID Server
Rekey a MID Server to generate a new private key. Private keys are used to decrypt automation credentials, so that MID Servers can transmit information securely. Key pairs are initially generated when a MID Server is validated, and MID Servers should be rekeyed periodically to meet security requirements.
- Add SSL certificates for the MID Server
Configure the MID Server to connect to a source over SSL.
- MID Server SSH cryptographic algorithms
The MID Server utilizes SSH clients to perform many discovery actions. During the SSH handshake, both the client and server first determine which algorithms both parties support, then the client picks the highest-priority algorithm. For the Host Key Algorithm, the client picks the highest-priority algorithm that both parties support and that matches the key type.
- Attach a script file to a file synchronized MID Server
You can attach a script file to synchronize to a connected MID Server. Windows Internet Explorer enhanced security blocks downloaded files that it determines are potentially dangerous. However, synchronizing the files avoids this security problem.
- MID Server Governance
Improve MID Server security by setting an automatic timeout to invalidate and shut down inactive MID Servers. You can enable this feature and set the inactivity timeout period globally and for each MID Server.
