.. _reference-system-FIPS:

Federal Information Processing Standards (FIPS)
------------------------------------------------

.. index:: system;system fips
.. index:: system;system reboot

.. _19.3.4-PB2|EKB-8494:

An administrator can check and enable the system for 
adherence to Federal Information Processing Standards
(FIPS).

To check the system FIPS status, use **system fips**.

If FIPS is not enabled, the command output look as
follows:

::

   platform@nicnode1:~$ system fips
   FIPS mode is disabled


To enable FIPS on the system, use **system fips enable**.

.. important::
 
   The use of FIPS on the system requires a subscription to the Ubuntu Advantage
   service package from Canonical in order to obtain the necessary cryptographic modules.

   Internet access will be required from your system to the necessary Ubuntu Advantage
   service package URLs.

   You will prompted to:
   
   * input the base and update system URLs as given for the program
   * indicate if you wish to use a proxy and to provide its URL

   Contact your VOSS account manager or VOSS support for detailed information on using
   the Ubuntu Advantage service package in the system.


Console output will be similar to the example below:

::

   platform@nic-fips-un1:~$ system fips enable
   Please enter the URL as given by Canonical for the base Ubuntu Advantage program
   eg. deb https://<user>:<password>@private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu <ubuntu version> main

   URL: <URL>

   Please enter the URL as given by Canonical for the Ubuntu Advantage update program
   eg. deb https://<user>:<password>@private-ppa.launchpad.net/ubuntu-advantage/fips-updates/ubuntu <ubuntu version> main

   URL: <URL>

   Do you want to use an apt proxy? y

   What is the proxy URL?
   <URL>

   Installing required packages



If FIPS is enabled, the **system fips** command output is:

::

   platform@nic-fips-un1:~$ system fips
   FIPS mode is enabled


It is important to note:

* After running **system fips enable**, run **system reboot**
  to apply the FIPS enable changes.
* If fips mode is to be enabled on a cluster, it should be
  enabled on all nodes.
* *If FIPS is enabled on a system, it cannot be disabled.*
* All system passwords are stored using FIPS 140-2 complaint
  encryption algorithms, when FIPS mode is enabled or not.
* If FIPS is enabled on a system, all install scripts and
  templates are encrypted and decrypted using FIPS 140-2
  complaint encryption algorithms.