Enable FIPS
The XP service roles, including xConnect, do not support this feature.
If you enable the Use FIPS compliant algorithms for encryption, hashing, and signing security policy option in Windows, you must enable the correct cryptographic classes for Sitecore.
This topic describes how to:
Enable Sitecore FIPS support
To enable Sitecore FIPS support:
1. Go to the /Website/bin folder of your Sitecore instance.
2. Right-click the Sitecore.Kernel.dll file and then click Properties.
3. On the Details tab, note the value of the File version property.
4. Open the machine.config file. This file is in different folders on 32-bit and 64-bit systems:
   - On a 32-bit system, it is %windir%\Microsoft.NET\Framework\<DotNetVersion>\Config\machine.config.
   - On a 64-bit system, it is %windir%\Microsoft.NET\Framework64\<DotNetVersion>\Config\machine.config.
5. Add the following node to the file:

   <configuration>
     <!-- Other configuration settings -->
     <mscorlib>
       <cryptographySettings>
         <cryptoNameMapping>
           <cryptoClasses>
             <cryptoClass AESPROXY="Sitecore.SecurityModel.Cryptography.AesCryptoServiceProviderProxy, Sitecore.Kernel, Version=XX.X.X.XXXX, Culture=neutral"/>
           </cryptoClasses>
           <nameEntry name="Rijndael" class="AESPROXY"/>
           <nameEntry name="System.Security.Cryptography.Rijndael" class="AESPROXY"/>
           <nameEntry name="System.Security.Cryptography.RijndaelManaged" class="AESPROXY"/>
           <nameEntry name="AesManaged" class="AESPROXY"/>
           <nameEntry name="System.Security.Cryptography.AesManaged" class="AESPROXY"/>
         </cryptoNameMapping>
       </cryptographySettings>
     </mscorlib>
   </configuration>

   Use the file version value you noted in step 3 as the Version value of the Sitecore.Kernel assembly reference (marked as XX.X.X.XXXX).
6. Optionally, reset Internet Information Services (IIS).
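The node above only takes effect for code that obtains its algorithm through CryptoConfig (for example Rijndael.Create() or SymmetricAlgorithm.Create("...")); a direct new RijndaelManaged() does not consult the name mapping and still throws InvalidOperationException under the FIPS policy. The following console tool is an added verification example, not part of the Sitecore documentation or product: it reads the File version from Sitecore.Kernel.dll (step 3), prints the cryptoClass value to paste into machine.config, reports whether the CLR is enforcing the FIPS policy, and resolves each mapped name through CryptoConfig to confirm it now yields the Sitecore proxy type. The bin folder path is an assumed default; build the tool for the same bitness as the IIS application pool (it reads that framework's machine.config) and run it from a folder that also contains Sitecore.Kernel.dll so the CLR can load the proxy type.

```csharp
// FipsMappingCheck.cs: added verification helper (assumed names), not Sitecore code.
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

static class FipsMappingCheck
{
    // The names that the machine.config node redirects to the Sitecore AES proxy.
    static readonly string[] MappedNames =
    {
        "Rijndael",
        "System.Security.Cryptography.Rijndael",
        "System.Security.Cryptography.RijndaelManaged",
        "AesManaged",
        "System.Security.Cryptography.AesManaged",
    };

    // Step 3 without the Properties dialog: read the File version of Sitecore.Kernel.dll.
    static string ReadKernelFileVersion(string binFolder)
    {
        var path = Path.Combine(binFolder, "Sitecore.Kernel.dll");
        return FileVersionInfo.GetVersionInfo(path).FileVersion;
    }

    // Build the cryptoClass attribute value exactly as the machine.config node expects it.
    static string BuildCryptoClassValue(string fileVersion)
    {
        return "Sitecore.SecurityModel.Cryptography.AesCryptoServiceProviderProxy, Sitecore.Kernel, Version="
               + fileVersion + ", Culture=neutral";
    }

    // Resolve a name the way Rijndael.Create()/SymmetricAlgorithm.Create(name) do: through
    // CryptoConfig, which reads cryptoNameMapping from machine.config. Returns the concrete
    // type name, or a description of the failure when the class cannot be instantiated
    // (a non-validated managed class throws under the FIPS policy).
    static string Resolve(string name)
    {
        try
        {
            var obj = CryptoConfig.CreateFromName(name);
            return obj == null ? "<unmapped: null>" : obj.GetType().FullName;
        }
        catch (Exception ex)
        {
            // Activator wraps constructor exceptions in TargetInvocationException.
            var inner = ex is TargetInvocationException && ex.InnerException != null ? ex.InnerException : ex;
            return "<error: " + inner.GetType().Name + ": " + inner.Message + ">";
        }
    }

    static int Main(string[] args)
    {
        // Assumed default; pass the real /Website/bin path as the first argument.
        var binFolder = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\Sitecore\Website\bin";

        Console.WriteLine("FIPS policy enforced by the CLR: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        Console.WriteLine("cryptoClass value for machine.config:");
        Console.WriteLine("  " + BuildCryptoClassValue(ReadKernelFileVersion(binFolder)));

        var allMapped = true;
        foreach (var name in MappedNames)
        {
            var resolved = Resolve(name);
            // Once the node is in place, every name should resolve to the Sitecore proxy.
            var mapped = resolved.StartsWith("Sitecore.SecurityModel.Cryptography.", StringComparison.Ordinal);
            allMapped &= mapped;
            Console.WriteLine("  {0,-50} -> {1}", name, resolved);
        }

        Console.WriteLine(allMapped
            ? "All names map to the Sitecore AES proxy."
            : "Mapping incomplete: check the machine.config node and the Version value.");
        return allMapped ? 0 : 1;
    }
}
```

Before the node is added, and with the Windows policy enabled, the managed names resolve to an error (InvalidOperationException) rather than to a type; after the node is added, and the Version value matches the DLL, all five names resolve to the proxy and the tool exits with 0.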
Add encryption for FIPS in a WebApp
You cannot reliably change machine-level configuration from within the WebApp itself. However, if you want to scale up, or have a CD server in another location, you can use the following example to set the same machine keys on every instance, because they all must use the same encryption keys.

// In Global.asax.cs. The usings below are required by the code in Application_Start.
using System.Configuration;
using System.Reflection;
using System.Web.Configuration;

protected void Application_Start()
{
    /* ... */
    // The <machineKey> section as loaded for this application; it is read-only at runtime.
    var mkType = typeof(MachineKeySection);
    var mkSection = ConfigurationManager.GetSection("system.web/machineKey") as MachineKeySection;
    // ConfigurationElement.Reset(ConfigurationElement) is not public; it replaces the
    // section's contents with those of another section instance.
    var rwMethod = mkType.GetMethod("Reset", BindingFlags.NonPublic | BindingFlags.Instance);
    var newConfig = new MachineKeySection();
    newConfig.ApplicationName = mkSection.ApplicationName;
    newConfig.CompatibilityMode = mkSection.CompatibilityMode;
    newConfig.DataProtectorType = mkSection.DataProtectorType;
    newConfig.Validation = mkSection.Validation;
    // Use identical key values on every instance (placeholders shown here).
    newConfig.ValidationKey = "XXXXXXXXXX";
    newConfig.DecryptionKey = "XXXXXXXXXX";
    newConfig.Decryption = "AES";
    newConfig.ValidationAlgorithm = "SHA1";
    // Apply the new values to the live section.
    rwMethod.Invoke(mkSection, new object[] { newConfig });
    /* ... */
}
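The placeholder keys above must be replaced with real values of the right length for the chosen algorithms, and every instance must receive the same pair. The following console helper is an added example, not code from the Sitecore documentation: it generates a validation key and an AES decryption key with RNGCryptoServiceProvider (the CAPI-backed generator, which is allowed under the FIPS policy), checks the hex lengths ASP.NET accepts (40 to 128 hex characters for validationKey; 32, 48 or 64 hex characters for an AES decryptionKey), and prints a machineKey element whose two values can be pasted into web.config or into the Application_Start override above. The class and method names are assumptions.

```csharp
// MachineKeyGen.cs: added helper (assumed names), not Sitecore code.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class MachineKeyGen
{
    // Upper-case hex of cryptographically random bytes from the CAPI-backed RNG.
    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        var sb = new StringBuilder(byteCount * 2);
        foreach (var b in bytes)
        {
            sb.Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // ASP.NET accepts a validationKey of 40 to 128 hex characters (20 to 64 bytes).
    static bool IsValidValidationKey(string hex)
    {
        return Regex.IsMatch(hex, "^[0-9A-Fa-f]{40,128}$");
    }

    // With decryption="AES" the decryptionKey must be 16, 24 or 32 bytes (32, 48 or 64 hex characters).
    static bool IsValidAesDecryptionKey(string hex)
    {
        return Regex.IsMatch(hex, "^([0-9A-Fa-f]{32}|[0-9A-Fa-f]{48}|[0-9A-Fa-f]{64})$");
    }

    // Build the element for web.config, using the same algorithm choices as the page's
    // Application_Start code (decryption="AES", validation="SHA1", i.e. HMACSHA1).
    static string BuildMachineKeyElement(string validationKey, string decryptionKey)
    {
        if (!IsValidValidationKey(validationKey))
        {
            throw new ArgumentException("validationKey must be 40-128 hex characters", "validationKey");
        }
        if (!IsValidAesDecryptionKey(decryptionKey))
        {
            throw new ArgumentException("decryptionKey must be 32, 48 or 64 hex characters for AES", "decryptionKey");
        }
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\" decryption=\"AES\" />",
            validationKey, decryptionKey);
    }

    static void Main()
    {
        // 64-byte validation key and 32-byte (AES-256) decryption key.
        var validationKey = RandomHex(64);
        var decryptionKey = RandomHex(32);

        Console.WriteLine(BuildMachineKeyElement(validationKey, decryptionKey));
        Console.WriteLine();
        Console.WriteLine("Deploy the same element (or the same two key values) to every CM and CD instance.");
    }
}
```

Run the tool once, store the output in your deployment secrets, and deploy it unchanged to every instance; generating keys separately on each server would break forms authentication tickets and view state shared between them.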