Question & Answer
Question
The FIPS processing mode cannot be enabled using the version of GSKit 8 bundled with the GA version of ITDS 6.3.
Cause
FIPS support/certification was not available in GSKit v8.0.13.1, which shipped with ITDS 6.3.
Answer
When attempting to enable ibm-slapdSslFipsProcessingMode on ITDS 6.3, the following errors may occur when clients attempt to connect to the server over SSL:
GLPSSL009E An incorrect value of /path/to/the/kdb/file was given for the SSL cipher specification.
In addition, an error like the following will show up in the server trace:
009:17:50:18 T1134971200 SSLGSKIT::secureSocOpen: open a secure connection
009:17:50:18 T1134971200 SSLGSKIT::setSocAttributeBuffer: set user data in the GSKit socket handle.
009:17:50:18 T1134971200 SSLGSKIT::enableTLSCiphers: enable TLS ciphers for GSKit socket handle
009:17:50:18 T1134971200 SSLGSKIT::enableV3Ciphers: turn on SSL V3 ciphers for GSKit socket handle
009:17:50:18 T1134971200 Error - SSLGSKIT::secureSocInit(): initializing secure socket
009:17:50:18 T1134971200 gsk_secure_soc_init failed, system errno=22 Invalid argument
009:17:50:18 T1134971200 gsk_secure_soc_init failed, GSK_ERROR_BAD_V3_CIPHER: rc=422
Upgrade GSKit to 8.0.14.14 or later; ibm-slapdSslFipsProcessingMode can then be enabled. GSKit 8.x can be downloaded from Fix Central.
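The following triage helper is an added example, not part of the original technote or of any IBM tooling: it looks for the GSK_ERROR_BAD_V3_CIPHER rc=422 signature in a server trace and compares a GSKit level against 8.0.14.14 numerically. The function names, the result labels, and the way the installed GSKit version and the FIPS setting are passed in as arguments are assumptions.

```python
import re

# Minimum GSKit level the technote gives for enabling FIPS processing mode.
MIN_FIPS_GSKIT = (8, 0, 14, 14)
# The GSKit failure line as it appears in the server trace above.
FAIL_RE = re.compile(r"gsk_secure_soc_init failed, (GSK_[A-Z0-9_]+): rc=(\d+)")

# Three of the trace lines quoted in the technote, embedded so this runs offline.
SAMPLE_TRACE = [
    "009:17:50:18 T1134971200 Error - SSLGSKIT::secureSocInit(): initializing secure socket",
    "009:17:50:18 T1134971200 gsk_secure_soc_init failed, system errno=22 Invalid argument",
    "009:17:50:18 T1134971200 gsk_secure_soc_init failed, GSK_ERROR_BAD_V3_CIPHER: rc=422",
]

def parse_version(text):
    """Turn '8.0.13.1' (optionally prefixed with 'v') into a tuple of ints."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){3})", text.strip())
    if not m:
        raise ValueError(f"not a four-part GSKit version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def supports_fips(version):
    # Tuple comparison is numeric per field: 8.0.14.9 < 8.0.14.14,
    # which a plain string comparison would get wrong.
    return parse_version(version) >= MIN_FIPS_GSKIT

def find_init_failures(trace_lines):
    """Return (thread_id, error_name, rc) for each named GSKit init failure."""
    hits = []
    for line in trace_lines:
        m = FAIL_RE.search(line)
        if m:
            thread = re.search(r"\bT(\d+)\b", line)
            hits.append((thread.group(1) if thread else None, m.group(1), int(m.group(2))))
    return hits

def triage(trace_lines, gskit_version, fips_enabled):
    """Classify a trace against the condition this technote describes."""
    bad_cipher = [h for h in find_init_failures(trace_lines)
                  if h[1] == "GSK_ERROR_BAD_V3_CIPHER" and h[2] == 422]
    if not bad_cipher:
        return "no-match"
    if fips_enabled and not supports_fips(gskit_version):
        return "upgrade-gskit"   # signature present and GSKit below 8.0.14.14
    return "other-cause"         # signature present, but not this technote's cause

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE, "8.0.13.1", fips_enabled=True))
```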
Document Information
Modified date:
16 June 2018
UID
swg21578181