
Configure FIPS in WebEOC 7.7+ and Fusion 2.1.0.1+

Problem

When the Federal Information Processing Standard (FIPS) mode is first enabled, an error may appear on the WebEOC login page and be recorded in the Error Log. The problem occurs when the Windows registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy is set to 1.

In this instance, ASP.NET 2.0 uses the RijndaelManaged implementation of the AES algorithm when it processes view state data. The RijndaelManaged implementation has not been certified by the National Institute of Standards and Technology (NIST) as FIPS compliant. Therefore, AES as implemented by RijndaelManaged is not one of the Windows platform's FIPS-validated cryptographic algorithms, and ASP.NET fails when the registry setting forces FIPS-validated algorithms only.

Solution

To work around this problem, you must change the configuration in the WebEOC Web.config file.

Important: Changing the configuration may increase your security risk. In addition to security risks, these steps may also make the computer or network more vulnerable to attack by malicious users or software, including viruses. Thus, this workaround is recommended only to enable programs to operate as designed or to implement specific program capabilities.

Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process as a requirement, take any appropriate additional steps to help protect your system.

Specify that ASP.NET uses the Triple Data Encryption Standard (3DES) algorithm to process view state data. To do this, follow these steps:

  1. In a text editor such as Notepad, open the application-level Web.config file.

  2. In the Web.config file, locate the <system.web> section.

  3. In this section, add the following <machineKey> section:

    <machineKey validationKey="AutoGenerate,IsolateApps"
    decryptionKey="AutoGenerate,IsolateApps" validation="3DES"
    decryption="3DES"/>
    
  4. Save the Web.config file.

  5. Restart the Microsoft Internet Information Services (IIS) service by running the iisreset command at a command prompt.

In general, the 3DES algorithm is less secure than the AES (Rijndael) algorithm. Therefore, we recommend that you use the AES algorithm whenever possible to help secure your system. Implementing this change allows WebEOC to work under FIPS mode by using 3DES, which is a FIPS-compliant algorithm.
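As an added example (not part of this article or of WebEOC), the following Python script audits a Web.config for the <machineKey> element described in the steps above and inserts the prescribed 3DES settings when they are missing, so the change can be verified before IIS is restarted. The sample Web.config is constructed; any existing explicit validationKey/decryptionKey values are preserved and only the algorithms are switched.

```python
"""Audit and patch a WebEOC Web.config so view state uses 3DES under FIPS mode."""
import xml.etree.ElementTree as ET

# The <machineKey> attributes the article prescribes for step 3.
REQUIRED_MACHINE_KEY = {
    "validationKey": "AutoGenerate,IsolateApps",
    "decryptionKey": "AutoGenerate,IsolateApps",
    "validation": "3DES",
    "decryption": "3DES",
}

# Constructed sample: a minimal application-level Web.config with no <machineKey>.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""


def _system_web(root: ET.Element) -> ET.Element:
    """Locate the <system.web> section (step 2); raise if the config lacks one."""
    for child in root:
        if child.tag == "system.web":
            return child
    raise ValueError("Web.config has no <system.web> section")


def machine_key_status(config_text: str) -> dict:
    """Return the current <machineKey> attributes, or {} when the element is absent."""
    node = _system_web(ET.fromstring(config_text)).find("machineKey")
    return dict(node.attrib) if node is not None else {}


def needs_workaround(config_text: str) -> bool:
    """True when view-state validation or decryption is not pinned to 3DES."""
    attrs = machine_key_status(config_text)
    return attrs.get("validation") != "3DES" or attrs.get("decryption") != "3DES"


def apply_workaround(config_text: str) -> str:
    """Return the Web.config text with <machineKey> set to the article's 3DES values."""
    root = ET.fromstring(config_text)
    section = _system_web(root)
    node = section.find("machineKey")
    if node is None:
        ET.SubElement(section, "machineKey", REQUIRED_MACHINE_KEY)
    else:
        node.set("validation", "3DES")  # keep explicit keys, switch algorithms only
        node.set("decryption", "3DES")
    return ET.tostring(root, encoding="unicode")  # XML declaration is not re-emitted
```

Run needs_workaround() on the live file first; it also flags a Web.config that still names AES, which is the state that produces the login-page error under FIPS mode.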
