5.1 Configuring eDirectory in FIPS Mode for OpenSSL

When FIPS mode is enabled on your eDirectory server, all applications and modules running inside eDirectory that use OpenSSL will always use OpenSSL in FIPS mode; this includes LDAP, HTTP, and all cryptographic operations in EBA. Operating eDirectory in FIPS mode does not allow communication over SSLv3 and restricts cipher usage to high-strength ciphers. For more information, see Configuring LDAP Objects and Configuring HTTP Server Object in the NetIQ eDirectory Administration Guide.

All eDirectory 9.1 servers run in FIPS mode for OpenSSL by default on both Linux and Windows platforms. eDirectory provides switches to configure the FIPS mode to suit your requirements.

To enable the FIPS mode for OpenSSL:

  • Windows: FIPS mode is enabled by default in your eDirectory environment, so all eDirectory applications and modules that use OpenSSL will always use OpenSSL in FIPS mode. Operating eDirectory in FIPS mode does not allow communication over SSLv3 and restricts cipher usage to high-strength ciphers. For more information, see Configuring LDAP Objects and Configuring HTTP Server Object in the NetIQ eDirectory Administration Guide.

  • Linux: You do not need to perform any additional configuration to run eDirectory in the FIPS mode on Linux. The FIPS mode is turned on by default with eDirectory installation.

To disable the FIPS mode for OpenSSL:

  • Windows: In the registry, navigate to HKLM\SOFTWARE\Novell\NDS and set the FipsMode value to 0.

  • Linux: Pass n4u.server.fips_tls=0 with ndsconfig set command and restart the server.

    For example, ndsconfig set n4u.server.fips_tls=0.
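The following POSIX shell script is an added example and is not part of the NetIQ documentation or the eDirectory product. It audits the Linux switch described above from a defender's point of view: it reads the persisted n4u.server.fips_tls setting, reports whether someone has turned FIPS mode off, and optionally confirms against a live listener that SSLv3 is refused, which is the behaviour the page says a FIPS-mode server must show. It assumes (this is not stated on the page) that ndsconfig persists its settings as key=value lines in /etc/opt/novell/eDirectory/conf/nds.conf, and that the OpenSSL command-line tool is installed for the live probe. The Windows equivalent is simply to read the FipsMode registry value named above; no separate script is given for it.

```shell
#!/bin/sh
# Added example (not NetIQ's code): audit the FIPS-for-OpenSSL switch on a
# Linux eDirectory server.
#
# Assumption: ndsconfig stores its settings as key=value lines in this file.
NDS_CONF="${NDS_CONF:-/etc/opt/novell/eDirectory/conf/nds.conf}"

# fips_tls_setting FILE
# Prints the last value written for n4u.server.fips_tls in FILE, with
# surrounding whitespace removed. Prints nothing when the key is absent,
# which on eDirectory 9.1 means the default (FIPS mode on) is in effect.
fips_tls_setting() {
    conf="$1"
    grep -E '^[[:space:]]*n4u\.server\.fips_tls[[:space:]]*=' "$conf" 2>/dev/null \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# fips_audit FILE
# Returns 0 when FIPS mode is in effect (explicitly on, or left at the
# default) and 1 when the switch has been set to 0. Prints a one-line verdict.
fips_audit() {
    setting=$(fips_tls_setting "$1")
    if [ "$setting" = "0" ]; then
        echo "FIPS mode for OpenSSL is DISABLED: n4u.server.fips_tls=0 in $1"
        return 1
    fi
    if [ -z "$setting" ]; then
        echo "FIPS mode for OpenSSL is enabled (default; key not set in $1)"
    else
        echo "FIPS mode for OpenSSL is enabled (n4u.server.fips_tls=$setting in $1)"
    fi
    return 0
}

# sslv3_refused HOST PORT
# Live check against a listener (e.g. the LDAPS port): a FIPS-mode server must
# reject an SSLv3 handshake. Returns 0 when SSLv3 is refused, 1 when the
# handshake unexpectedly succeeds, and 2 when the local openssl build cannot
# speak SSLv3 at all, so the probe is inconclusive rather than a pass.
sslv3_refused() {
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "local openssl has no SSLv3 support; probe inconclusive" >&2
        return 2
    fi
    if openssl s_client -ssl3 -connect "$1:$2" </dev/null >/dev/null 2>&1; then
        echo "WARNING: $1:$2 accepted an SSLv3 handshake" >&2
        return 1
    fi
    return 0
}
```

Typical use on the server is `fips_audit "$NDS_CONF"` after sourcing the script, followed by `sslv3_refused localhost 636` (636 is the usual LDAPS port; substitute the port configured on the LDAP Server object). A non-zero exit from fips_audit is the signal to treat in monitoring: the page's default is FIPS on, so a persisted fips_tls=0 should always be a deliberate, documented decision.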