Error with "Windows Platform FIPS validated cryptographics algorithms"

6 years 2 months ago #96 by lmalonso
Error message:
“This Implementation is not part of the Windows Platform FIPS validated cryptographics algorithms.”
Problem found:
Windows offers the possibility to enable or disable a policy to execute or not the FIPS validated cryptographic algorithms included in the Windows Framework APIs. If set to enabled, RQS applications up to v15.1.7 will crash.
It can be enabled or disabled in the Administrative tools > Local Security Policy > Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing.

Explanation found in that option:
"System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista family and DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System.

For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

For BitLocker, this policy needs to be enabled before any encryption key is generated. Recovery passwords created when this policy is enabled are incompatible with BitLocker on Windows 8, Windows Server 2012, and earlier operating systems. If this policy is applied to computers running operating systems prior to Windows 8.1 and Windows Server 2012 R2, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used for those computers instead.

Default: Disabled.

Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions."


Solution:
To be solved in v15.1.8
Workaround for v15.1.7 or previous versions:
Every application has a configuration file with the same name as the original one but ending in .config, and its content is XML. For example, for RequirementsQualityAnalyzer.exe there’s a file RequirementsQualityAnalyzer.exe.config. Just by editing it in your installation folder (e.g.: C:\Program Files (x86)\The REUSE Company\Requirement Quality Analyzer\) and adding the line highlighted in yellow background, the application works fine.

<?xml version="1.0"?>
<configuration>
  <!-- configuration stuff irrelevant for this issue -->
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
    <!-- configuration stuff irrelevant for this issue -->
  </runtime>
</configuration>

So I have revised all the applications of the Requirements Quality Suite, and here I send you a summary of what needs to be done, in which file, and where it’s located.

First of all, what is needed is to include this line

<enforceFIPSPolicy enabled="false"/>

inside the <runtime> section. But sometimes this section did not need to be configured and is missing from the XML content, so there are two possible modification options:
  • OPTION 1: If the <runtime> section exists then you have to add the line inside, for example as the first child of its content as in the example above.
    <enforceFIPSPolicy enabled="false"/>
  • OPTION 2: If the <runtime> section does not exist, then it has to be added in the <configuration> section. Typically it is the last one in the XML, but the order is not important; the important thing is that it exists and contains our fixing line. So in this case, this XML excerpt must be added inside the <configuration> section:
    <runtime>
    <enforceFIPSPolicy enabled="false"/>
    </runtime>
Now let’s review in which files and paths it has to be added and with which option:
  • Full RQS Server (RQS Server + Synchronizer):
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Requirements Quality Suite Server\
    Files to be changed (administration rights needed):
    • RequirementsQualitySuiteServer.exe.config (Option 1)
    • Rqa.Licensing.Service.exe.config (Option 2)
    • RequirementsQualitySuiteSynchronizer.exe.config (Option 2)

  • RQS Server only:
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Requirements Quality Suite Server\
    Files to be changed (administration rights needed):
    • RequirementsQualitySuiteServer.exe.config (Option 1)
    • Rqa.Licensing.Service.exe.config (Option 2)

  • RQS Synchronizer:
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Requirements Quality Suite Synchronizer\
    Files to be changed (administration rights needed):
    • RequirementsQualitySuiteSynchronizer.exe.config (Option 2)

  • Requirements Quality Analyzer (RQA):
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Requirements Quality Analyzer\
    Files to be changed (administration rights needed):
    • RequirementsQualityAnalyzer.exe.config (Option 1)

  • Requirements Authoring Tool (RAT):
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Requirements Authoring Tool\
    Files to be changed (administration rights needed):
    • RequirementsAuthoringTool.exe.config (Option 1)

  • Requirements Authoring Tool Tray (RAT Tray):
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Requirements Authoring Tool Tray\
    Files to be changed (administration rights needed):
    • RequirementsAuthoringToolTray.exe.config (Option 1)

  • Requirements Authoring Tool plugin for PTC Integrity:
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Requirements Authoring Tool Integrity plugin\
    Files to be changed (administration rights needed):
    • Rqa.Authoring.Plugin.Integrity.exe.config (Option 2)

  • Knowledge Manager (KM):
    Default Installation Path (if changed while installing it, look it up in the installation folder selected):
    • C:\Program Files (x86)\The REUSE Company\Knowledge Manager\
    Files to be changed (administration rights needed):
    • knowledgeMANAGER.exe.config (Option 2)
Once you perform these changes, you only have to stop and start the service “QRLicenceService” / “Requirements Quality Analyzer / Requirements Authoring Tool License Service”; you can do this in the Task Manager.
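
The two options above, applied by script so the same edit can be repeated across the listed files (an added example, not part of the original post or of the vendor's tooling). The function names and the registry check of the machine-wide policy are assumptions introduced here, and the code assumes the config file declares no default XML namespace.

```powershell
# Added example. Function names are illustrative and not part of RQS.

# True when the machine-wide FIPS policy is on (registry value backing the
# Local Security Policy option; this key is not quoted in the post).
function Test-FipsPolicyEnabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $p = Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.Enabled -eq 1)
}

# Applies OPTION 1 or OPTION 2 to one *.exe.config file; safe to re-run.
function Set-EnforceFipsPolicyOff {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $full = (Resolve-Path -LiteralPath $ConfigPath).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true           # keep the vendor's layout and comments
    $xml.Load($full)

    $root = $xml.DocumentElement
    if ($root.LocalName -ne 'configuration') { throw "Not a .NET config file: $full" }

    $runtime = $root.SelectSingleNode('runtime')
    if ($null -eq $runtime) {                 # OPTION 2: <runtime> is missing, create it
        $runtime = $xml.CreateElement('runtime')
        [void]$root.AppendChild($runtime)
    }
    $fips = $runtime.SelectSingleNode('enforceFIPSPolicy')
    if ($null -eq $fips) {                    # OPTION 1: add as first child of <runtime>
        $fips = $xml.CreateElement('enforceFIPSPolicy')
        [void]$runtime.PrependChild($fips)
    }
    if ($fips.GetAttribute('enabled') -eq 'false') { return 'unchanged' }
    $fips.SetAttribute('enabled', 'false')

    # Keep the first original as a backup, then write (needs an elevated shell).
    if (-not (Test-Path -LiteralPath "$full.bak")) {
        Copy-Item -LiteralPath $full -Destination "$full.bak"
    }
    $xml.Save($full)
    return 'updated'
}

# RQA path and file name as listed in the post; adjust for the other products.
$rqa = 'C:\Program Files (x86)\The REUSE Company\Requirements Quality Analyzer\RequirementsQualityAnalyzer.exe.config'
if ((Test-FipsPolicyEnabled) -and (Test-Path -LiteralPath $rqa)) {
    Set-EnforceFipsPolicyOff -ConfigPath $rqa
}
```

The override applies only to the application whose config file is edited; the machine-wide policy stays as set, and the original file is kept next to it with a .bak suffix.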
