ThingWorx Edge C SDK > Using SSL/TLS for Security > FIPS Mode
Your application can use an embedded FIPS-140-2-validated cryptographic module (Certificate #1747; OpenSSL FIPS module version 2.0.2) running on all supported platforms per FIPS 140-2 Implementation Guidance section G.5 guidelines. The C SDK with FIPS requires the OpenSSL toolkit to be used in conjunction with the OpenSSL FIPS Object Module 2.0.2. Do not attempt to use any libraries other than the OpenSSL library provided with the C SDK. The current version of OpenSSL in the FIPS distribution bundle is 1.0.2l.
Not all hardware platforms where applications written using the C SDK can support FIPS-140-2-validated cryptography. For example, on platforms based on IA32 architecture, the processor must support the SSE2 instruction set. The SSE2 instruction set is available in Intel x86 CPUs, starting with Pentium 4. The application log will have a message that FIPS-140-2-validated cryptography is enabled. If you enable it, be sure that your certificates include only FIPS approved encryption algorithms. The FIPS approved algorithms are AES, Triple-DES, RSA, DSA, DH, SHA1, and SHA2.
If the FIPS module is enabled and the application directly communicates with a Java-based SSL/TLS server (such as ThingWorx platform), the cipher suite list should include !kEDH (as shown below). Otherwise, ephemeral Diffie-Hellman (EDH) key exchange may fail:
In addition, depending on the Java version, the Apache Tomcat server used by your ThingWorx platform may or may not be FIPS compliant:
Java 7 — By default, the strong encryption ciphers necessary for the FIPS mode edge client to connect are NOT enabled. To enable them, you must add the following line to the Apache Tomcat server.xml configuration file’s <Connector> tag:
Java 8 — By default, the strong encryption ciphers necessary for the FIPS mode edge client to connect ARE enabled. You do not need to modify the Apache Tomcat file.
By default in both Java 7 and Java 8, weak encryption ciphers are enabled. To disable weak encryption ciphers for running in FIPS mode, update the following two lines in the Java configuration file,
jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
With weak encryption ciphers disabled, the FIPS mode edge client will connect to the server, but the non-FIPSmode edge client will NOT connect to the server.
For information about building your edge client with FIPS mode, see the section on building with FIPS mode enabled in the topic, How to Build with FIPS Mode Enabled.