Using FIPS Mode with the .NET SDK
Your application can use an embedded FIPS 140-2 validated cryptographic module (Certificate #1747; OpenSSL FIPS module version 2.0.2) that runs on all supported platforms per the FIPS 140-2 Implementation Guidance, section G.5. To use FIPS for communication, download the .NET SDK bundle with fips in the file name. This version of the SDK uses the OpenSSL toolkit in conjunction with the OpenSSL FIPS Object Module 2.0.2; do not use any library other than the OpenSSL library shipped with the SDK. No additional configuration is necessary to enable FIPS mode.
Not all hardware platforms on which .NET SDK applications can run support FIPS 140-2 validated cryptography. For example, on IA32 platforms the processor must support the SSE2 instruction set, which Intel x86 CPUs provide starting with the Pentium 4. When FIPS 140-2 validated cryptography is enabled, the application log contains a message saying so. If you enable it, make sure that your certificates use only FIPS approved algorithms: AES, 3DES, RSA, DSA, DH, SHA1, and SHA2.
If you are using the FIPS version of the .NET SDK and the application directly communicates with a Java-based SSL/TLS server (such as the ThingWorx platform), the cipher suite list should include !kEDH (as shown below). Otherwise, ephemeral Diffie-Hellman (EDH) key exchange may fail:
<CipherSuites>DEFAULT:!kEDH</CipherSuites>
In addition, depending on the Java version, the Apache Tomcat server used by your ThingWorx Foundation instance may or may not be FIPS compliant:
Java 7 — By default, the strong encryption ciphers necessary for the FIPS mode edge client to connect are NOT enabled. To enable them, you must add the following line to the Apache Tomcat server.xml configuration file’s <Connector> tag:
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
Java 8 — By default, the strong encryption ciphers necessary for the FIPS mode edge client to connect ARE enabled. You do not need to modify the Apache Tomcat file.
By default in both Java 7 and 8, weak encryption ciphers are enabled. To disable weak encryption ciphers for running in FIPS mode, update the following two lines in the Java configuration file, java.security:
jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
With weak encryption ciphers disabled, the FIPS mode edge client will connect to the server, but the non-FIPS mode edge client will NOT connect to the server.
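The following added example (not part of the ThingWorx documentation or SDK) audits a Tomcat ciphers="..." attribute such as the Java 7 line above: it splits each suite name into key exchange, cipher and MAC, checks those against the FIPS approved algorithm list given earlier on this page, and flags ephemeral Diffie-Hellman suites, which is what the !kEDH entry in <CipherSuites> excludes. The token-to-algorithm mappings and the sample connector text are assumptions constructed for the example.

```python
import re

# Algorithms this page lists as FIPS approved for the SDK.
FIPS_APPROVED = {"AES", "3DES", "RSA", "DSA", "DH", "SHA1", "SHA2"}

# Assumed mapping from suite-name tokens to algorithm families (example only).
KX_FAMILY = {"RSA": ("RSA",), "DHE_RSA": ("DH", "RSA"), "DHE_DSS": ("DH", "DSA"),
             "DH_RSA": ("DH", "RSA"), "DH_DSS": ("DH", "DSA"),
             "ECDHE_RSA": ("ECDH", "RSA"), "ECDHE_ECDSA": ("ECDH", "ECDSA")}
ENC_FAMILY = {"AES_128_CBC": "AES", "AES_256_CBC": "AES", "AES_128_GCM": "AES",
              "AES_256_GCM": "AES", "3DES_EDE_CBC": "3DES", "RC4_128": "RC4",
              "DES_CBC": "DES", "NULL": "NULL"}
MAC_FAMILY = {"SHA": "SHA1", "SHA256": "SHA2", "SHA384": "SHA2", "MD5": "MD5"}

# TLS_<kx>_WITH_<enc>_<mac>; the lazy first group stops at the first _WITH_.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(.+?)_WITH_(.+)_([A-Z0-9]+)$")

# Constructed sample: the page's Java 7 line plus one ephemeral-DH suite.
SAMPLE_CONNECTOR = '''<Connector port="8443"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA" />'''

def parse_ciphers_attr(text):
    """Return the suite names from a ciphers="..." attribute that may span lines."""
    m = re.search(r'ciphers\s*=\s*"([^"]*)"', text, re.S)
    if not m:
        raise ValueError("no ciphers attribute found")
    return [s.strip() for s in m.group(1).split(",") if s.strip()]

def classify(suite):
    """Break a suite name into algorithm families and apply the page's two checks."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError("unrecognised suite name: " + suite)
    kx, enc, mac = m.groups()
    algs = set(KX_FAMILY.get(kx, (kx,))) | {ENC_FAMILY.get(enc, enc), MAC_FAMILY.get(mac, mac)}
    return {"suite": suite, "algorithms": sorted(algs),
            "fips_ok": algs <= FIPS_APPROVED,        # every component FIPS approved?
            "ephemeral_dh": kx.startswith("DHE_")}   # the suites !kEDH removes

def audit(connector_text):
    return [classify(s) for s in parse_ciphers_attr(connector_text)]

if __name__ == "__main__":
    for r in audit(SAMPLE_CONNECTOR):
        print(r["suite"], "FIPS" if r["fips_ok"] else "NOT FIPS",
              "(ephemeral DH)" if r["ephemeral_dh"] else "")
```

Running the audit on the sample shows that SSL_RSA_WITH_RC4_128_SHA uses RC4, which is absent from the approved list, while the added DHE suite is FIPS approved yet would still be dropped on the client side by !kEDH.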