
FIPS compliance

Replicate is FIPS-compliant. FIPS (Federal Information Processing Standards) is a set of standards developed by the United States Federal Government for use in computer systems. FIPS 140-2 is the subset of standards which defines approved encryption algorithms used for handling sensitive information.

Prerequisites and considerations

  • In order for Replicate to work in FIPS mode, the operating system on which you want to install Replicate must already be running in FIPS mode.
  • Turning the machine's FIPS mode on or off after Replicate is installed is not supported. In such a case, the Replicate services will stop running and Replicate will need to be reinstalled.

Turning off FIPS mode in Replicate

With a standard installation, if the machine on which Replicate is installed is running in FIPS mode, Replicate will also be installed in FIPS mode. However, if you need to use endpoints that are not supported when Replicate is running in FIPS mode (see FIPS-compliant endpoints below), then you can turn off FIPS mode in Replicate.

Disabling Replicate FIPS mode on Linux

  1. Open a bash shell and switch the working directory to <REPLICATE_INSTALL_DIR>/bin.

    Information note: The default installation directory is /opt/attunity/replicate.
  2. Set the system environment variable to disable Replicate FIPS mode, by running the following command:

    echo "export AREP_OPENSSL_USES_FIPS=0" >> site_arep_login.sh

  3. Run the following command:

    repctl reset_fips

  4. Restart the Replicate service with the following command:

    systemctl restart areplicate
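
The Linux procedure above appends to site_arep_login.sh with ">>", so repeated toggles leave several export lines behind and only the last one takes effect. The following POSIX shell script is an added example, not part of the Replicate product or its documentation: it reports the effective setting next to the OS FIPS state. It assumes the kernel exposes its FIPS flag at /proc/sys/crypto/fips_enabled; the function names and verdict tokens are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): report whether Replicate's FIPS mode has
# been switched off on a Linux host whose OS runs in FIPS mode.

# Print 1 if the kernel flag file reports FIPS mode, else 0.
# $1 (optional): flag file path; the default path is an assumption.
os_fips_state() (
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag" ] && [ "$(tr -d '[:space:]' < "$flag")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
)

# Print the effective AREP_OPENSSL_USES_FIPS value from a login script.
# Commented-out lines are ignored; of several export lines the last one wins,
# matching how the shell evaluates the file. Prints "unset" if none is found.
replicate_fips_setting() (
    [ -r "$1" ] || { echo unset; exit 0; }
    value=$(sed -n 's/^[[:space:]]*export[[:space:]][[:space:]]*AREP_OPENSSL_USES_FIPS=//p' "$1" |
            tail -n 1 | tr -d "\"'" | cut -d' ' -f1)
    echo "${value:-unset}"
)

# Map (OS state, Replicate setting) to a verdict token.
fips_verdict() (
    case "$1:$2" in
        0:*)         echo not-applicable ;;  # OS is not in FIPS mode
        1:0)         echo drift ;;           # Replicate FIPS mode switched off
        1:1|1:unset) echo ok ;;              # standard install follows the OS
        *)           echo unknown ;;         # unexpected value, inspect by hand
    esac
)

# Usage: fips_report [install_dir]; the default is the directory named on this page.
fips_report() (
    script="${1:-/opt/attunity/replicate}/bin/site_arep_login.sh"
    os=$(os_fips_state)
    setting=$(replicate_fips_setting "$script")
    echo "os_fips=$os replicate_setting=$setting verdict=$(fips_verdict "$os" "$setting")"
)

fips_report "$@"
```

The script reads only the configured value; it does not confirm that repctl reset_fips was run or that the service was restarted afterwards.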

Disabling Replicate FIPS mode on Windows

  1. Open the System Properties dialog and click Environment variables. Then, in the Environment Variables dialog, click New under System variables.

  2. Enter AREP_OPENSSL_USES_FIPS and set its value to 0.

  3. Click OK and then click OK again to close the Environment Variables dialog.

  4. Open a command prompt as administrator and switch the working directory to <REPLICATE_INSTALL_DIR>\bin.

    Information note: The default installation directory is C:\Program Files\Attunity\Replicate.

    Then run the following command:

    repctl reset_fips

  5. Restart the Qlik Replicate Server service.

Turning on FIPS mode in Replicate

If, at some point in the future, you want to use only FIPS-compliant Replicate endpoints, you can turn Replicate FIPS mode back on. To do this, perform the procedures described in Disabling Replicate FIPS mode above, but with the following differences:

  • Instead of setting the environment variable to 0, set it to 1.
  • Do not run the repctl reset_fips command.

FIPS-compliant endpoints

FIPS compliance in Replicate endpoints depends on whether the database or ODBC vendor supports the FIPS cryptographic standard. As this is not always the case, only the endpoints listed in the table below are FIPS compliant.

Table: FIPS-compliant endpoints. Each endpoint name below is followed by its comments.

File source and target

-

IBM DB2 for z/OS source

The SSL connection is FIPS compliant. To connect using SSL, set the following internal parameters in the endpoint's Advanced tab:

  • UseSSL

    Enables SSL

  • SSLClientKeystoredb

    The SSL keystore database file that is used for an SSL connection with or without the CERTIFICATE authentication.

  • SSLClientKeystash

    The fully qualified path of the stash file ( .sth ), which stores an encrypted password to the key database file.

    -OR-

    SSLClientKeystoreDbPassword

    The password of the keystore in string format. This password is defined when the keystore is generated.

See also: Setting advanced connection properties

IBM DB2 for iSeries source

Supported with Replicate on Windows only. The SSL connection is FIPS compliant. To connect using SSL, set the useSSL internal parameter in the endpoint's Advanced tab.

See also: Setting advanced connection properties

IBM DB2 for LUW source

The SSL connection is FIPS compliant. To connect using SSL, set the following internal parameters in the endpoint's Advanced tab:

  • UseSSL

    Enables SSL

  • SSLClientKeystoredb

    The SSL keystore database file that is used for an SSL connection with or without the CERTIFICATE authentication.

  • SSLClientKeystash

    The fully qualified path of the stash file ( .sth ), which stores an encrypted password to the key database file.

    -OR-

    SSLClientKeystoreDbPassword

    The password of the keystore in string format. This password is defined when the keystore is generated.

See also: Setting advanced connection properties

Microsoft Azure ADLS target

Supported when using Azure Data Lake Storage (ADLS) Gen1 only.

See also: Setting general connection properties

Microsoft Azure Event Hubs target

-

Oracle source and target

For instructions on how to enable FIPS, see https://docs.oracle.com/cd/E28271_01/network.1111/e10746/asoappe.htm

Sybase ASE source

To enable FIPS, set the EnableFIPS internal parameter in the endpoint's Advanced tab to true.
