Skip to Content
Author's profile photo Annette Fuchs

FIPS 140-2 certification for SAP’s crypto kernel

As I already indicated in an earlier blog, SAP is working on a FIPS certification for the crypto kernel of the Secure Login Library component of our SAP NetWeaver Single Sign-On solution. The certification process is well under way, and soon we will conduct the final tests together with our evaluation lab. If you are looking for more information on FIPS 140-2 and what we are going to certify, check my latest article in the SAP Insider Magazine at  https://scn.sap.com/docs/DOC-34916. Have fun reading!

SAP received FIPS 140-2 certificate for the crypto kernel of the Secure Login Library!

Assigned tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Dirk Van Wie
      Dirk Van Wie

      Annette, what is the current status  on FIPS 140-2?  The blogs are stale.  The assumption was that certification would be completed by September 2013.  That was almost a year ago.  Should we move to Secude and stop paying maintenance fees on Netweaver SSO?

      Author's profile photo Former Member
      Former Member

      According to the list that was updated 2 days ago SAP AG is undergoing the phase "Coordination" which doesn't sound too promising...

      Author's profile photo Martin Voros
      Martin Voros

      I don't have any experience with FIPS validation process but based on this definition of coordination it's impossible to tell if it's promising or not. Every testing/review results in some comments/issues that need to be addressed. It really depends on how serious the findings are. That table also shows that most of the products are in this category. So it's really hard to tell.

      Cheers

      Author's profile photo Annette Fuchs
      Annette Fuchs
      Blog Post Author

      Hi Dirk, and all others who commented on this blog,

      SAP submitted all evaluation results and required documentation to the certification body NIST/CMVP in April 2013.

      In the "coordination phase" the NIST/CMVP specialists comment on the submitted documents and are in exchange with the validating certification lab. Sometimes these discussions can be very long and extensive and also there happen to be delays because the involved people are not always available. The clarification process seems to be finished by now but we have not heard back from NIST/CMVP, yet. SAP has no influence on the process, its progress or the speed in which its is conducted.

      Author's profile photo Dirk Van Wie
      Dirk Van Wie

      Annette, thank you for the feedback.  At one point last year, I had a copy of the FIPS 140.2 certification from the TuV.  Is that something you could post or otherwise make available?

      Author's profile photo Annette Fuchs
      Annette Fuchs
      Blog Post Author

      I just received information from our evaluation lab that NIST/CMVP requested another change to our security policy. The required change should be the last one and will be submitted within this week. According to the lab the certificate should be there soon then.

      Author's profile photo Former Member
      Former Member

      Any updates on this?