ArcGIS Server 10 on W2K8R2 and FIPS compliant algorithms for encryption

[weiland00]

I have recently had to migrate to a new W2K8R2 server and took the opportunity to move ArcGIS Server 10. The Web Post Install would not run on the server which was not joined to the domain (i.e. no GPOs). ESRI support had me disable the security policy > "System cryptography: Use FIPS compliant algorithms for encryption" in the local security policy and everything worked. Upon joining the server to the domain, a GPO re-enabled that policy and blocks the ability to disable it in order to comply with DOD security policies. Now the SOM/SOC still work but the Web end points fail.

ESRI customer support pointed me to a bug report (NIM067659) and says that the only solution is to disable the "System cryptography: Use FIPS compliant algorithms for encryption" policy- which isn't possible under the GPOs and ESRI's technical documents (http://resources.arcgis.com/content/...ity_compliance) clearly state that "Esri products are compatible with enabling the “Use FIPS compliant algorithms for encryption, hashing, and signing” security setting in Windows XP and later versions of Windows".

Has anyone else found a solution to this as I can't be the only DOD user to run up against this problem?

Thanks,

[rkilinski]

I don't have a solution, however; am experiencing the same problem on my server (W2K8 Standard SP2 x64, ArcGIS 10).

If anyone has a solution, please post.

Thank you!

[avel5840]

Please call Tech Support and reference NIM045209. There are possible work-arounds to this issue.

Thanks,

Avi

[weiland00]

Please call Tech Support and reference NIM045209. There are possible work-arounds to this issue.

Thanks,

Avi

I had a ticket open in march (Esri Incident #1022761) but the work arounds were not permitted by the IT staff- so I slicked and reloaded the server with W2K8sp1 & AGS 10sp4. Not ideal but it works.

[dgalluzzo]

You can disable the FIPS check within the .Net Framework by editting the machine file.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

<runtime>
<enforceFIPSPolicy enabled="false"/>
</runtime>

This will tell .Net not to enforce the windows policy and allows the policy to remain enabled.

[weiland00]

Thanks, good to know in case this bug is still in effect when I replace the server in 3 years.

[rkilinski]

I had a ticket open with ESRI about this FIPS compliance issue with ArcGIS Server .NET 10.0 (ESRI Incident #1068560). I need to run ArcGIS Server on a FIPS enabled server using REST endpoints and SOAP connections. I was asked to try a registry edit by the initial technician. Once that was proven to not work, he said that there was nothing he could do to assist and offered to escalate the issue. The second technician stated,

...I see that the following bug has been logged and is currently in "high priority" status:

#NIM045209 Enabling the 'System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing' causes ArcGIS Server Manager, Services Directory, and Web services to no longer work.

There is a workaround for the SOAP connections (http://server/arcgis/services) but there are no workarounds for anything else, including the REST endpoint, to leave the FIPS enabled. At this point all you can do from your end is contact your ESRI rep. and let them know how important this bug is for your organization to be fixed.

There isn't anything else we can do in Tech Support until the bug is fixed.

I then asked about the Java version of the application and was told:

The java version of Server 10.0 is fully FIPS compliant. The java version has the same functionality as the .net version. The only difference is everything is done in java language rather than .net. So if you are creating custom web applications you will need to know java language rather than .net. The other big difference is the java version is served out from a web server like tomcat. The .net is served from IIS. Those are the biggest differences between the two versions.

We are currently pushing to update all ESRI products to the latest versions and am installing 10.1 (sp1 will be released in a few days and will apply that). I have a question in for ESRI about FIPS compliance with the new version but I am not holding my breath. I am installing the Java version and will report back on how it works. I hope this post can help someone!