StreamBase .NET client application fails to run on a FIPS-enabled machine


Article ID: KB0076096


Products: TIBCO Streaming
Versions: -

Description

The machine running a StreamBase .NET client application is FIPS-enabled ('Enable' set to 1 in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy), and produces the error:
 
ERROR [PGE:ESPReceiver] Exception(subscribe Ex): Message: Exception has been thrown by the target of an invocation.InnerException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. 
Source: mscorlib 
StackTrace: at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) 
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) 
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args) 
at System.Security.Cryptography.MD5.Create() 
at StreamBase.SB.Schema.GetHash() 
at StreamBase.SB.Schema.InitFromUnmanaged(Schema* pImpl, Dictionary`2 schemaMap) 
at StreamBase.SB.StreamProperties..ctor(StreamProperties* props) 
at StreamBase.SB.Client.StreamBaseClient.Subscribe(String sStreamName) 
at PG_StreamBaseClientImpl.subscribe(PG_StreamBaseClientImpl* , PSC_String* outputStreamName)

 

Issue/Introduction

A StreamBase .NET client application fails to run on a FIPS-enabled machine

Resolution

Several of the cryptographic algorithms used in the StreamBase product are not FIPS-compliant. These include the MD5 hash used on schemas (the MD5.Create() call made from StreamBase.SB.Schema.GetHash() in the stack trace above) and the SHA-1 hashing used on connection passwords.

On a machine where FIPS compliance is required, a .NET application fails (while sbd and the Java and C++ clients do not) because Microsoft built the safeguards into the .NET runtime only. Microsoft doesn't own Java, and the requirement is unenforceable in C++, so those can still run, but that doesn't make them FIPS-compliant.
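The runtime safeguard described above can be checked on a target machine before deploying a .NET client. The following C# console program is an added example, not StreamBase or TIBCO code; the class name FipsPreflight and the set of probed algorithms are assumptions. It reports whether the .NET Framework runtime is enforcing the FIPS policy and which hash factories it refuses to create.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Cryptography;

// Added diagnostic (hypothetical name), not part of the StreamBase client library.
static class FipsPreflight
{
    // Returns null if the algorithm can be created, otherwise the blocking error message.
    static string Probe(Func<HashAlgorithm> factory)
    {
        try
        {
            using (factory()) { return null; }
        }
        catch (TargetInvocationException ex)
        {
            // MD5.Create() goes through CryptoConfig.CreateFromName, which wraps the
            // constructor failure, exactly as in the stack trace in the Description.
            return (ex.InnerException ?? ex).Message;
        }
        catch (InvalidOperationException ex)
        {
            // Thrown directly when a non-validated implementation is constructed.
            return ex.Message;
        }
    }

    static int Main()
    {
        // Reflects the FipsAlgorithmPolicy setting as seen by the runtime.
        Console.WriteLine("FIPS policy enforced by runtime: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        var probes = new Dictionary<string, Func<HashAlgorithm>>
        {
            { "MD5.Create()",    () => MD5.Create() },    // used on schemas per this article
            { "SHA1.Create()",   () => SHA1.Create() },   // SHA-1 is used on connection passwords
            { "SHA256.Create()", () => SHA256.Create() }, // included for comparison
        };

        int blocked = 0;
        foreach (var p in probes)
        {
            string error = Probe(p.Value);
            if (error != null) blocked++;
            Console.WriteLine("{0,-18} {1}", p.Key, error == null ? "available" : "BLOCKED: " + error);
        }
        return blocked == 0 ? 0 : 1; // non-zero exit code if any probe was refused
    }
}
```

A "BLOCKED" line for MD5.Create() means StreamBaseClient.Subscribe() will fail on that machine in the way shown in the Description.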

The question becomes: do you want StreamBase to be fully FIPS-compliant, or do you just want to run it at all costs on a FIPS-enabled machine, knowing full well you're not compliant? If the former, this is not available in the StreamBase platform; if the latter, the only options are to re-implement your client in Java or C++.

Feature requests for this have been entered previously; however, Engineering has made no commitments to making StreamBase FIPS-compliant at this time.