FIPS Module Specification: Difference between revisions

FIPS Module Specification (view source)

Revision as of 01:45, 8 June 2006

560 bytes added , 8 June 2006

→‎Approved Mode of Operation

Wtchang

canmove, Confirmed users

937

edits

@@ Line 84: / Line 84: @@
 ===Approved Mode of Operation===
-In order to run the NSS module in the FIPS approved mode, an attribute must be explicitly set on the module. This can be done programmatically with a call to SECMOD_DeleteInternalModule() (with the module to delete being the internal module):
+In order to run the NSS module in the FIPS Approved mode, an attribute must be explicitly set on the module. This can be done programmatically with a call to [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/pk11wrap/pk11util.c.dep.html#SECMOD_DeleteInternalModule SECMOD_DeleteInternalModule()] (with the module to delete being the internal module):
 <pre>
      SECMODModule *internal;
@@ Line 98: / Line 98: @@
      }
 </pre>
-or by running the NSS module utility '''modutil'''. An example command line is below.
+or by running the NSS module utility [http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html '''modutil''']. An example command line is below:
-     modutil -fips true -dbdir certdir
+     modutil -fips true -dbdir <i>directory</i>
+where <code><i>directory</i></code> is the directory that contains the NSS databases.
-The setting is permanent for the NSS module and all subsequent invocations of NSS functions using that cert directory will be in FIPS mode. The module can be taken out of FIPS mode by substituting ''false'' for ''true'' in the command above. The state of the module can be checked with:
+The setting is permanent for the NSS module and all subsequent invocations of NSS functions using that cert directory will be in FIPS mode. The module can be taken out of FIPS mode by substituting <code>false</code> for <code>true</code> in the command above. The state of the module can be checked with:
-     modutil -chkfips true -dbdir certdir
+     modutil -chkfips true -dbdir <i>directory</i>
-or with a call to PK11_IsFIPS().
+where <code><i>directory</i></code> is the directory that contains the NSS databases, or with a call to [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/pk11wrap/pk11util.c.dep.html#PK11_IsFIPS PK11_IsFIPS()].
 ===Design Specification===