FIPS Mode Event Messages

EFT Server displays FIPS-related messages when switching to/from FIPS modes, starting/restarting EFT Server or Site, making administration interface connections, or managing certificates. EFT Server presents these messages in the administration interface and in the Windows Event Log, and allows you to correct the error. The messages for each location are listed below.

FIPS Mode Messages in the administration interface

EFT Server displays the following FIPS-related messages in the administration interface.

<SITENAME> will be started with the following protocols: FIPS compliant protocols: <FIPSPROTOCOLS> Non-FIPS protocols: <NONFIPS> To ensure FIPS compliant operation, please enable only FIPS compliant protocols.


When EFT Server is in SSL or SSH FIPS mode, this message reports which Site protocols are FIPS-secured and which are not each time the Administrator explicitly starts the Site (e.g., clicks Go).

The EFT Server is stopped: FIPS mode initialization error. All sites and protocols are disabled.

This warning message appears upon new administration connections if FIPS fails to initialize. FIPS can fail to initialize because EFT Server could not load the FIPS library or the library self-test failed. When this occurs, EFT Server is stopped and all Sites and protocols are disabled.

An error occurred while attempting to start EFT Server. FIPS mode initialization error; all sites and protocols have been disabled.

This message appears in the administration interface during Server start or restart when FIPS fails to initialize. FIPS can fail to initialize because EFT Server could not load the FIPS library or the library self-test failed. When this occurs, EFT Server is stopped and all Sites and protocols are disabled.

An error occurred while attempting to start Site ‘<SITE_NAME>’. The SSL certificate provided for Site ‘<SITE_NAME>’ has an improper key length. FIPS 140-2 mode requires keys between 1024 and 4096 bits (inclusive). Please choose a different certificate, or generate a new one that has at least 1024 but no more than 4096 bits in the public key.

or, for any other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

An error occurred while attempting to start Site ‘<SITE_NAME>’. Could not load SSL certificate.

This message appears during Site start/restart if a Site uses SSL and its certificate does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

An error occurred while attempting to start Site ‘<SITE_NAME>’. The SFTP key provided has an improper key length. FIPS 140-2 mode requires keys between 1024 and 4096 bits (inclusive). Please choose a different key, or generate a new one that has at least 1024 but no more than 4096 bits in the public key.

or, for any other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

An error occurred while attempting to start Site ‘<SITE_NAME>’. Could not load SFTP certificate.

This message appears during Site start/restart if a Site uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

The Site <SITE_NAME> is not started: [SSL certificate | SFTP key] is too weak and does not meet FIPS 140-2 requirements. Clients will not be able to connect to the Site.

or, for any other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

The Site <SITE_NAME> is not started: could not load [SSL certificate | SFTP key]. Clients will not be able to connect to the Site.

This warning message appears during new administration interface connections if a Site uses SSL and its certificate does not meet FIPS requirements or uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

EFT Server SSL certificate for remote administration is not an approved size (must be at least 1024 but no more than 4096 bits). Administrators will not be able to connect to EFT Server remotely.

or, for any other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT Server remotely.

This warning message is used to notify all connected administration interfaces if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT Server SSL certificate for remote administration is too weak and does not meet FIPS 140-2 requirements. Administrators will not be able to connect to EFT Server remotely.

or, for any other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT Server remotely.

This warning message is used during new administration interface connections if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT Server [SSL | SSH] subsystem has entered FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s FIPS certified cryptographic libraries.

or, when the subsystem leaves FIPS mode:

EFT Server [SSL | SSH] subsystem has exited FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s standard (non-FIPS) cryptographic libraries.

These informational messages appear in the administration interface to notify all connected administration interfaces when an administrator explicitly switches SSL or SSH FIPS mode or FIPS mode is disabled due to trial expiration.

FIPS Mode Events in the Event Log

EFT Server displays the following FIPS-related events in the Windows Event Log.

GlobalSCAPE EFT Server - FIPS [SSL|SSH] mode initialization error; all sites and protocols are disabled.

This error message appears in the Event Log upon the EFT Server service start or restart if FIPS fails to initialize. FIPS can fail to initialize because EFT Server could not load the FIPS library or the library self-test failed. When this occurs, EFT Server service is stopped and all Sites and protocols are disabled.

GlobalSCAPE EFT Server - FIPS mode initialization error for site "<SITE_NAME>": the specified [SFTP key|SSL certificate key] is not an approved size (must be at least 1024 but no more than 4096 bits). The site has not been started.

or, for any other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

GlobalSCAPE EFT Server - FIPS mode initialization error for site "<SITE_NAME>": the specified [SFTP key|SSL certificate] is broken. The site has not been started.

This message appears during Site start/restart if a Site uses SSL and its certificate does not meet FIPS requirements or uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

EFT Server SSL certificate for remote administration is not an approved size (must be at least 1024 but no more than 4096 bits). Administrators will not be able to connect to EFT Server remotely.

or, for any other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT Server remotely.

This warning message appears in the Event Log if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT Server [SSL | SSH] subsystem has entered FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s FIPS certified cryptographic libraries.

or, when the subsystem leaves FIPS mode:

EFT Server [SSL | SSH] subsystem has exited FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s standard (non-FIPS) cryptographic libraries.

These informational messages appear in the Event Log when an administrator explicitly switches SSL or SSH FIPS mode or FIPS mode is disabled due to trial expiration.

GlobalSCAPE EFT Server - FIPS [SSL|SSH] mode initialized successfully; operating in compliance with FIPS 140-2.

This informational message appears in the Event Log every time the EFT Server service starts or restarts to report its successful FIPS mode initialization.
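
For monitoring, the Event Log messages listed above can be matched and triaged by text. The following is an added example, not GlobalSCAPE code: the rule names, the classify and needs_attention helpers, the "error" label on the per-site messages, and the choice to flag every exit from FIPS mode are assumptions of this example, and the sample messages are constructed from the templates on this page.

```python
import re

# Patterns built from the Event Log message texts listed on this page.
# Severities follow the page's wording; the page gives none for the per-site
# messages, so "error" for those two rules is an assumption of this example.
RULES = [
    ("init_failed", "error",
     re.compile(r"FIPS (?:(?P<subsystem>SSL|SSH) )?mode initialization error; all sites and protocols")),
    ("site_key_size", "error",
     re.compile(r'FIPS mode initialization error for site "(?P<site>[^"]+)": the specified '
                r"(?P<item>SFTP key|SSL certificate key) is not an approved size")),
    ("site_key_broken", "error",
     re.compile(r'FIPS mode initialization error for site "(?P<site>[^"]+)": the specified '
                r"(?P<item>SFTP key|SSL certificate) is broken")),
    ("admin_cert_size", "warning", re.compile(r"remote administration is not an approved size")),
    ("admin_cert_broken", "warning", re.compile(r"remote administration is broken")),
    ("fips_entered", "info", re.compile(r"(?P<subsystem>SSL|SSH) subsystem has entered FIPS mode")),
    ("fips_exited", "info", re.compile(r"(?P<subsystem>SSL|SSH) subsystem has exited FIPS mode")),
    ("init_ok", "info", re.compile(r"FIPS (?P<subsystem>SSL|SSH) mode initialized successfully")),
]

def classify(message):
    """Return a dict describing a FIPS event, or None for unrelated text."""
    for name, severity, pattern in RULES:
        m = pattern.search(message)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v}
            return {"event": name, "severity": severity, **fields}
    return None

def needs_attention(messages):
    """Failures, plus any exit from FIPS mode (it may be a trial expiration)."""
    hits = [e for e in map(classify, messages) if e]
    return [e for e in hits if e["severity"] != "info" or e["event"] == "fips_exited"]

# Constructed sample messages: filled-in copies of the templates on this page.
SAMPLE = [
    "GlobalSCAPE EFT Server - FIPS SSL mode initialized successfully; operating in compliance with FIPS 140-2.",
    'GlobalSCAPE EFT Server - FIPS mode initialization error for site "MySite": the specified SFTP key is not an approved size (must be at least 1024 but no more than 4096 bits). The site has not been started.',
    "EFT Server SSH subsystem has exited FIPS mode. All new connections over SSH will use EFT Server's standard (non-FIPS) cryptographic libraries.",
    "EFT Server SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT Server remotely.",
]

if __name__ == "__main__":
    for event in needs_attention(SAMPLE):
        print(event)
```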