FIPS Mode Event Messages

EFT Server displays FIPS-related messages when switching to/from FIPS modes, starting/restarting EFT Server or Site, making Administrator interface connections, or managing certificates. EFT Server presents messages in the Administrator interface and in the Windows Event Log and allows you to correct the error. That is:

A FIPS initialization error at Server startup does not stop the EFT Server service. Instead, the service is started and listening for administrator connections, but the Sites are stopped so that you can connect, get diagnostics, disable FIPS mode, and so on.
An administrator SSL certificate failure at Server startup does not stop the EFT Server service immediately. Instead, EFT Server starts, but does not accept SSL administrative connections. The administrator is able to login locally, get diagnostics, replace the certificate, and so on.
An administrator SSL certificate failure after SSL FIPS mode switching does not stop the EFT Server service. Instead, EFT Server continues working, but does not accept SSL administrative connections. The Administrator can connect to replace the certificate, and so on.

FIPS Mode Messages in the Administrator

EFT Server displays the following FIPS-related messages in the EFT Server Administrator interface.

<SITENAME> will be started with the following protocols: FIPS compliant protocols: <FIPSPROTOCOLS> Non-FIPS protocols: <NONFIPS> To ensure FIPS compliant operation, please enable only FIPS compliant protocols.

When EFT Server is in SSL or SSH FIPS mode, this message reports which Site protocols are FIPS-secured and which are not each time the Administrator explicitly starts the Site (e.g., clicks Go).

The EFT Server is stopped: FIPS mode initialization error. All sites and protocols are disabled.

This warning message appears upon new Administration connections if FIPS fails to initialize. FIPS can fail to initialize because EFT Server could not load the FIPS library or the library self-test failed. When this occurs, EFT Server is stopped and all Sites and protocols are disabled.

An error occurred while attempting to start EFT Server. FIPS mode initialization error; all sites and protocols have been disabled.

This message appears in the Administrator interface during Server start or restart when FIPS fails to initialize. FIPS can fail to initialize because EFT Server could not load the FIPS library or the library self-test failed. When this occurs, EFT Server is stopped and all Sites and protocols are disabled.

An error occurred while attempting to start Site ‘<SITE_NAME>. The SSL certificate provided for Site ‘<SITE_NAME>’ has an improper key length. FIPS 140-2 mode requires keys between 1024 and 4096 bits (inclusive). Please choose a different certificate, or generate a new one that has at least 1024 but no more than 4096 bits in the public key.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

An error occurred while attempting to start Site ‘<SITE_NAME>’. Could not load SSL certificate.

This message appears during Site start/restart if a Site uses SSL and its certificate does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

An error occurred while attempting to start Site ‘<SITE_NAME>. The SFTP key provided has an improper key length. FIPS 140-2 mode requires keys between 1024 and 4096 bits (inclusive). Please choose a different key, or generate a new one that has at least 1024 but no more than 4096 bits in the public key.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

An error occurred while attempting to start Site ‘<SITE_NAME>’. Could not load SFTP certificate.

This message appears during Site start/restart if a Site uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

The Site <SITE_NAME> is not started: [SSL certificate | SFTP key] is too weak and does not meet FIPS 140-2 requirements. Clients will not be able to connect to the Site.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

The Site <SITE_NAME> is not started: could not load [SSL certificate | SFTP key]. Clients will not be able to connect to the Site.

This warning message appears during new Administrator interface connections if a Site uses SSL and its certificate does not meet FIPS requirements or uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

EFT Server SSL certificate for remote administration is not an approved size (must be at least 1024 but no more than 4096 bits). Administrators will not be able to connect to EFT Server remotely.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT Server remotely.

This warning message is used in to notify all connected Administrator interfaces if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT Server SSL certificate for remote administration is too weak and does not meet FIPS 140-2 requirements. Administrators will not be able to connect to EFT Server remotely.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT Server remotely.

This warning message is used during new Administrator interface connections if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT Server [SSL | SSH] subsystem has entered FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s FIPS certified cryptographic libraries.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server [SSL | SSH] subsystem has exited FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s standard (non-FIPS) cryptographic libraries.

These informational messages appear in the Administrator interface to notify all connected Administrator interfaces when an administrator explicitly switches SSL or SSH FIPS mode or FIPS mode is disabled due to trial expiration.

FIPS Mode Events in the Event Log

EFT Server displays the following FIPS-related events in the Windows Event Log.

GlobalSCAPE EFT Server - FIPS [SSL|SSH] mode initialization error; all sites and protocols are disabled.

This error message appears in the Event Log upon the EFT Server service start or restart if FIPS fails to initialize. FIPS can fail to initialize because EFT Server could not load the FIPS library or the library self-test failed. When this occurs, EFT Server service is stopped and all Sites and protocols are disabled.

GlobalSCAPE EFT Server - FIPS mode initialization error for site "<SITE_NAME>": the specified [SFTP key|SSL certificate key] is not an approved size (must be at least 1024 but no more than 4096 bits). The site has not been started.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

GlobalSCAPE EFT Server - FIPS mode initialization error for site "<SITE_NAME>": the specified [SFTP key|SSL certificate] is broken. The site has not been started.

This message appears during Site start/restart if a Site uses SSL and its certificate does not meet FIPS requirements or uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

EFT Server SSL certificate for remote administration is not an approved size (must be at least 1024 but no more than 4096 bits). Administrators will not be able to connect to EFT Server remotely.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT Server remotely.

This warning message appears in the Event Log if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT Server [SSL | SSH] subsystem has entered FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s FIPS certified cryptographic libraries.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT Server [SSL | SSH] subsystem has exited FIPS mode. All new connections over [SSL | SSH] will use EFT Server’s standard (non-FIPS) cryptographic libraries.

This informational messages appear in the Event Log when an administrator explicitly switches SSL or SSH FIPS mode or FIPS mode is disabled due to trial expiration.

GlobalSCAPE EFT Server - FIPS [SSL|SSH] mode initialized successfully; operating in compliance with FIPS 140-2.

This informational message appears in the Event Log every time the EFT Server service starts or restarts to report its successful FIPS mode initialization.

Did this topic solve your problem/answer your question?

- For the most up-to-date information regarding EFT Server and its modules;

- To view version history, updates, and activation instructions;

- To download a PDF of this user guide;

- And to search the Knowledge Base and User Forum,

Visit the GlobalSCAPE Support Center, http://www.globalscape.com/support .

Refer to Copyright Information for copyright information.

Last modified: October 14, 2009