Idea ID: 2783810

End to end encryption in OES-Client

Status : Delivered
over 2 years ago
Our security staff wish an end-to-end encryption for the whole datatraffic.

So the files will not be transferred between NCPserver and OESClient unencrypted.
  • Yes, I'll also connect with you at Universe...any US DoD supplier with CUI (Controlled, Unclassified Data) will need at least CMMC level 3 certification (outside audit of supplier security plan). CMMC (and NIST SP 800-171) require CUI to be transmitted with and stored on encryption validated to NIST FIPS 140-2 or -3. Any DoD Supplier (this includes Universities accepting government contracts with certain FARS requirements) also fall directly into this category. So we would really like to get FIPS validation of the crypto in use for NCP and NSS to start down the road of validation (it's time consuming, and there are other Micro Focus PMs going through this same process...). If end users can point to a blog post or something that state's MF's intention to validate the crypto in OES through NIST, that's a huge step that could save a lot of OES deployments in these environments. That certainly isn't everything (we need to fix eDirectory and FIPS mode in the SLE kernel, and more) but it's a good start...

  • Thanks for the connect  

     

      Although most of the crypto used in OES are within FIPS compliant, we haven't gone through the exercise of validation. Can you please send me a note on girish dot ks at microfocus dot com with more details on your use case?

     

  • I'm including , current PM over OES to reach out to you.

  • Thank you for this feature! For compliance, we need NIST FIPS validation of this and NSS crypto next please...let us know who we need to convince in Management for going through the process for OES FIPS validation...

  • This is part of the OES2018 SP2 Beta today and will generally available when SP goes Gold.