The Federal Information Processing Standards or FIPS are standards developed by the United States government for computer systems that set requirements for, among other things, cryptography.
Microsoft no longer recommends enabling FIPS unless it is required by government regulations.
FIPS policy enforcement only exists on .NET Framework.
The Particular Software Platform is not FIPS compatible, and no testing is done to ensure components will work properly on FIPS-enabled hardware. The platform currently uses System. classes only for hashing, and not for data security purposes.
There are workarounds that allow running NServiceBus and the Particular Service Platform on the .NET Framework on servers with FIPS enforcement enabled, but these workarounds are also not tested or verified in any way.
NServiceBus
Starting in version 10.2, NServiceBus can use a non-cryptographic hash algorithm (XxHash128) to generate deterministic unique identifiers for endpoints, also known as host identifiers (HostIds). Because XxHash128 is not a cryptographic algorithm, FIPS policy enforcement does not block host identifier generation; the host ID workaround described below is no longer needed.
To ensure the non-cryptographic hash is used in NServiceBus 10, set the following AppContext switch before endpoint startup:
AppContext.SetSwitch("NServiceBus.Core.Hosting.UseV2DeterministicGuid", true);
Or via environment variable:
DOTNET_NServiceBus_Core_Hosting_UseV2DeterministicGuid=true
Or via MSBuild in a project file:
<ItemGroup>
  <RuntimeHostConfigurationOption Include="NServiceBus.Core.Hosting.UseV2DeterministicGuid" Value="true" />
</ItemGroup>
Changing the host identifier algorithm changes the host ID that identifies an endpoint in ServicePulse and ServiceControl. Changes to the algorithm will cause existing known endpoints to appear inactive in the ServicePulse heartbeats and monitoring views while new instances (with the changed host identifiers) appear in their place. Stale instances should be removed from the monitoring view.
See the NServiceBus version 10 to 11 upgrade guide for more information on migrating from MD5 to the XxHash128 hash algorithm.
Component libraries
The following packages use MD5 and cannot be used with FIPS enforcement enabled:
- NServiceBus.RavenDB - Uses MD5 to create shortened keys for subscriptions and saga lookup properties.
- NServiceBus.Gateway - Uses MD5 to ensure integrity of received data.
- NServiceBus.Distributor.Msmq - Uses MD5 to shorten long queue names.
Disable enforcement of FIPS
ServiceControl and ServicePulse also use MD5 internally and will require disabling FIPS enforcement to run properly. As these tools do not execute user code and can be audited as 100% open source, it is sometimes possible to obtain a waiver to run these tools with a configuration flag that instructs the .NET Framework to skip enforcement of FIPS even when configured to do so at the server level with group policy.
FIPS enforcement can be disabled by setting the runtime setting enforceFIPSPolicy to false in the application's app.config or web.config. See the MSDN article on how to change this setting.
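The following is an added example, not part of the original page or of Particular's code: a Python check that reports which .NET Framework config files set `enforceFIPSPolicy` to false, so each opt-out can be matched against a waiver. The file names and sample contents are constructed; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (assumptions for this example, not from the page).
SAMPLES = {
    # Opts the process out of FIPS enforcement, as the text above describes.
    "waived/app.config": """<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="false" />
  </runtime>
</configuration>""",
    # No element: the runtime follows the machine-wide FIPS policy.
    "default/web.config": """<configuration>
  <runtime />
</configuration>""",
    # Explicitly keeps enforcement on.
    "strict/app.config": """<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="true" />
  </runtime>
</configuration>""",
}


def fips_enforcement(config_xml):
    """Classify a config as 'disabled', 'enabled', 'default' or 'invalid'."""
    root = ET.fromstring(config_xml)
    # The element sits directly under <runtime>; its name is case-sensitive.
    node = root.find("./runtime/enforceFIPSPolicy")
    if root.tag != "configuration" or node is None:
        return "default"
    value = (node.get("enabled") or "").strip().lower()
    return {"false": "disabled", "true": "enabled"}.get(value, "invalid")


def opted_out(configs):
    """Return the sorted names of configs that switch FIPS enforcement off."""
    return sorted(name for name, xml in configs.items()
                  if fips_enforcement(xml) == "disabled")


if __name__ == "__main__":
    for name in opted_out(SAMPLES):
        print(f"{name}: enforceFIPSPolicy disabled, confirm a waiver is on file")
```

A result of `invalid` means the `enabled` attribute is neither `true` nor `false` and the file should be reviewed by hand.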