To use FIPS mode, you must change your application code to use functions, methods, and attributes that use algorithms approved by the National Institute of Standards and Technology (NIST). Here are the basic code changes:

  1. Replace use of the ENCODE function with the GENERATE-PASSWORD-HASH function. GENERATE-PASSWORD-HASH requires that you select a NIST-approved algorithm and a salt value.
  2. Replace the algorithm specified in the ENCRYPT and DECRYPT functions with a NIST-approved algorithm, if necessary.
  3. Replace the algorithm specified in the SECURITY-POLICY:PBE-HASH-ALGORITHM attribute with a NIST-approved algorithm, if necessary.
  4. Replace the algorithm specified in the SECURITY-POLICY:SYMMETRIC-ENCRYPTION-ALGORITHM attribute with a NIST-approved algorithm, if necessary.
  5. If using the GENERATE-PBE-KEY function, set the PBE-ALGORITHM attribute to PBKDF2 and use a salt value that is 16-512 bytes in size.
    Note: You will need to regenerate stored PBE keys.
  6. Discontinue use of the MD5-DIGEST function and SHA1-DIGEST function.
  7. Replace the algorithm specified in the MESSAGE-DIGEST function with a NIST-approved algorithm, if encrypted.
  8. Replace use of the AUDIT-POLICY:ENCRYPT-AUDIT-MAC-KEY() method with the SECURITY-POLICY:ENCODE-PASSWORD() method.

Important: If you are using non-NIST-approved algorithms, you must also manually convert your data to approved ciphers before enabling FIPS mode in your OpenEdge environment.
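
To locate the call sites that the steps above refer to, the following Python script scans ABL source text for the listed names and reports the step that covers each one. It is an added example, not Progress tooling or code from this page; the sample source and its variable names are constructed, and treating every `//` outside a string as a comment start is a simplifying assumption.

```python
import re

# Names from the list above, mapped to the numbered step that covers them.
STEP = {"ENCODE": 1, "ENCRYPT": 2, "DECRYPT": 2, "GENERATE-PBE-KEY": 5,
        "SECURITY-POLICY:PBE-HASH-ALGORITHM": 3,
        "SECURITY-POLICY:SYMMETRIC-ENCRYPTION-ALGORITHM": 4,
        "MD5-DIGEST": 6, "SHA1-DIGEST": 6, "MESSAGE-DIGEST": 7,
        "AUDIT-POLICY:ENCRYPT-AUDIT-MAC-KEY": 8}
# A whole ABL name: hyphens belong to it, colons join object and member.
NAME = re.compile(r"[A-Za-z][\w-]*(?::[A-Za-z][\w-]*)*")

def strip_noise(src):
    """Blank comments (nested /* */, //) and string literals; keep newlines."""
    out, i, depth, quote = [], 0, 0, None
    while i < len(src):
        two, n, keep = src[i:i + 2], 1, False
        if quote:
            n = 2 if src[i] == "~" else 1   # tilde escapes the next character
            quote = None if src[i] == quote else quote
        elif depth:
            if two in ("/*", "*/"):
                depth, n = depth + (1 if two == "/*" else -1), 2
        elif two == "/*":
            depth, n = 1, 2
        elif two == "//":
            end = src.find("\n", i)
            n = (end if end >= 0 else len(src)) - i
        elif src[i] in "\"'":
            quote = src[i]
        else:
            keep = True
        out.append(src[i] if keep else re.sub(r"[^\n]", " ", src[i:i + n]))
        i += n
    return "".join(out)

def scan(src):
    """Return (line, NAME, step) for each listed name used in ABL source."""
    clean = strip_noise(src).splitlines()
    return [(no, m.group().upper(), STEP[m.group().upper()])
            for no, line in enumerate(clean, 1)
            for m in NAME.finditer(line) if m.group().upper() in STEP]

# Constructed sample source, not from any real application.
SAMPLE = '''/* old: /* nested */ ENCODE(x) inside a comment */
cHash = ENCODE(cPassword).
MESSAGE "call MD5-DIGEST later" VIEW-AS ALERT-BOX. // SHA1-DIGEST(x)
rDigest = md5-digest(cData).
cMac = SECURITY-POLICY:ENCODE-PASSWORD(BASE64-ENCODE(rDigest)).
'''
```

Because names are matched whole, `ENCODE` is reported but `SECURITY-POLICY:ENCODE-PASSWORD` and `BASE64-ENCODE` are not. The scan only locates names for review; it does not inspect algorithm arguments or salt sizes.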