Installing FIPS certified packages on SUSE Linux Enterprise Server 15 SP6 and SP7


SUSE has certified and is currently certifying various cryptographic modules for FIPS 140-3 on SUSE Linux Enterprise Server 15 SP6.

Nearly all of those modules certified on SLES 15 SP6 can also be used on SLES 15 SP7, and for this purpose they are delivered to the SLES 15 SP7 Certifications Module.

The modules consist of the RPMs listed in the table below (note: some modules comprise multiple RPMs, and all of them need to be installed at the specified version).

| Module | RPM(s) | Notes |
|---|---|---|
| OpenSSL 3 | libopenssl-3-fips-provider-3.1.4-150600.5.15.1 | Only the FIPS provider needs to be fixed, the openssl 3.2 on SP7 can use the certified FIPS provider. |
| GnuTLS | libhogweed6-3.9.1-150600.3.2.1, libnettle8-3.9.1-150600.3.2.1, libgnutls30-3.8.3-150600.4.6.2 | |
| OpenSSL 1.1 | libopenssl1_1-1.1.1w-150600.5.12.2 | |
| libgcrypt | libgcrypt20-1.10.3-150600.3.6.1 | |
| Mozilla NSS | libfreebl3-3.101.2-150400.3.54.1, libsoftokn3-3.101.2-150400.3.54.1 | |
| Kernel | kernel-default-6.4.0-150600.23.25.1, libkcapi-tools-0.13.0-150600.17.3.1, dracut-fips-059+suse.521.g8412a1c0-150600.1.3 | Not available for SP7. |
| Kernel RT | kernel-rt-6.4.0-150600.10.17.1, libkcapi-tools-0.13.0-150600.17.3.1, dracut-fips-059+suse.521.g8412a1c0-150600.1.3 | Not available for SP7. Needs SLE Realtime subscription. |

To install them:

Enable the Certifications Module via the regular registration workflows (no separate subscription is required; it is part of the SLES subscription).

This is only needed on SUSE Linux Enterprise Server 15 SP7. On SP6 they are in the regular Basesystem module.

Install the certified RPM(s):
zypper in -f RPMNAME-VERSION-RELEASE
Example:
zypper in -f libopenssl-3-fips-provider-3.1.4-150600.5.15.1

Lock the RPM(s) to avoid future upgrades:
zypper addlock RPMNAME
Example:
zypper addlock libopenssl-3-fips-provider

Please note that on future updates the update stack will report conflicts.

When given a conflict resolution choice, always select the option that has only “Do not install patch SUSE-SLE-Module-Basesystem-15-SP7-ID” entries.

Do not select options with “remove lock” or “downgrade” actions.

FIPS mode also needs to be enabled according to the documentation. One way is to run the following as root:

zypper in crypto-policies-scripts
fips-mode-setup --enable
reboot
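
After later update runs it is worth checking that the pinned versions, the locks and FIPS mode are all still in place. The script below is an added example, not SUSE tooling: it compares installed versions and zypper locks against the userland rows of the table above. The function names, the report labels and the parsing of the "zypper locks" table are assumptions of this example.

```shell
#!/bin/bash
# Added example, not SUSE's tooling. Certified NAME VERSION-RELEASE pairs copied
# from the table above; kernel rows omitted ("Not available for SP7").
CERTIFIED='libopenssl-3-fips-provider 3.1.4-150600.5.15.1
libhogweed6 3.9.1-150600.3.2.1
libnettle8 3.9.1-150600.3.2.1
libgnutls30 3.8.3-150600.4.6.2
libopenssl1_1 1.1.1w-150600.5.12.2
libgcrypt20 1.10.3-150600.3.6.1
libfreebl3 3.101.2-150400.3.54.1
libsoftokn3 3.101.2-150400.3.54.1'

# audit_fips_rpms INSTALLED LOCKS
#   INSTALLED: "NAME VERSION-RELEASE" lines; LOCKS: one locked name per line.
# Prints one finding per package; returns 1 on version drift or a missing lock.
# A package that is not installed at all is reported but does not fail the audit.
audit_fips_rpms() {
    local installed="$1" locks="$2" rc=0 name want have
    while read -r name want; do
        have=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "ABSENT   $name (certified: $want)"
        elif [ "$have" != "$want" ]; then
            echo "DRIFT    $name installed=$have certified=$want"; rc=1
        elif ! printf '%s\n' "$locks" | grep -qxF -- "$name"; then
            echo "UNLOCKED $name $have"; rc=1
        else
            echo "OK       $name $have"
        fi
    done <<EOF
$CERTIFIED
EOF
    return $rc
}

# Live wrapper for a SLES host. Assumes rpm and zypper are on PATH and that
# "zypper locks" prints its usual "# | Name | Type | ..." table.
audit_live() {
    local names installed locks rc=0
    names=$(printf '%s\n' "$CERTIFIED" | awk '{ print $1 }')
    installed=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $names | grep -v 'is not installed')
    locks=$(zypper --quiet locks | awk -F'|' '$1 ~ /^ *[0-9]+ *$/ { gsub(/ /, "", $2); print $2 }')
    audit_fips_rpms "$installed" "$locks" || rc=1
    # /proc/sys/crypto/fips_enabled reads 1 once the kernel runs in FIPS mode.
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] || { echo "FIPS mode is not enabled"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live on the host; a non-zero exit status means a certified package has drifted, lost its lock, or FIPS mode is off.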
