Known Issue: Error opening SmartForms on a FIPS enabled/enforced server

  • 16 February 2021

KB003355

PRODUCT
K2 Five 5.2 to 5.3
K2 blackpearl 4.7

 

Issue

An error occurs when you open SmartForms (Runtime or Designer sites) on a server where an administrator has enabled FIPS or where a Group Policy enforces it. The error occurs because K2 does not use FIPS-compliant .NET classes for hashing and signing purposes.

Error message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

The relevant Local Security Policy setting is "System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing".
fipslocalsecpol.png

You can use this article to address the issue without disabling FIPS enforcement.

 

 

Workaround

Since the release of K2 Five (5.0), the configuration setting enforceFIPSPolicy is set to false in the application configuration files for all K2 services. This prevents the error when the Setup Manager or K2 Host Server launches on FIPS-enforced servers.

To allow SmartForms to work on FIPS-enforced servers, create a new CLRConfigFile config file with the enforceFIPSPolicy property set to false, and then assign the configuration file to the SmartForms Application Pool in IIS.

The configuration affects all sites that use the same Application Pool, not just SmartForms. If you have a secondary Runtime site or your Runtime site is separate from your other K2 sites, you must apply the AppPool config to that Runtime virtual directory as well. 

Steps

  1. Create a new configuration file with the contents of the code block below. K2 recommends you store the file in the K2 root folder, for example, C:\Program Files\K2\AppPool.config:
    <?xml version="1.0" encoding="UTF-8" ?>
    <configuration>
        <runtime>
            <legacyUnhandledExceptionPolicy enabled="false" />
            <legacyImpersonationPolicy enabled="true"/>
            <alwaysFlowImpersonationPolicy enabled="false"/>
            <SymbolReadingPolicy enabled="1" />
            <shadowCopyVerifyByTimestamp enabled="true"/>
            <enforceFIPSPolicy enabled="false"/>
        </runtime>
        <startup useLegacyV2RuntimeActivationPolicy="true" />
    </configuration>
  2. Assign the config file to the Application Pool. The IIS GUI does not have a way to do this so you must use the command prompt.
    1. Open the CMD command prompt as an administrator.
    2. Run the following command; make sure to change the application pool name (K2 SmartForms in the example) to your SmartForms application pool name, and the path to the configuration file (C:\Program Files\K2\AppPool.config in the example) to the file that you created in Step 1:
      %windir%\System32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools "/[name='K2 SmartForms']".CLRConfigFile:"C:\Program Files\K2\AppPool.config" /commit:apphost
    3. After successfully running the command, do an IISReset.

You should now be able to launch SmartForms without getting the FIPS error.
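
Because the setting applies to every site in the pool, it is worth confirming which application pools actually opt out of FIPS enforcement. The following PowerShell audit is an added example, not K2 code. The function name Get-FipsOptOutPool is hypothetical, and the script assumes the default applicationHost.config location and an elevated 64-bit PowerShell session.

```powershell
# Added example (not K2 code): list IIS application pools whose CLRConfigFile
# sets enforceFIPSPolicy, next to the OS-level FIPS policy.
# Assumptions: default applicationHost.config path; elevated 64-bit PowerShell.

function Get-FipsOptOutPool {
    param(
        [string]$AppHostConfig = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )

    [xml]$appHost = Get-Content -LiteralPath $AppHostConfig -Raw
    $pools = $appHost.SelectNodes('/configuration/system.applicationHost/applicationPools/add')

    foreach ($pool in $pools) {
        $clrFile = $pool.GetAttribute('CLRConfigFile')
        if (-not $clrFile) { continue }   # pool has no custom CLR config file

        $clrFile = [Environment]::ExpandEnvironmentVariables($clrFile)
        $state = 'config file missing'

        if (Test-Path -LiteralPath $clrFile) {
            [xml]$clr = Get-Content -LiteralPath $clrFile -Raw
            $node = $clr.SelectSingleNode('/configuration/runtime/enforceFIPSPolicy')
            if ($null -eq $node) {
                $state = 'not set (OS policy applies)'
            } elseif ($node.GetAttribute('enabled') -eq 'false') {
                $state = 'FIPS enforcement DISABLED for this pool'
            } else {
                $state = 'FIPS enforcement enabled'
            }
        }

        [pscustomobject]@{
            AppPool       = $pool.GetAttribute('name')
            CLRConfigFile = $clrFile
            Policy        = $state
        }
    }
}

# OS-level setting written by the Local Security Policy / Group Policy option.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$osFips  = (Get-ItemProperty -Path $fipsKey -Name Enabled).Enabled
"OS FIPS policy enabled: $([bool]$osFips)"

Get-FipsOptOutPool | Format-Table -AutoSize
```

Any pool reported as DISABLED other than the SmartForms pool (and a separate Runtime pool, if you have one) was not part of this workaround and should be reviewed.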

Workaround - additional configuration required for K2 blackpearl 4.7

To apply the workaround to K2 blackpearl 4.7, you need to perform the following steps in addition to the workaround steps described above.

  1. In each of the following configuration files, locate the <runtime> element and add the following node:
    <enforceFIPSPolicy enabled="false" />

    (See the screenshot below for an example)
    • K2 blackpearl\Bin\controlutil.exe.config
    • K2 blackpearl\Host Server\Bin\K2HostServer.exe.config
    • K2 blackpearl\ServiceBroker\BrokerManagement.exe.config
    • K2 blackpearl\Setup\AppDeployment.exe.config
    • K2 blackpearl\Setup\controlutil.exe.config
    • K2 blackpearl\Setup\DeployPackage.exe.config
    • K2 blackpearl\Setup\Setup.exe.config
    • K2 blackpearl\Setup\SourceCode.AppDeployment.exe.config
    • K2 blackpearl\Setup\SourceCode.SetupManager.exe.config
  2. Restart the K2 server.

fipsruntime.png

 

