Use FIPS-compliant encryption algorithms for Microsoft Dynamics AX Retail

In Microsoft Dynamics AX Retail, encryption algorithms are used to encrypt EFT credentials, the Real-time Service password, cashier and channel database passwords, and device tokens.

The encryption algorithms that you use can be configured to be compliant with FIPS (Federal Information Processing Standard). FIPS is a security standard that all government contractors, non-military government agencies and vendors working with government agencies must follow regarding encryption, document processing, and other IT products and services. FIPS specifies which encryption algorithms and hashing algorithms can be used, and how encryption keys are to be generated and managed.

Use FIPS-compliant algorithms in a retail environment

By default, in applications that are built on the Microsoft .NET platform, a set of friendly algorithm names (for example, "SHA512") is mapped to implementations that are not FIPS-compliant. For more information about the default mapping, see HashAlgorithm.Create Method (String). However, the .NET platform supports cryptographic agility, which means that code is not required to use a specific algorithm or a specific implementation of that algorithm. You can therefore switch a .NET application to a FIPS-compliant hashing implementation by changing the name mapping, without changing code or issuing a hotfix.

Change the default algorithm mappings by completing the following procedure.

Warning

This change will affect all of the .NET applications that run on the computer.

  1. Locate the machine.config file for the server. Typically, this file is located in the %runtime install path%\Config directory. Note that the file location may be different for different versions of the .NET Framework.

    For more information about machine.config files, see Machine Configuration Files.

  2. Open the machine.config file and, inside the <configuration> element, map the algorithm names to the preferred algorithms. Use the full name of the target algorithm in the mapping, including the assembly name, version, culture and public key token. The attribute name on the cryptoClass element (MyPreferredHash in the example) is a friendly name that you choose; the nameEntry element then binds the algorithm name that applications ask for (SHA512) to that friendly name.

    <mscorlib>
      <cryptographySettings>
        <cryptoNameMapping>
          <cryptoClasses>
            <cryptoClass MyPreferredHash="System.Security.Cryptography.SHA512CryptoServiceProvider, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          </cryptoClasses>
          <nameEntry name="SHA512" class="MyPreferredHash"/>
        </cryptoNameMapping>
      </cryptographySettings>
    </mscorlib>

  3. After the mapping has been updated, enter the algorithm names in the Retail shared parameters form. (Click Retail > Setup > Parameters > Retail shared parameters.) Retail uses the algorithm name to create the hash algorithm that is used by the system to encrypt credentials. For more information, see Retail shared parameters (form).
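The following script is an added verification step, not part of the original article or of Microsoft Dynamics AX Retail. Run it in Windows PowerShell 5.1 (which runs on the .NET Framework) after editing machine.config: it reports which machine.config that runtime reads, whether the operating-system FIPS policy is enabled, and which concrete class the name "SHA512" now resolves to when created by name, which is how Retail creates its hash algorithm. The sample input is a constructed value.

```powershell
# Added example (not from the original article). Confirms that the friendly name
# "SHA512" resolves to the FIPS-validated CSP implementation after the
# <cryptoNameMapping> change. Windows PowerShell 5.1 only: PowerShell 7 runs on
# .NET Core, which does not read machine.config crypto mappings.

# Show which machine.config this runtime reads. A 32-bit process reads the copy
# under Framework\, a 64-bit process the copy under Framework64\; edit the one
# that the Retail components actually load.
$runtimeDir = [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
Write-Host "Runtime directory  : $runtimeDir"
Write-Host "machine.config     : $(Join-Path $runtimeDir 'Config\machine.config')"

# Report whether the OS-level FIPS policy is enforced. When it is, .NET refuses to
# instantiate non-validated classes such as SHA512Managed at all.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$fipsOn = ($null -ne $fips) -and ($fips.Enabled -eq 1)
Write-Host "FIPS policy enabled: $fipsOn"

# Resolve the name the same way Retail does: by friendly name through CryptoConfig.
$byName = [System.Security.Cryptography.HashAlgorithm]::Create('SHA512')
if ($null -eq $byName) { throw "No algorithm is mapped to the name 'SHA512'." }
$actual = $byName.GetType().FullName
Write-Host "'SHA512' resolves to: $actual"

# After the mapping this should be the CSP class; before it, the default is
# SHA512Managed, which is not FIPS-validated.
$expected = 'System.Security.Cryptography.SHA512CryptoServiceProvider'
if ($actual -ne $expected) {
    Write-Warning "Mapping is not in effect for this runtime; expected $expected."
}

# Both implementations compute the same SHA-512 function, so switching them changes
# the validation status of the code path, not the digests already stored.
$sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')  # constructed value
$csp = New-Object System.Security.Cryptography.SHA512CryptoServiceProvider
$digestByName = [System.BitConverter]::ToString($byName.ComputeHash($sample))
$digestCsp    = [System.BitConverter]::ToString($csp.ComputeHash($sample))
Write-Host "Digests match      : $($digestByName -eq $digestCsp)"

$byName.Dispose()
$csp.Dispose()
```

If the warning appears even though machine.config was edited, check that the edited file belongs to the same .NET Framework version and bitness as the process you are testing from.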
