
SQL*Plus in a FIPS 140-3 World


FIPS 140-3 is not just a checkbox. It’s a federal cryptographic standard. If you connect to an Oracle database with SQL*Plus in a FIPS 140-3 enforced environment, every handshake, every cipher, every random number matters. The wrong algorithm and the connection fails. The right one and your queries run. Simple. Brutal.

SQL*Plus, by default, may not align with a locked-down FIPS 140-3 policy. Older configurations rely on cryptographic modules that no longer meet the bar. Oracle Database and its client tools can run in a FIPS-validated mode, but only when built, configured, and run with modules that match the NIST-approved set. This means OpenSSL or Oracle's PKCS#11 implementation must be set to FIPS mode before SQL*Plus starts. It means no SHA-1, no non-approved curves, no weak random sources.

When FIPS 140-3 is enabled at the OS or network stack, SQL*Plus negotiates TLS using only approved ciphers. If anything in the chain is out of compliance—driver, listener, wallet—your session dies before login. To pass, the SQLNET.ORA and SSL configurations must explicitly point to FIPS-validated libraries. The database wallet must store keys with an approved cipher suite. The handshake must succeed without downgrade.


Many break their workflow here. They toggle FIPS mode, run sqlplus user@db, and hit ORA-28860 or similar errors. The fix is often in matching tools and libraries to the security mode: installing the right Oracle Instant Client build, configuring TLS 1.2+ with approved suites, loading the correct crypto provider, and validating with openssl version -fips.
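A pre-flight check for the client-side settings described above, as an added example that is not from the original post or from Oracle: it reads the `SSL_VERSION` and `SSL_CIPHER_SUITES` parameters of a sqlnet.ora file and reports anything that conflicts with the rules stated here (TLS 1.2+, no SHA-1). The function name, the deny rules and both sample configurations are assumptions constructed for illustration, not an authoritative list of approved suites.

```python
import re

# Deny rules built from the post's own rules (TLS 1.2+, no SHA-1) plus a few
# well-known weak tokens (assumption). Not a NIST-approved suite list.
ALLOWED_VERSIONS = {"1.2", "1.3"}
WEAK_TOKENS = ("RC4", "3DES", "_DES_", "NULL", "MD5", "EXPORT", "anon")

def audit_sqlnet(text):
    """Return findings for a sqlnet.ora body; an empty list means clean."""
    body = re.sub(r"#[^\n]*", "", text)            # drop comments
    params = {m.group(1).upper(): m.group(2).strip()
              for m in re.finditer(r"([\w.]+)\s*=\s*(\([^)]*\)|[^\n]*)", body)}
    findings = []

    versions = re.findall(r"\d\.\d", params.get("SSL_VERSION", ""))
    if not versions:
        findings.append("SSL_VERSION: protocol version is not pinned")
    for v in versions:
        if v not in ALLOWED_VERSIONS:
            findings.append(f"SSL_VERSION allows {v}: below TLS 1.2")

    suites = re.findall(r"\w+", params.get("SSL_CIPHER_SUITES", ""))
    if not suites:
        findings.append("SSL_CIPHER_SUITES: no explicit suite list")
    for suite in suites:
        if suite.endswith("_SHA"):                 # bare _SHA means SHA-1 MAC
            findings.append(f"{suite}: SHA-1 MAC")
        elif any(tok in suite for tok in WEAK_TOKENS):
            findings.append(f"{suite}: weak cipher or digest")
    return findings

# Constructed sample configurations (not from the original post).
SAMPLE_WEAK = """
SSL_VERSION = 1.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
"""
SAMPLE_PINNED = """
# TLS 1.2 only, SHA-2 based suite
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("pinned", SAMPLE_PINNED)):
        print(name, audit_sqlnet(cfg) or "no findings")
```

A clean result only means the file does not request a weak protocol or suite; the negotiated suite still has to be confirmed against a live handshake.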

Testing the pipeline matters. Run the client in an environment with enforced FIPS mode, use verbose SSL logging, and confirm the cipher suite name in the connection output. Audit certificates for key length and algorithm approval. Confirm no fallback to non-FIPS modules under load.

With SQL*Plus and FIPS 140-3, passing is binary. You meet the standard or you fail the connection.

If you want to build, test, and prove this in minutes without touching production, try it on hoop.dev. Spin up an environment, enforce FIPS mode, run SQL*Plus, and watch the handshake succeed. Security compliance is real when you can see it live.
