Activating FIPS compliance
If BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security 19.02 is installed on a server, use the FIPS Enabled option in the Encryption tab (see Encryption tab) in conjunction with the Security Policy setting to switch compliance with Federal Information Processing Standard (FIPS) 140-2 on or off:
FIPS Enabled option | Security Policy value | Is server FIPS compliant? | Description |
---|---|---|---|
Selected | Required | Yes |
|
Selected | Disabled | No | Clients communicating with the server cannot communicate with FIPS-compliant servers. |
Cleared | Optional, Required, or Disabled | No | Clients communicating with the server cannot communicate with FIPS-compliant servers. |
For an overview of FIPS, see FIPS encryption options in BMC Remedy ITSM Deployment documentation.
Note
For Java-based clients such as BMC Remedy Developer Studio and the mid tier, the first server that a client connects to determines whether the client is restricted to interacting with FIPS-compliant or noncompliant servers. Logging out of the client does not terminate the FIPS restriction. Instead, the client must be restarted.
Transition tips
If you are in the process of converting to a FIPS-compliant environment, consider these tips:
- Do not select the FIPS Enabled option for a server until all clients that must communicate with that server have the appropriate BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security 19.02 installed.
- During the transition phase, set the Security Policy to Optional on all servers that have BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security 19.02 installed so that they can communicate with clients that have not yet been upgraded to 19.02.
- Be aware that when a server's Security Policy is set to Optional and a client cannot support the encryption algorithm (such as AES) required by the server, communication between the server and client is unencrypted.
To activate FIPS compliance
- Ensure that one of these products is installed on the appropriate BMC Remedy AR System server and on any clients that will communicate with the server:
- BMC Remedy Encryption Performance Security 19.02
BMC Remedy Encryption Premium Security 19.02
Note
You can also activate FIPS compliance while installing these products. See Installing BMC Remedy Encryption Security in BMC Remedy ITSM Deployment documentation.
- Log on to the server.
- Open the AR System Administration Console.
- Click System > General > Server Information.
- In the AR System Administration: Server Information form, click the Encryption tab.
- In the New Encryption Settings area, select the FIPS Enabled option.
- In the Security Policy list, select Required.
In the Data Key Details area, select an AES algorithm.
See Configuring the data key.Note
DES and RC4 algorithms are not FIPS compliant.
- In the Public Key Details area, select an RSA algorithm.
See Configuring the public key. - Click Apply.
Restart the server.
In the AR System server configuration file, servers use one of these encryption configurations when FIPS compliance is on:Encryption level
Centralized configuration file settings
Performance
Encrypt-Security-Policy: 1
Encrypt-Data-Encryption-Algorithm: 8
Premium
Encrypt-Security-Policy: 1
Encrypt-Data-Encryption-Algorithm: 9
- Relog on to any clients that are connected to the server.
- From AR System Administration: Plugin Server Configuration form update the following settings:
- Set integer to 8 (Performance Security) or 9 (Premium Security):
<dataEncryptionAlg> integer</dataEncryptionAlg> - Ensure that integer is set to 1 (Required).
<encryptionPolicy> integer</encryptionPolicy>
- Set integer to 8 (Performance Security) or 9 (Premium Security):
- Save the settings.
- Restart the Java plug-in server.
Comments
Log in or register to comment.