Enabling NSS

The mod_ssl Apache library used in BMC Atrium Discovery is not FIPS 140-2 compliant. To achieve strict compliance you must modify the appliance to use mod_nss rather than mod_ssl. See the Mozilla website for an overview of NSS.

Restrictions

  • The HTTPS administration tools provided in the BMC Atrium Discovery UI should not be used after making these configuration changes.
  • Any changes made to ssl.conf during an upgrade are not made to nss.conf.
  • A BMC Atrium Discovery upgrade may overwrite your changes or re-enable SSL.

The changes that you must make to enable NSS are:

  • Import the correctly formatted certificate and key (pkcs12) into the NSS database. The database is created by this process.
  • Ensure permissions are correct on the database
  • Configure nss.conf and disable ssl.conf

Preparing to configure NSS 

Before you can configure NSS, you must have keys in the pkcs12 format suitable for importing into the NSS database. Depending on whether you generate keys using BMC Atrium Discovery or already have your own keys, you must perform one or both of the following preparatory steps:

  • Generating self signed keys
  • Converting your keys

If you have your own keys and they are already in pkcs12 format, proceed directly to the To configure NSS procedure.

Generating self signed keys

If you do not have your own certificates and keys:

  1. Use the BMC Atrium Discovery HTTPS Configuration UI to generate self signed keys.
  2. Start the Converting your keys procedure.

Converting your keys

If you have your own keys and they are not in pkcs12 format, or if you have just generated keys using the HTTPS Configuration UI:

  1. Stop the services (tideway, cluster, omniNames, httpd, appliance).
  2. Convert your server certificate and key (server.crt and server.key).

    [root@localhost test]# openssl pkcs12 -export -in /etc/httpd/conf/ssl.crt/server.crt -inkey /etc/httpd/conf/ssl.key/server.key -out server.p12 -name "ADDM-Server-Cert" -passout pass:'Pa55wud!'

To configure NSS

  1. As the root user, create the NSS database directory.

    [root@localhost test]# mkdir /usr/tideway/nssdb
    
  2. Import the correctly formatted server certificate and key ensuring that you specify a password.

    This password is used for the NSS DB tokens (including the NSS FIPS 140-2 Certificate DB), so ensure that its complexity meets your requirements.
    The password requested here is not the password provided during pkcs12 file generation, but the password for the "NSS Certificate DB" and "NSS FIPS 140-2 Certificate DB" tokens in the NSS database. A password must be set, or httpd will fail to start when NSSFips is set to on.

    This example uses /usr/tideway/nssdb to store the NSS database. The default NSS database location is /etc/httpd/alias, and files are created there by the installation of the NSS RPMs supplied in the RHEL distribution. That database may have been generated with out-of-date binaries. To use the default location, all files under /etc/httpd/alias should be removed first.

    [root@localhost test]# pk12util -i server.p12 -d /usr/tideway/nssdb -W 'Pa55wud!'
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.
    
    Enter new password:
    Re-enter password:
    pk12util: PKCS12 IMPORT SUCCESSFUL
    [root@localhost test]#
  3. Confirm the import using the following command:

    [root@localhost test]# certutil -L -d /usr/tideway/nssdb
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    ADDM-Server-Cert                                             u,u,u
    [root@localhost test]
  4. Enable FIPS token in the NSS DB

    [root@localhost test]# modutil -fips true -dbdir /usr/tideway/nssdb
    
    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:
    
    FIPS mode enabled.
    [root@localhost test]#
  5. Set the permissions on the NSS DB so that only the apache and root users can read or write the files.

    [root@localhost tideway]# chown -R apache:apache /usr/tideway/nssdb
    [root@localhost tideway]#
  6. Create /etc/httpd/conf.d/nss.conf. This configuration replaces mod_ssl with mod_nss and uses port 443 to avoid modifications to the firewall.

    #
    # This is the Apache server configuration file providing SSL support using.
    # the mod_nss plugin.  It contains the configuration directives to instruct
    # the server how to serve pages over an https connection.
    #
    
    LoadModule nss_module modules/libmodnss.so
    
    #
    # When we also provide SSL we have to listen to the
    # standard HTTP port (see above) and to the HTTPS port
    # Using port 443 to avoid firewall modifications
    Listen 443
    
  7. NSSPassPhraseDialog builtin prompts for the database password when the httpd service is started.

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##
    
    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    
    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    NSSPassPhraseDialog  builtin
    
  8. The builtin dialog can be replaced with the location of a password file; see Create and use a password file below.

    #   Pass Phrase Helper:
    #   This helper program stores the token password pins between
    #   restarts of Apache.
    NSSPassPhraseHelper /usr/sbin/nss_pcache
    
  9. The default for NSSSessionCacheTimeout is 100. This value is set to 300 to match the BMC Atrium Discovery web server's SSL configuration.

    #   Configure the SSL Session Cache.
    #   NSSSessionCacheSize is the number of entries in the cache.
    #   NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
    #   NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
    NSSSessionCacheSize 10000
    NSSSessionCacheTimeout 300
    NSSSession3CacheTimeout 86400
    

    The NSSRandomSeed in the example is set to use /dev/urandom to avoid entropy blocking issues. The use of /dev/urandom matches the default SSL configuration when using the BMC Atrium Discovery HTTPS generation process.

    # Pseudo Random Number Generator (PRNG):
    #NSSRandomSeed startup file:/dev/random  512
    NSSRandomSeed startup file:/dev/urandom 512
    
    # TLS Negotiation configuration under RFC 5746
    #
    # Only renegotiate if the peer's hello bears the TLS renegotiation_info
    # extension. Default off.
    NSSRenegotiation off
    
    # Peer must send Signaling Cipher Suite Value (SCSV) or
    # Renegotiation Info (RI) extension in ALL handshakes.  Default: off
    NSSRequireSafeNegotiation off
    
  10. Start of the Virtual Host configuration:

    ##
    ## SSL Virtual Host Context
    ##
    
    <VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    LogFormat "%h %l %u %t %m %U %H %>s %b"
    TransferLog logs/ssl_access_log
    LogLevel warn
    ServerName localhost.localdomain
    
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    NSSEngine on
    
    #   Enable FIPS
    NSSFips on
    
    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
    
    # Supported Protocols
    NSSProtocol TLSv1.1
    
    #   SSL Certificate Nickname:
    #   The nickname of the RSA server certificate you are going to use.
    NSSNickname ADDM-Server-Cert
    
    #   Server Certificate Database:
    NSSCertificateDatabase /usr/tideway/nssdb
    
    #   Client Authentication (Type):
    #   Client certificate verification type.  Types are none, optional and
    #   require.
    NSSVerifyClient none
    
  11. NSSVerifyClient is set to none; the appropriate value depends on your environment.

    #   Enforce valid certificates:
    #   Required off if using self-signed certs.
    NSSEnforceValidCerts off
    
  12. NSSEnforceValidCerts is set to off to allow self-signed certificates to be present in the database.

    # Redirect all UI requests to the cluster management status display if it is active
    RewriteCond /usr/tideway/var/cluster-manager-redirect-marker -f
    RewriteRule ^/ui($|/.*) /status_display/status-display.html?name=ClusterManager [R,L]
    
    # Redirect all UI requests to the ADDM upgrade status display if it is active
    RewriteCond /usr/tideway/var/upgrade-redirect-marker -f
    RewriteRule ^/ui($|/.*) /status_display/status-display.html?name=upgrade [R,L]
    
    # Redirect all UI requests to the tw_model_wipe status display if it is active
    RewriteCond /usr/tideway/var/model-wipe-redirect-marker -f
    RewriteRule ^/ui($|/.*) /status_display/status-display.html?name=model_wipe [R,L]
    
    # Redirect all UI requests if we have been ejected from the cluster
    RewriteCond /usr/tideway/var/ejected-redirect-marker -f
    RewriteRule ^/ui($|/.*) /ejected-from-cluster.html [PT,L]
    
    # Redirect all UI requests to the backup status display if it is active
    RewriteCond /usr/tideway/var/backup-redirect-marker -f
    RewriteRule ^/ui($|/.*) /status_display/status-display.html?name=backup [R,L]
    
    # Redirect all UI requests to the disk configuration status display if it is active
    RewriteCond /usr/tideway/var/disk-configuration-redirect-marker -f
    RewriteRule ^/ui($|/.*) /status_display/status-display.html?name=disk_configuration [R,L]
    
    # Redirect all UI requests if we've shutdown because of disk space
    RewriteCond /usr/tideway/var/shutdown-disk-space-marker -f
    RewriteRule ^/ui($|/.*) /shutdown-disk-space.html [PT,L]
    
    # Otherwise, redirect all UI requests if services are stopped
    RewriteCond /var/lock/subsys/tideway !-f
    RewriteRule ^/ui($|/.*) /shutdown-services.html [PT,L]
    
    # Rewrite rules for documentation
    Include conf.d/documentation.conf
    </VirtualHost>
    
    <Location /ui>
    NSSOptions +StdEnvVars +ExportCertData
    </Location>
  13. Set permissions of the /etc/httpd/conf.d/nss.conf file. The file needs to be readable by the apache user.
  14. Move out or delete /etc/httpd/conf.d/ssl.conf.
  15. Start httpd to confirm the configuration. This requires the NSS database password.
  16. Restart all services.

Additional configuration (optional)

The following configuration steps are optional:

  • Create and use a password file
  • Enabling port 80 to port 443 redirection

Create and use a password file

Rather than being prompted for a password when starting httpd, you can use a password file. To do this:

  1. Create a file with the following contents:

    Internal:<password>
    NSS FIPS 140-2 Certificate DB:<password>
  2. The password is the password of the tokens in the NSS database. Update the NSSPassPhraseDialog directive to the format shown below, referring to the file you created:

    NSSPassPhraseDialog file:/path/to/file

    The apache user needs to read this file, but permissions should be as tight as possible, for example apache:apache 600.
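A quick way to confirm that the nss.conf produced by the procedure above and the optional token password file match what this page requires, as an added example (not part of the BMC documentation): both functions take a file path as a parameter, report each deviation, and return non-zero if anything is wrong.

```shell
# Added example, not part of the BMC documentation: audit an nss.conf (and the
# optional token password file) against the settings described on this page.
# File paths are parameters; nothing here is specific to one appliance.

# Print each deviation and return 1; return 0 when every check passes.
audit_nss_conf() {
    conf="$1"
    rc=0
    # directive=expected value; an empty expected value only requires presence
    for pair in "NSSEngine=on" "NSSFips=on" "NSSCertificateDatabase=" \
                "NSSNickname=" "NSSPassPhraseDialog=" "NSSProtocol="; do
        name=${pair%%=*}
        want=${pair#*=}
        # first occurrence of the directive, value only, trailing blanks dropped
        got=$(sed -n "s/^[[:space:]]*$name[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$conf" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING  $name"; rc=1
        elif [ -n "$want" ] && [ "$got" != "$want" ]; then
            echo "WRONG    $name is '$got', expected '$want'"; rc=1
        fi
    done
    # Step 14 of the procedure: ssl.conf must have been moved out of or deleted
    # from the directory holding nss.conf, so mod_ssl is no longer configured.
    if [ -e "$(dirname "$conf")/ssl.conf" ]; then
        echo "CONFLICT ssl.conf still present next to $conf"; rc=1
    fi
    return $rc
}

# The password file must name both tokens from the page with non-empty
# passwords and be readable only by its owner (mode 600 or 400).
audit_password_file() {
    pwfile="$1"
    rc=0
    for token in "Internal" "NSS FIPS 140-2 Certificate DB"; do
        grep -q "^$token:.\{1,\}" "$pwfile" || { echo "MISSING  $token"; rc=1; }
    done
    mode=$(stat -c %a "$pwfile" 2>/dev/null || stat -f %Lp "$pwfile")
    case "$mode" in
        600|400) ;;
        *) echo "PERMS    $pwfile is mode $mode, expected 600"; rc=1 ;;
    esac
    return $rc
}
```

Run it as `audit_nss_conf /etc/httpd/conf.d/nss.conf` and, if you use one, `audit_password_file /path/to/file` before starting httpd.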

Enabling port 80 to port 443 redirection

To enable port 80 to port 443 redirection, add the following to the top of the nss.conf file.

#
# This is the Apache server configuration file providing SSL support using.
# the mod_nss plugin.  It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#

LoadModule nss_module modules/libmodnss.so

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
# Using port 443 to avoid firewall modifications
Listen 443

# Redirect port 80 to 443
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L,NE]
</VirtualHost>