Running in FIPS compliant mode
The Federal Information Processing Standard (FIPS) Publication 140-2, is a computer security standard, developed by a U.S. Government and industry working group to validate the quality of cryptographic modules.
FIPS Publication 140-2 can be downloaded from the National Institute of Standards and Technology (NIST) web site.
In previous versions you needed to enable NSS to ensure full FIPS compliance. You no longer need to do this.
- New installations of BMC Discovery20.02.02 (12.0. patch 2) use the SSLFIPS directive to enable FIPS.
- Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have not previously had FIPS enabled use the SSLFIPS directive to enable FIPS.
- Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled, continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.
BMC Discovery and FIPS
Enabling FIPS mode ensures that BMC Discovery uses only FIPS compliant cryptographic algorithms and FIPS compliant keys, though some functionality is not supported in FIPS mode, such as using SMB file systems for export or backup. FIPS mode requires that you provide the FIPS compliant SSL keys.
When not running in FIPS mode, BMC Discovery still uses FIPS compliant cryptographic algorithms where possible.
To fully enable strict FIPS compliance, you must install BMC Discovery from the kickstart DVD replacing the
custom options with
customfips. Enabling FIPS during the kickstart means that all keys and certificates generated during installation will be generated with FIPS compliant algorithms. For more information on the FIPS compliance on CentOS, see the equivalent Red Hat documentation.
You cannot mount a Windows share from a FIPS enabled appliance. The mount operation fails and an error message is written to syslog.
- To enable FIPS, you either install with
installfipsor run the t
w_fips_controlcommand after installation. Installation using the
installfipsoption does not require that
tw_fips_controlis run again after installation.
tw_fips_controlcommand is not fully FIPS compliant because during installation, any keys and certificates that are generated are not FIPS compliant. Further, the
tw_fips_controlcommand does not re-generate existing keys and/or certificates.
To enable FIPS mode on the appliance
To enable FIPS mode, you must run a script if you have not used the
installfips installation option. The script modifies the boot configuration file and regenerates the boot-time kernel but does not regenerate any keys or certificates already generated. The script requires a reboot once complete. Any modifications that have been made to the boot configuration components may conflict with FIPS mode configuration or have untoward effects.
To enable FIPS mode on the appliance:
- Login to the appliance command line as the
tw_fips_controlscript with the
Disabling FIPS mode on the appliance is accomplished by running the
tw_fips_control script with the
--disable option. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. You do not need to replace SSL keys after disabling FIPS mode.
To enable FIPS mode on the proxy
When installing a proxy the installation detects whether the Windows host is running in FIPS mode. If the host is running in FIPS mode, and you are upgrading from a very old Windows proxy version, you must replace the SSL key before running the proxy. The installer displays a dialog stating this when you install a proxy onto a FIPS enabled host.
For information on using Windows in FIPS mode, see this Microsoft knowledge base article.
To enable FIPS mode on the Discovery Outpost
Replacing NSS with SSLFIPS in upgraded systems
Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled, continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.
To replace NSS with SSLFIPS
Once you have upgraded to BMC Discovery 20.02.02 (12.0. patch 2) and tested that the system operates correctly, you can replace NSS with SSLFIPS. You must perform this procedure at the command line as the root user on each appliance in the system. To do this:
Create a temporary working directory to store files used in the procedure.
- Verify the location of the NSS certificate database. Check the
/etc/httpd/conf.d/nss.confand look for the
It should be:
- From the same file, make a note of the location and name of the passphrase file. This is under the
NSSPassPhraseDialogentry. This will be required in future steps.
List the certificates held in the NSS Database. Enter:
Export a certificate in PEM format to the
Create a single PKCS #12 file. This file is used to extract the private key. Enter:
Export the encrypted RSA key from the PKCS #12 file. Enter:
Move the NSS configuration file to the temporary directory. Enter:
Copy the certificate and key to the https configuration directory. Enter:
Restart the cluster manager service. Enter:
The 18.104.22.168 appliance/cluster should now be running with SSLFIPS.
In the UI, navigate to Administration > Appliance Configuration and view the Identification tab. Ensure that FIPS 140-2 Enabled is shown.