This documentation supports the 20.02 (12.0) version of BMC Discovery.

To view an earlier version of the product, select the version from the Product version menu.

Running in FIPS compliant mode

The Federal Information Processing Standard (FIPS) Publication 140-2, is a computer security standard, developed by a U.S. Government and industry working group to validate the quality of cryptographic modules.

FIPS Publication 140-2 can be downloaded from the National Institute of Standards and Technology (NIST) web site.

In previous versions you needed to enable NSS to ensure full FIPS compliance. You no longer need to do this.

  • New installations of BMC Discovery20.02.02 (12.0. patch 2) use the SSLFIPS directive to enable FIPS.
  • Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have not previously had FIPS enabled use the SSLFIPS directive to enable FIPS.
  • Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled, continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.

BMC Discovery and FIPS

Enabling FIPS mode ensures that BMC Discovery uses only FIPS compliant cryptographic algorithms and FIPS compliant keys, though some functionality is not supported in FIPS mode, such as using SMB file systems for export or backup. FIPS mode requires that you provide the FIPS compliant SSL keys.

When not running in FIPS mode, BMC Discovery still uses FIPS compliant cryptographic algorithms where possible.

To fully enable strict FIPS compliance, you must install BMC Discovery from the kickstart DVD replacing the install or custom options with installfips or customfips. Enabling FIPS during the kickstart means that all keys and certificates generated during installation will be generated with FIPS compliant algorithms. For more information on the FIPS compliance on CentOS, see the equivalent Red Hat documentation.

You cannot mount a Windows share from a FIPS enabled appliance. The mount operation fails and an error message is written to syslog.

Note

  • To enable FIPS, you either install with installfips or run the tw_fips_control command after installation. Installation using the installfips option does not require that tw_fips_control is run again after installation.
  • The tw_fips_control command is not fully FIPS compliant because during installation, any keys and certificates that are generated are not FIPS compliant. Further, the tw_fips_control command does not re-generate existing keys and/or certificates.

To enable FIPS mode on the appliance

To enable FIPS mode, you must run a script if you have not used the installfips installation option. The script modifies the boot configuration file and regenerates the boot-time kernel but does not regenerate any keys or certificates already generated. The script requires a reboot once complete. Any modifications that have been made to the boot configuration components may conflict with FIPS mode configuration or have untoward effects.

To enable FIPS mode on the appliance:

  1. Login to the appliance command line as the root user.
  2. Run the tw_fips_control script with the --enable option.

    [root@appliance01 ~]# /usr/tideway/bin/tw_fips_control --enable
    
    
    This script will enable or disable FIPS 140-2 mode on your Discovery appliance.
    The script must be run as the root user and FIPS 140-2 mode is only supported
    on CentOS release 7 based Discovery appliances.
    
    Please note: To enable FIPS 140-2 mode the script will modify the system's boot
    configuration files (GRUB) and regenerate the boot-time kernel. Any manual
    modifications made to these components may conflict with FIPS 140-2 mode
    configuration or have untoward effects.
    
    A reboot is required if the current kernel mode needs to change. The script will
    notify the user if this is the case.
    
    Do you want to continue to enable FIPS 140-2 mode (yes/no)? yes
    
    
    Starting FIPS 140-2 mode configuration.
    Gathering current state of the system.
    Enabling FIPS 140-2 mode.
    Rebuilding initramfs - this may take a few minutes.
    Enable FIPS 140-2 mode in grub.
    
    Configuration complete. Please reboot to enable FIPS 140-2 mode.
    
    
    [root@appliance01 ~]#  

Disabling FIPS mode on the appliance is accomplished by running the tw_fips_control script with the --disable option. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. You do not need to replace SSL keys after disabling FIPS mode.

To enable FIPS mode on the proxy

When installing a proxy the installation detects whether the Windows host is running in FIPS mode. If the host is running in FIPS mode, and you are upgrading from a very old Windows proxy version, you must replace the SSL key before running the proxy. The installer displays a dialog stating this when you install a proxy onto a FIPS enabled host.

For information on using Windows in FIPS mode, see this Microsoft knowledge base article.

To enable FIPS mode on the Discovery Outpost

When installing a Discovery Outpost the installation detects whether the Windows host is running in FIPS mode.For information on using Windows in FIPS mode, see this Microsoft knowledge base article.


Replacing NSS with SSLFIPS in upgraded systems

Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled, continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.

To replace NSS with SSLFIPS

Once you have upgraded to BMC Discovery 20.02.02 (12.0. patch 2) and tested that the system operates correctly, you can replace NSS with SSLFIPS. You must perform this procedure at the command line as the root user on each appliance in the system. To do this:

  1. Create a temporary working directory to store files used in the procedure.

    [root@appliance01 ~]# mkdir /usr/tideway/nsstmp/
  2. Verify the location of the NSS certificate database. Check the /etc/httpd/conf.d/nss.conf  and look for the NSSCertificateDatabase entry.
    It should be: /usr/tideway/nssdb
  3. From the same file, make a note of the location and name of the passphrase file. This is under the NSSPassPhraseDialog entry.   This will be required in future steps.
  4. List the certificates held in the NSS Database. Enter:

    [root@appliance01 ~]#  certutil -L -d  <NSS DB> -h all
    Certificate Nickname        Trust Attributes
                                SSL,S/MIME,JAR/XPI
    
    ADDM-Server-Cert            u,u,u
    [root@appliance01 ~]# 
  5. Export a certificate in PEM format to the /usr/tideway/nsstmp/ directory. Enter:

    [root@appliance01 ~]# certutil -L -d /usr/tideway/nssdb -n ADDM-Server-Cert -a > /usr/tideway/nsstmp/server.crt
  6. Create a single PKCS #12 file. This file is used to extract the private key. Enter:

    [root@appliance01 ~]# pk12util -d /usr/tideway/nssdb -k /etc/httpd/conf.d/password_file -n ADDM-Server-Cert -o /usr/tideway/nsstmp/output.p12
  7. Export the encrypted RSA key from the PKCS #12 file. Enter:

    [root@appliance01 ~]# openssl pkcs12 -in /usr/tideway/nsstmp/output.p12 -out /usr/tideway/nsstmp/server.key -nocerts -nodes
  8. Move the NSS configuration file to the temporary directory. Enter:

    [root@appliance01 ~]# mv /etc/httpd/conf.d/nss.conf /usr/tideway/nsstmp/
  9. Copy the certificate and key to the https configuration directory. Enter:

    [root@appliance01 ~]# cp /usr/tideway/nsstmp/server.crt /usr/tideway/etc/https/server.crt
    [root@appliance01 ~]# cp /usr/tideway/nsstmp/server.key /usr/tideway/etc/https/server.key
  10. Restart the cluster manager service. Enter:

    [root@appliance01 ~]# systemctl restart cluster

    The 12.0.0.2 appliance/cluster should now be running with SSLFIPS.

  11. In the UI, navigate to Administration > Appliance Configuration and view the Identification tab. Ensure that FIPS 140-2 Enabled is shown.


Was this page helpful? Yes No Submitting... Thank you

Comments