Running in FIPS compliant mode
The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard, developed by a U.S. Government and industry working group, to validate the quality of cryptographic modules.
FIPS Publication 140-2 can be downloaded from the National Institute of Standards and Technology (NIST) website.
In previous versions, you needed to enable NSS to ensure full FIPS compliance. You no longer need to do this.
- New installations of BMC Discovery 20.02.02 (12.0. patch 2) use the SSLFIPS directive to enable FIPS.
- Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have not previously had FIPS enabled use the SSLFIPS directive to enable FIPS.
- Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.
FIPS terminology
FIPS 140-2 compliant means you are using FIPS 140-2 compliant algorithms.
FIPS 140-2 certified (also referred to as validated) means you are using a certified implementation of FIPS 140-2 algorithms. The certification is a formal process in which the code must be validated by one of a group of NIST laboratories.
Certification and compliance
The BMC Discovery appliance and the Outpost use FIPS 140-2 compliant algorithms so are FIPS 140-2 compliant.
On Linux, for the BMC Discovery appliance, when FIPS mode is enabled we use the Red Hat certified implementation, so the appliance is both compliant and certified.
On Windows, when FIPS mode is enabled the BMC Discovery Outpost and Windows Proxies use the OpenSSL certified implementation (the OpenSSL FIPS module). However, because of a technical incompatibility with SNMP v3 discovery requests, the discovery worker processes run by the Outpost service _cannot_ use the FIPS module. Consequently, the Outpost and Windows Proxies are FIPS 140-2 compliant but do not always use certified implementations.
BMC Discovery and FIPS
Enabling FIPS mode ensures that BMC Discovery uses only FIPS-compliant cryptographic algorithms and FIPS compliant keys, though some functionality is not supported in FIPS mode, such as using SMB file systems for export or backup. FIPS mode requires that you provide the FIPS-compliant SSL keys.
When not running in FIPS mode, BMC Discovery still uses FIPS-compliant cryptographic algorithms where possible.
To fully enable strict FIPS compliance, you must install BMC Discovery from the kickstart DVD, replacing the install or custom options with installfips or customfips. Enabling FIPS during the kickstart means that all keys and certificates generated during installation are generated with FIPS compliant algorithms. For more information on FIPS compliance on CentOS, see the equivalent Red Hat documentation.
You cannot mount a Windows share from a FIPS-enabled appliance. The mount operation fails and an error message is written to syslog.
Note
- To enable FIPS, you either install with the installfips option or run the tw_fips_control command after installation. Installation using the installfips option does not require that tw_fips_control is run again after installation.
- The tw_fips_control command is not fully FIPS compliant because, during installation, any keys and certificates that are generated are not FIPS compliant. Further, the tw_fips_control command does not re-generate existing keys and/or certificates.
To enable FIPS mode on the appliance
To enable FIPS mode, you must run a script if you have not used the installfips installation option. The script modifies the boot configuration file and regenerates the boot-time kernel but does not regenerate any keys or certificates already generated. The script requires a reboot once complete. Any modifications that have been made to the boot configuration components may conflict with FIPS mode configuration or have untoward effects.
To enable FIPS mode on the appliance:
- Log in to the appliance command line as the root user. Run the tw_fips_control script with the --enable option.
[root@appliance01 ~]# /usr/tideway/bin/tw_fips_control --enable
This script will enable or disable FIPS 140-2 mode on your Discovery appliance.
The script must be run as the root user and FIPS 140-2 mode is only supported on CentOS release 7 based Discovery appliances.
Please note: To enable FIPS 140-2 mode the script will modify the system's boot configuration files (GRUB) and regenerate the boot-time kernel. Any manual modifications made to these components may conflict with FIPS 140-2 mode configuration or have untoward effects.
A reboot is required if the current kernel mode needs to change. The script will notify the user if this is the case.
Do you want to continue to enable FIPS 140-2 mode (yes/no)? yes
Starting FIPS 140-2 mode configuration.
Gathering current state of the system.
Enabling FIPS 140-2 mode.
Rebuilding initramfs - this may take a few minutes.
Enable FIPS 140-2 mode in grub.
Configuration complete. Please reboot to enable FIPS 140-2 mode.
[root@appliance01 ~]#
Disabling FIPS mode on the appliance is accomplished by running the tw_fips_control script with the --disable option. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. You do not need to replace SSL keys after disabling FIPS mode.
To enable FIPS mode on the host on which the Windows proxy is installed
When you install a proxy, the installer detects whether the Windows host is running in FIPS mode. If the host is running in FIPS mode and you are upgrading from a very old Windows proxy version, you must replace the SSL key before running the proxy. The installer displays a dialog stating this when you install a proxy onto a FIPS-enabled host.
For information on using Windows in FIPS mode, see this Microsoft knowledge base article.
To enable FIPS mode on the server where Discovery Outpost is installed
When you install a Discovery Outpost, the installer detects whether the Windows host is running in FIPS mode. For information on using Windows in FIPS mode, see this Microsoft knowledge base article.
Replacing NSS with SSLFIPS in upgraded systems
Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.
To replace NSS with SSLFIPS
Once you have upgraded to BMC Discovery 20.02.02 (12.0. patch 2) and tested that the system operates correctly, you can replace NSS with SSLFIPS. You must perform this procedure at the command line as the root user on each appliance in the system. To do this:
- Create a temporary working directory to store files used in the procedure.
[root@appliance01 ~]# mkdir /usr/tideway/nsstmp/
- Verify the location of the NSS certificate database. Check the /etc/httpd/conf.d/nss.conf file and look for the NSSCertificateDatabase entry. It should be /usr/tideway/nssdb.
- From the same file, make a note of the location and name of the passphrase file. This is under the NSSPassPhraseDialog entry and is required in later steps.
- List the certificates held in the NSS database. Enter:
[root@appliance01 ~]# certutil -L -d <NSS DB> -h all
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ADDM-Server-Cert                                             u,u,u
[root@appliance01 ~]#
- Export the certificate in PEM format to the /usr/tideway/nsstmp/ directory. Enter:
[root@appliance01 ~]# certutil -L -d /usr/tideway/nssdb -n ADDM-Server-Cert -a > /usr/tideway/nsstmp/server.crt
- Create a single PKCS #12 file. This file is used to extract the private key. Enter:
[root@appliance01 ~]# pk12util -d /usr/tideway/nssdb -k /etc/httpd/conf.d/password_file -n ADDM-Server-Cert -o /usr/tideway/nsstmp/output.p12
- Extract the RSA private key from the PKCS #12 file. The -nodes option writes the key unencrypted, which is the form the https configuration expects. Enter:
[root@appliance01 ~]# openssl pkcs12 -in /usr/tideway/nsstmp/output.p12 -out /usr/tideway/nsstmp/server.key -nocerts -nodes
- Move the NSS configuration file to the temporary directory. Enter:
[root@appliance01 ~]# mv /etc/httpd/conf.d/nss.conf /usr/tideway/nsstmp/
- Copy the certificate and key to the https configuration directory. Enter:
[root@appliance01 ~]# cp /usr/tideway/nsstmp/server.crt /usr/tideway/etc/https/server.crt
[root@appliance01 ~]# cp /usr/tideway/nsstmp/server.key /usr/tideway/etc/https/server.key
- Restart the cluster manager service. Enter:
[root@appliance01 ~]# systemctl restart cluster
The appliance or cluster should now be running with SSLFIPS. Note that /usr/tideway/nsstmp/ still holds an unencrypted copy of the private key and the PKCS #12 file; remove the directory once you have verified the migration.
In the UI, navigate to Administration > Appliance Configuration and view the Identification tab. Ensure that FIPS 140-2 Enabled is shown.
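The migration steps above as one script, added here as an example rather than BMC's own tooling: it reads the NSSCertificateDatabase and NSSPassPhraseDialog values from nss.conf instead of hard-coding them, checks the exported certificate and key before the live configuration is replaced, and only runs the migration when RUN_MIGRATION=1 is set. The helper names, the RUN_MIGRATION switch and the assumption that the passphrase directive has the form file:/path are ours; the paths and commands follow the page.

```shell
#!/bin/sh
# Added example: scripts the NSS -> SSLFIPS steps above. Not BMC tooling;
# paths follow the page, the helper names and RUN_MIGRATION switch are ours.
set -eu

NSS_CONF=${NSS_CONF:-/etc/httpd/conf.d/nss.conf}
NSSTMP=${NSSTMP:-/usr/tideway/nsstmp}
HTTPS_DIR=${HTTPS_DIR:-/usr/tideway/etc/https}
NICK=${NICK:-ADDM-Server-Cert}

# Value of an httpd directive (e.g. NSSCertificateDatabase) in a config file.
# awk's $1 skips leading whitespace; comment lines never match.
nss_conf_value() {                      # nss_conf_value FILE DIRECTIVE
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Check the exported pair before the live config is touched: both files are
# non-empty, the cert is PEM, the key is PEM and not password-protected
# (openssl pkcs12 -nodes writes it unencrypted, which httpd needs at start-up).
exported_files_ok() {                   # exported_files_ok CRT KEY
    [ -s "$1" ] && [ -s "$2" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    grep -q 'PRIVATE KEY' "$2" || return 1
    if grep -q 'ENCRYPTED' "$2"; then return 1; fi
    return 0
}

migrate_nss_to_sslfips() {
    db=$(nss_conf_value "$NSS_CONF" NSSCertificateDatabase)
    pw=$(nss_conf_value "$NSS_CONF" NSSPassPhraseDialog)
    pw=${pw#file:}                      # assumption: directive is file:/path
    [ "$db" = /usr/tideway/nssdb ] || { echo "unexpected NSS DB: $db" >&2; return 1; }
    mkdir -p "$NSSTMP"
    certutil -L -d "$db" -n "$NICK" -a > "$NSSTMP/server.crt"
    pk12util -d "$db" -k "$pw" -n "$NICK" -o "$NSSTMP/output.p12"
    openssl pkcs12 -in "$NSSTMP/output.p12" -out "$NSSTMP/server.key" -nocerts -nodes
    exported_files_ok "$NSSTMP/server.crt" "$NSSTMP/server.key"
    # Only now replace the live configuration.
    mv "$NSS_CONF" "$NSSTMP/"
    cp "$NSSTMP/server.crt" "$HTTPS_DIR/server.crt"
    cp "$NSSTMP/server.key" "$HTTPS_DIR/server.key"
    chmod 600 "$HTTPS_DIR/server.key"   # the work dir still holds a plaintext copy
    systemctl restart cluster
}

# Run only when asked, so sourcing for the helpers never touches an appliance.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then migrate_nss_to_sslfips; fi
```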