Running in FIPS compliant mode
The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group to validate the quality of cryptographic modules.
FIPS Publication 140-2 can be downloaded from the National Institute of Standards and Technology (NIST) website.
In previous versions, you needed to enable NSS to ensure full FIPS compliance. You no longer need to do this.
- New installations of BMC Discovery 20.02.02 (12.0. patch 2) use the SSLFIPS directive to enable FIPS.
- Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have not previously had FIPS enabled use the SSLFIPS directive to enable FIPS.
- Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled, continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.
FIPS 140-2 compliant means you are using FIPS 140-2 compliant algorithms.
FIPS 140-2 certified (also referred to as validated) means you are using a certified implementation of FIPS 140-2 algorithms. The certification is a formal process where the code must be validated by one of a group of NIST laboratories.
Certification and compliance
The BMC Discovery appliance and the Outpost use FIPS 140-2 compliant algorithms so are FIPS 140-2 compliant.
On Linux, for the BMC Discovery appliance, when FIPS mode is enabled we use the Red Hat certified implementation, so the appliance is compliant and certified.
On Windows, when FIPS mode is enabled the BMC Discovery Outpost and Windows Proxies use the OpenSSL certified implementation (the OpenSSL FIPS module). However, because of a technical incompatibility with SNMP v3 discovery requests, the discovery worker processes run by the Outpost service _cannot_ use the FIPS module. Consequently, the Outpost and Windows Proxies are FIPS 140-2 compliant but do not always use certified implementations.
BMC Discovery and FIPS
Enabling FIPS mode ensures that BMC Discovery uses only FIPS-compliant cryptographic algorithms and FIPS compliant keys, though some functionality is not supported in FIPS mode, such as using SMB file systems for export or backup. FIPS mode requires that you provide the FIPS-compliant SSL keys.
When not running in FIPS mode, BMC Discovery still uses FIPS-compliant cryptographic algorithms where possible.
To fully enable strict FIPS compliance, you must install BMC Discovery from the kickstart DVD replacing the custom options with customfips. Enabling FIPS during the kickstart means that all keys and certificates generated during installation will be generated with FIPS compliant algorithms. For more information on FIPS compliance on CentOS, see the equivalent Red Hat documentation.
You cannot mount a Windows share from a FIPS-enabled appliance. The mount operation fails and an error message is written to syslog.
- To enable FIPS, you either install with installfips or run the tw_fips_control command after installation. Installation using the installfips option does not require that tw_fips_control is run again after installation.
- Enabling FIPS with the tw_fips_control command is not fully FIPS compliant because during installation, any keys and certificates that are generated are not FIPS compliant. Further, the tw_fips_control command does not re-generate existing keys and/or certificates.
To enable FIPS mode on the appliance
To enable FIPS mode, you must run a script if you have not used the installfips installation option. The script modifies the boot configuration file and regenerates the boot-time kernel but does not regenerate any keys or certificates already generated. The script requires a reboot once complete. Any modifications that have been made to the boot configuration components may conflict with FIPS mode configuration or have untoward effects.
To enable FIPS mode on the appliance:
- Log in to the appliance command line as the
tw_fips_control script with the
Disabling FIPS mode on the appliance is accomplished by running the tw_fips_control script with the --disable option. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. You do not need to replace SSL keys after disabling FIPS mode.
To enable FIPS mode on the host on which the Windows proxy is installed
When installing a proxy, the installation detects whether the Windows host is running in FIPS mode. If the host is running in FIPS mode, and you are upgrading from a very old Windows proxy version, you must replace the SSL key before running the proxy. The installer displays a dialog stating this when you install a proxy onto a FIPS-enabled host.
For information on using Windows in FIPS mode, see this Microsoft knowledge base article.
To enable FIPS mode on the server where Discovery Outpost is installed
When installing a Discovery Outpost, the installation detects whether the Windows host is running in FIPS mode. For information on using Windows in FIPS mode, see this Microsoft knowledge base article.
Replacing NSS with SSLFIPS in upgraded systems
Systems upgraded to BMC Discovery 20.02.02 (12.0. patch 2) that have previously used FIPS with NSS enabled, continue to use FIPS with NSS enabled. Although the BMC Discovery system continues to use FIPS with NSS enabled, we recommend that you replace NSS with SSLFIPS.
To replace NSS with SSLFIPS
Once you have upgraded to BMC Discovery 20.02.02 (12.0. patch 2) and tested that the system operates correctly, you can replace NSS with SSLFIPS. You must perform this procedure at the command line as the root user on each appliance in the system. To do this:
Create a temporary working directory to store files used in the procedure.
- Verify the location of the NSS certificate database. Check the /etc/httpd/conf.d/nss.conf and look for the
It should be:
- From the same file, make a note of the location and name of the passphrase file. This is under the NSSPassPhraseDialog entry. This will be required in future steps.
List the certificates held in the NSS Database. Enter:
Export a certificate in PEM format to the
Create a single PKCS #12 file. This file is used to extract the private key. Enter:
Export the encrypted RSA key from the PKCS #12 file. Enter:
Move the NSS configuration file to the temporary directory. Enter:
Copy the certificate and key to the https configuration directory. Enter:
Restart the cluster manager service. Enter:
The appliance or cluster should now be running with SSLFIPS.
In the UI, navigate to Administration > Appliance Configuration and view the Identification tab. Ensure that FIPS 140-2 Enabled is shown.
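A command-line counterpart to the UI check above, as an added example that is not part of the BMC documentation or tooling: it reads the kernel FIPS flag and reports whether the httpd configuration still relies on NSS or has moved to SSLFIPS. The function names are hypothetical, and it assumes the SSLFIPS directive is set in a .conf file in the same directory as nss.conf.

```shell
#!/bin/sh
# Added example, not BMC tooling. Function names are hypothetical.
# kernel_fips [FLAGFILE] -> "enabled" or "disabled".
# Defaults to the flag file the Linux kernel exposes on Red Hat family systems.
kernel_fips() (
    flag=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag" ] && [ "$(tr -d '[:space:]' < "$flag")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
)

# httpd_tls_mode DIR -> sslfips, nss, both or none, judged from active
# (uncommented) directives in DIR/*.conf. Assumption: SSLFIPS is set there.
httpd_tls_mode() (
    dir=$1 nss=0 ssl=0
    if grep -Eqis '^[[:space:]]*NSSPassPhraseDialog[[:space:]]' "$dir"/*.conf; then nss=1; fi
    if grep -Eqis '^[[:space:]]*SSLFIPS[[:space:]]+on[[:space:]]*$' "$dir"/*.conf; then ssl=1; fi
    case "$nss$ssl" in
        11) echo both ;;
        10) echo nss ;;
        01) echo sslfips ;;
        *)  echo none ;;
    esac
)

# fips_posture FLAGFILE DIR -> one-line verdict combining both checks.
fips_posture() (
    k=$(kernel_fips "$1") m=$(httpd_tls_mode "$2")
    case "$k:$m" in
        enabled:sslfips) echo "OK: kernel FIPS on, httpd uses SSLFIPS" ;;
        enabled:nss)     echo "MIGRATE: kernel FIPS on, httpd still uses NSS" ;;
        enabled:both)    echo "CHECK: NSS and SSLFIPS directives both active" ;;
        enabled:none)    echo "CHECK: kernel FIPS on, no FIPS directive in httpd" ;;
        *)               echo "OFF: kernel FIPS flag not set (httpd: $m)" ;;
    esac
)

# Constructed sample: an upgraded appliance that still carries nss.conf.
demo() (
    d=$(mktemp -d) || exit 1
    mkdir "$d/conf.d" && echo 1 > "$d/fips_enabled"
    echo 'NSSPassPhraseDialog file:/constructed/path/pin.txt' > "$d/conf.d/nss.conf"
    echo '# SSLFIPS on' > "$d/conf.d/ssl.conf"
    fips_posture "$d/fips_enabled" "$d/conf.d"
    rm -rf "$d"
)
demo
```

On an appliance, the equivalent call is `fips_posture /proc/sys/crypto/fips_enabled /etc/httpd/conf.d`; the script only reads files and changes nothing.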