This documentation refers to a previously released version of BMC Discovery.
See the information on this topic for the latest version (11.1) or version 10.2.

Running in FIPS compliant mode

The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard, developed by a U.S. Government and industry working group, to validate the quality of cryptographic modules.

FIPS Publication 140-2 can be downloaded from the National Institute of Standards and Technology (NIST) web site.

BMC Discovery and FIPS

Enabling FIPS mode ensures that BMC Discovery uses only FIPS compliant cryptographic algorithms and FIPS compliant keys, though some functionality is not supported in FIPS mode, such as using SMB file systems for export or backup. FIPS mode requires that you provide FIPS compliant SSL keys.

When not running in FIPS mode, BMC Discovery still uses FIPS compliant cryptographic algorithms where possible.

To fully enable strict FIPS compliance, you must install BMC Discovery from the kickstart DVD, replacing the install or custom options with installfips or customfips. You must also enable NSS after enabling FIPS. For more information on FIPS compliance, see the Red Hat website.

You cannot mount a Windows share from a FIPS enabled appliance. The mount operation fails and an error message is written to syslog.

Enabling FIPS mode on the appliance

To enable FIPS mode, you must run a script. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. Any modifications that have been made to these components may conflict with FIPS mode configuration or have untoward effects.

To enable FIPS mode on the appliance:

  1. Log in to the appliance command line as the root user.
  2. Run the tw_fips_control script with the --enable option.

    [root@appliance01 ~]# /usr/tideway/bin/tw_fips_control --enable
    This script will enable or disable FIPS mode on your ADDM appliance. The script
    must be run as the root user and FIPS mode is only supported on Red Hat
    Enterprise Linux 6 based ADDM appliances.
    
    Please note: To enable FIPS mode the script will modify the system's boot
    configuration files (GRUB) and regenerate the boot-time kernel. Any manual
    modifications made to these components may conflict with FIPS mode configuration
    or have untoward effects.
    
    A reboot is required if the current kernel mode needs to change. The script will
    notify the user if this is the case.
    
    Do you want to continue to enable FIPS mode (yes/no)? yes
    
    Starting FIPS mode configuration.
    Gathering current state of the system.
    
    Enable FIPS mode in grub configuration file. 
    ----------------------------------------------------------------------------
    WARNING: The default SSL keys shipped with ADDM are NOT FIPS compliant.
    
    You MUST install your own FIPS compliant SSL keys if you have not already done
    so. Failure to install FIPS compliant keys will mean that ADDM services will
    not start.
    ----------------------------------------------------------------------------
    
    Configuration complete. Please reboot to enable FIPS mode.
    [root@appliance01 ~]#  

Disabling FIPS mode on the appliance is accomplished by running the tw_fips_control script with the --disable option. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. You do not need to replace SSL keys after disabling FIPS mode.
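The script changes the GRUB configuration first and the running kernel only after a reboot, so the two can disagree for a while. The following check is an added example, not part of BMC Discovery or tw_fips_control; it classifies the appliance's state by comparing the GRUB config (the /boot/grub/grub.conf path is an assumption for a Red Hat Enterprise Linux 6 appliance), the booted kernel's command line, and the kernel's own fips_enabled flag.

```shell
#!/bin/sh
# Added verification helper (not part of BMC Discovery).
# Prints one of: enabled, reboot-pending, disabled, inconsistent
# Usage: fips_state [grub_conf] [cmdline] [fips_enabled]
# Default paths are assumptions for a RHEL 6 appliance.
fips_state() {
    grub=${1:-/boot/grub/grub.conf}
    cmdline=${2:-/proc/cmdline}
    enabled=${3:-/proc/sys/crypto/fips_enabled}

    # Does any "kernel ..." line in the GRUB config carry fips=1?
    if grep -Eq '^[[:space:]]*kernel[[:space:]].*(^|[[:space:]])fips=1([[:space:]]|$)' "$grub" 2>/dev/null; then
        grub_fips=1
    else
        grub_fips=0
    fi
    # Was the kernel that is currently running booted with fips=1?
    if grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)' "$cmdline" 2>/dev/null; then
        boot_fips=1
    else
        boot_fips=0
    fi
    # What the kernel crypto layer actually enforces (missing file counts as 0).
    kernel_fips=$(cat "$enabled" 2>/dev/null | tr -d '[:space:]')
    kernel_fips=${kernel_fips:-0}

    if [ "$grub_fips" = 1 ] && [ "$boot_fips" = 1 ] && [ "$kernel_fips" = 1 ]; then
        echo enabled
    elif [ "$grub_fips" != "$boot_fips" ]; then
        # GRUB was changed by --enable or --disable but the appliance
        # has not been rebooted yet, so the kernel is still in the old mode.
        echo reboot-pending
    elif [ "$grub_fips" = 0 ] && [ "$boot_fips" = 0 ] && [ "$kernel_fips" = 0 ]; then
        echo disabled
    else
        # e.g. booted with fips=1 but the kernel is not enforcing it,
        # which usually means the regenerated boot-time kernel is missing.
        echo inconsistent
    fi
}
```

Run it as root after the reboot; "reboot-pending" means tw_fips_control has done its part but the kernel mode has not changed yet.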

Enabling FIPS mode on the proxy

When installing a proxy the installation detects whether the Windows host is running in FIPS mode. If the host is running in FIPS mode, and you are upgrading from a very old Windows proxy version, you must replace the SSL key before running the proxy. The installer displays a dialog stating this when you install a proxy onto a FIPS enabled host.

For information on using Windows in FIPS mode, see this Microsoft knowledge base article.

© Copyright 2003-2017 BMC Software, Inc.