The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard, developed by a U.S. Government and industry working group, to validate the quality of cryptographic modules.
FIPS Publication 140-2 can be downloaded from the National Institute of Standards and Technology (NIST) web site.
Enabling FIPS mode ensures that BMC Atrium Discovery uses only FIPS compliant cryptographic algorithms and FIPS compliant keys, though some functionality is not supported in FIPS mode, such as using SMB file systems for export or backup. FIPS mode requires that you provide the FIPS compliant SSL keys.
When not running in FIPS mode, BMC Atrium Discovery still uses FIPS compliant cryptographic algorithms where possible.
To fully enable strict FIPS compliance, you must install BMC Atrium Discovery from the kickstart DVD, replacing the custom options with customfips. For more information on FIPS compliance, see the Red Hat website.
FIPS mode is only available for BMC Atrium Discovery 9.0 and later versions running on Red Hat Enterprise Linux 6. If you have upgraded an appliance from an earlier version, FIPS mode is not available.
To determine whether your appliance is running on RHEL5, check the footer of any UI page. The last line displays the release and build number; if the appliance is running on RHEL5, this is stated between the release number and the build number.
You cannot mount a Windows share from a FIPS enabled appliance. The mount operation fails and an error message is written to syslog.
Before enabling FIPS mode, you must replace the standard SSL keys on the appliance and any existing proxies with your own FIPS compliant SSL keys. To enable FIPS mode, you must run a script. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. Any modifications that have been made to these components may conflict with FIPS mode configuration or have untoward effects.
To enable FIPS mode on the appliance, run the tw_fips_control script with the
Disabling FIPS mode on the appliance is accomplished by running the tw_fips_control script with the --disable option. The script modifies the boot configuration file and regenerates the boot-time kernel. This requires a reboot. You do not need to replace SSL keys after disabling FIPS mode.
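Because the script only takes effect after a reboot, it is useful to confirm afterwards that the kernel's FIPS state and the boot configuration agree, and that no Windows (CIFS) shares remain configured. The following POSIX shell checks are an added example, not part of BMC's tooling: they read the standard RHEL 6 interfaces (/proc/sys/crypto/fips_enabled and fips=1 on /proc/cmdline), and each function takes an optional file path as an argument (an assumption for testing on constructed input; the defaults are the real system files).

```shell
#!/bin/sh
# Added example: post-reboot sanity checks for an appliance switched into or
# out of FIPS mode. Not BMC's own code. Each function takes the file to read
# as an argument (assumption, for testing); defaults are the real RHEL 6 files.

# Print 1 if the running kernel reports FIPS mode enabled, 0 otherwise.
fips_kernel_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || { echo 0; return; }
    [ "$(tr -d '[:space:]' < "$f")" = "1" ] && echo 1 || echo 0
}

# Print 1 if the boot command line carries fips=1 (the boot configuration
# change the tw_fips_control script is expected to leave behind), else 0.
fips_cmdline_enabled() {
    f="${1:-/proc/cmdline}"
    [ -r "$f" ] || { echo 0; return; }
    if tr ' ' '\n' < "$f" | grep -qx 'fips=1'; then echo 1; else echo 0; fi
}

# Print the mount points of any CIFS (Windows share) entries in an
# fstab-style file; these mounts fail on a FIPS-enabled appliance.
cifs_mounts() {
    f="${1:-/etc/fstab}"
    [ -r "$f" ] || return 0
    awk '$1 !~ /^#/ && $3 == "cifs" { print $2 }' "$f"
}

# Verdict: "consistent (fips=N)" when kernel state and boot config agree
# and no Windows shares are configured in FIPS mode; otherwise a reason
# and a non-zero status. Arguments: fips_enabled file, cmdline file, fstab.
fips_preflight() {
    k=$(fips_kernel_enabled "$1"); c=$(fips_cmdline_enabled "$2")
    if [ "$k" != "$c" ]; then
        echo "mismatch: kernel=$k cmdline=$c (reboot pending?)"; return 1
    fi
    if [ "$k" = 1 ] && [ -n "$(cifs_mounts "$3")" ]; then
        echo "fips on but cifs mounts configured: $(cifs_mounts "$3" | tr '\n' ' ')"
        return 1
    fi
    echo "consistent (fips=$k)"
}
```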
When installing a proxy, the installer detects whether the Windows host is running in FIPS mode. If the host is running in FIPS mode, you must replace the SSL key before running the proxy. The installer displays a dialog stating this when you install a proxy onto a FIPS-enabled host.
For information on using Windows in FIPS mode, see this Microsoft knowledgebase article.