Enabling FIPS on a Container

FIPS mode is supported on local and remote connectors and on Collectors running version 4.7.5 or later, but certain connectors do not support FIPS mode. For information about which connectors do not support FIPS mode, see the Installing FIPS-Compliant SmartConnectors document in the ArcSight SmartConnectors documentation. Before enabling FIPS on a container that contains connectors running as a service, review the caveats listed in that document.

FIPS is disabled by default on ArcSight Management Center, but can be enabled as described under FIPS 140-2. After FIPS is enabled on the appliance, you can enable FIPS on a container. Any FIPS-compliant connector in that container (or one that is added later) automatically communicates in FIPS mode.

A FIPS Suite B certificate must be uploaded manually, regardless of the connector destination, as described under "Enabling FIPS Suite B on a Container", below.

You enable or disable FIPS using the same procedure.

To enable or disable FIPS mode on a container:

  1. Click Node Management.

  2. In the navigation tree, navigate to the host on which the container resides.

  3. Click the Containers tab.

  4. On the Containers tab, select one or more containers for which to enable or disable FIPS.

  5. Click FIPS.

  6. Follow the instructions in the wizard to update FIPS status.

Check that the CA certificates for the connectors' configured destinations are in the container's trust store, so that the connectors in the container can validate those destinations successfully. If necessary, add the appropriate certificates to the container.

Note: A FIPS-enabled 32-bit connector installed on a 64-bit Linux system cannot be remotely managed.

Enabling FIPS Suite B on a Container

Managed connectors can communicate in FIPS Suite B mode with their destination. A FIPS Suite B certificate must be imported manually and applied to the container, regardless of the connector destination.

Before you perform the following procedure, make sure FIPS mode is enabled on ArcSight Management Center, as described in FIPS 140-2.

To enable FIPS Suite B on a container:

  1. Export the certificate for the connector destination (either ArcSight Manager or Logger) to a temporary directory. For example, on ArcSight Manager, from $ARCSIGHT_HOME/current/bin, run the following command, which writes the certificate with the nickname mykey from the Manager's NSS database in raw (DER) form to /tmp/managercert.cer: ./arcsight runcertutil -L -n mykey -r -d /opt/arcsight/manager/config/jetty/nssdb -o /tmp/managercert.cer
  2. Upload the certificate from the temporary directory to the CA Certs Repository, as described in CA Certs Repository.
  3. Enable FIPS on the container as described above.
  4. Add the certificate on the container, as described in Managing Certificates on a Container.
  5. Click Node Management.
  6. In the navigation tree, navigate to the host on which the container resides.
  7. Click the Containers tab.
  8. On the Containers tab, select one or more containers for which to enable FIPS Suite B.
  9. Click FIPS.
  10. Follow the instructions in the wizard to update FIPS Suite B status.
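Before uploading the exported certificate in step 2, it is worth confirming that it actually uses a Suite B algorithm set, because a destination certificate with an RSA key, a SHA-1 signature, or a non-Suite-B curve will not let the connectors negotiate Suite B. The following Go program is an added example for this check; it is not part of ArcSight Management Center, the SmartConnectors, or this documentation. It assumes only the file exported above (/tmp/managercert.cer, DER or PEM) and encodes the Suite B rule itself: an ECDSA key on P-256 or P-384, signed with ECDSA and SHA-256 or SHA-384. The function name CheckSuiteB and the in-memory sample certificate are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CheckSuiteB reports whether a certificate (DER, or PEM as produced by
// certutil -a) uses only algorithms permitted by Suite B: an ECDSA public
// key on P-256 or P-384, signed with ECDSA and SHA-256 or SHA-384. RSA
// keys, SHA-1 signatures and other curves are rejected. The certificate is
// parsed but its chain is not validated; trust in the issuing CA is
// established separately when the cert is added to the container.
func CheckSuiteB(data []byte) error {
	if block, _ := pem.Decode(data); block != nil && block.Type == "CERTIFICATE" {
		data = block.Bytes // accept a PEM export as well as raw DER
	}
	cert, err := x509.ParseCertificate(data)
	if err != nil {
		return fmt.Errorf("not a DER/PEM certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("public key algorithm is %v, Suite B requires ECDSA", cert.PublicKeyAlgorithm)
	}
	switch pub.Curve {
	case elliptic.P256(), elliptic.P384():
		// permitted Suite B curves
	default:
		return fmt.Errorf("curve %s is not P-256 or P-384", pub.Curve.Params().Name)
	}
	switch cert.SignatureAlgorithm {
	case x509.ECDSAWithSHA256, x509.ECDSAWithSHA384:
		// permitted Suite B signature algorithms
	default:
		return fmt.Errorf("signature algorithm %v is not ECDSA with SHA-256 or SHA-384", cert.SignatureAlgorithm)
	}
	return nil
}

// sampleCert builds a self-signed certificate in memory (constructed test
// data standing in for the file exported with runcertutil). The curve and
// signature algorithm are parameters so that a non-Suite-B certificate can
// be produced for the negative case.
func sampleCert(curve elliptic.Curve, sigAlg x509.SignatureAlgorithm) []byte {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "manager.example.invalid"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		SignatureAlgorithm:    sigAlg,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	var data []byte
	if len(os.Args) > 1 {
		// e.g. go run suiteb.go /tmp/managercert.cer
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	} else {
		// No file given: check a constructed P-384 sample instead.
		data = sampleCert(elliptic.P384(), x509.ECDSAWithSHA384)
	}
	if err := CheckSuiteB(data); err != nil {
		fmt.Println("NOT a Suite B certificate:", err)
		os.Exit(1)
	}
	fmt.Println("Suite B certificate: OK")
}
```

Run it against the exported file before uploading it to the CA Certs Repository; a non-zero exit means the Manager or Logger certificate must be reissued with a Suite B key and signature before the container can be switched to Suite B mode.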