3.4 Configuring FIPS

Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting FIPS. Change Guardian leverages the FIPS 140-2 compliant features to meet the security requirements of United States federal agencies and customers with highly secure environments. Change Guardian is re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside.

Complete the following steps to configure FIPS:

To convert Change Guardian Server:

  1. As a root user, ensure that Mozilla Network Security Services (NSS) and Mozilla NSS Tools are installed on the Change Guardian server.


  2. (Conditional) If you want to change the keystore password:

    1. At the Change Guardian server command prompt, switch to novell user.

    2. Change directory to <installation_directory>/opt/novell/sentinel/bin, and run the following command:

    ./chg_keystore_pass.sh

    Follow the on-screen prompts to change the web server keystore passwords. You need this password later during this procedure.

  3. Switch to root user.

  4. Change directory to <installation_directory>/opt/novell/sentinel/bin, and run the following command:

    ./convert_to_fips.sh

    1. Specify n to back up the server.

    2. Provide a password that meets the stated criteria. This password is required later during this procedure.

    3. Specify y to insert external certificates in the keystore database.

  5. Specify the path of the Elasticsearch certificate:

    <installation_directory>/opt/novell/sentinel/3rdparty/elasticsearch/config/http.pks

  6. Specify the alias name of the certificate.

  7. Specify y to restart the Sentinel server.

  8. Ensure that the file <installation_directory>/var/opt/novell/sentinel/log/server0.0.log contains the following entry:

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade
    Upgrading EventDestination.Upgrade to fips compatible
    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade
    records updated=1 data={"service-host":"Server_Name","password":"Encrypted_Password","protocol":"vosrestdispatcher:rest

To convert javos services:

  1. Change directory to <installation_directory>/opt/netiq/cg/javos/bin, and run the following command:

    ./convert_to_fips.sh

    1. Provide the password for the FIPS keystore database (the password you created in Step 4.b).

    2. When prompted to restart the javos service, select y.

  2. Ensure that the following entry is present in the <installation_directory>/opt/netiq/cg/javos/log/javos.log file:

    Creating a FIPS SSL listener on 8094

To convert ams service:

  1. Change directory to <installation_directory>/opt/netiq/ams/ams/bin, and run the following command:

    ./convert_to_fips.sh

    1. Specify a password for the FIPS keystore database.

    2. When prompted to restart the Agent Manager service, select y.

  2. Ensure that the <installation_directory>/opt/netiq/ams/ams/log/ams.log file contains the following entry:

    INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. <installation_directory>/opt/netiq/ams/ams/security/nss
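Steps 8, 2 and 2 of the three conversion procedures above each end with a log check. The script below, an added example and not part of the Change Guardian documentation or product, automates those three checks with plain `grep` so that the result is a single exit status a post-conversion runbook can act on. It assumes the documented default log paths under an installation root passed as the first argument (use `/` when `<installation_directory>` is the filesystem root); the sample log lines it writes for its own demonstration are constructed and carry made-up timestamps.

```shell
#!/bin/sh
# Added example (not Change Guardian's own tooling): confirm that the server,
# javos and ams components have each logged their FIPS-mode entry after
# convert_to_fips.sh has run. Log paths are the documented defaults.

# fips_log_ok LOGFILE PATTERN
# Exit 0 if the fixed string PATTERN occurs in LOGFILE, 1 if it is absent,
# 2 if the log cannot be read. Nothing is printed; callers branch on the code.
fips_log_ok() {
    log="$1"; pattern="$2"
    [ -r "$log" ] || return 2
    grep -q -F -e "$pattern" "$log"
}

# check_all_fips_logs ROOT
# Run the three documented checks relative to ROOT, print PASS/FAIL per
# component, and return the number of failed checks (0 = fully converted).
check_all_fips_logs() {
    root="$1"; failed=0
    for spec in \
        "server|$root/var/opt/novell/sentinel/log/server0.0.log|Upgrade to fips compatible" \
        "javos|$root/opt/netiq/cg/javos/log/javos.log|Creating a FIPS SSL listener on 8094" \
        "ams|$root/opt/netiq/ams/ams/log/ams.log|Running in FIPS mode"
    do
        name=${spec%%|*}; rest=${spec#*|}
        log=${rest%%|*}; pattern=${rest#*|}
        if fips_log_ok "$log" "$pattern"; then
            printf 'PASS %-6s %s\n' "$name" "$pattern"
        else
            printf 'FAIL %-6s "%s" not found in %s\n' "$name" "$pattern" "$log"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# make_sample_logs ROOT
# Write constructed log files (made-up timestamps) mirroring the entries the
# documentation says to look for, so the checker can be exercised offline.
make_sample_logs() {
    root="$1"
    mkdir -p "$root/var/opt/novell/sentinel/log" \
             "$root/opt/netiq/cg/javos/log" \
             "$root/opt/netiq/ams/ams/log"
    printf '%s\n' \
        '2024-01-01 00:00:00|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade' \
        'Upgrading EventDestination.Upgrade to fips compatible' \
        > "$root/var/opt/novell/sentinel/log/server0.0.log"
    printf '%s\n' 'Creating a FIPS SSL listener on 8094' \
        > "$root/opt/netiq/cg/javos/log/javos.log"
    printf '%s\n' 'INFO [2024-01-01 00:00:00,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS.' \
        > "$root/opt/netiq/ams/ams/log/ams.log"
}

# Stand-alone demonstration against the constructed logs in a temp directory.
demo=$(mktemp -d)
make_sample_logs "$demo"
check_all_fips_logs "$demo"
rm -rf "$demo"
```

On a real server run `check_all_fips_logs /` (or with the actual installation root) after all three `convert_to_fips.sh` runs; a non-zero return names the component whose service did not come back up in FIPS mode, which is the point at which to re-run that component's conversion before moving on to data federation.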

3.4.1 Configuring Data Federation in FIPS Mode

To allow distributed searches across multiple Change Guardian servers running in FIPS 140-2 mode, add or import certificates used for secure communication to the FIPS keystore.

Adding Certificates

To add certificates:

  1. Log in to the distributed search source computer.

  2. Browse to the following certificate directory:

    cd /etc/opt/novell/sentinel/config/

  3. Copy the source certificate (sentinel.cer) to a temporary location on the requestor computer.

  4. Import the source certificate into the FIPS keystore of the requestor server.

    For more information about importing the certificate, see Importing certificates into the FIPS keystore database.

  5. Log in to the distributed search requestor computer.

  6. Browse to the following certificate directory:

    cd /etc/opt/novell/sentinel/config

  7. Copy the requestor certificate (sentinel.cer) to a temporary location on the source computer.

  8. Import the requestor system certificate into the FIPS keystore of the source server.

    For more information about importing the certificate, see Importing certificates into the FIPS keystore database.

Importing Certificates

To import:

  1. Copy the certificate file to any temporary location on the Change Guardian server or remote Collector Manager.

  2. Change the ownership of the certificate to novell user:

    chown novell:novell /<path to certificate>

  3. Change the permission of the certificate:

    chmod 644 /<path to certificate>

  4. Switch to novell user.

  5. Browse to the Sentinel bin directory.

    The default location is /opt/novell/sentinel/bin.

  6. Import the certificate into the FIPS keystore database, and then follow the on-screen instructions:

    ./convert_to_fips.sh -i <certificate file path>

  7. Enter yes or y when prompted to restart the Change Guardian server or remote Collector Manager.
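Steps 2 and 3 of the import procedure (ownership novell:novell, mode 644) are the usual reason an import fails when the `novell` user cannot read the copied file. The following pre-flight script is an added example, not part of the Change Guardian documentation or product: it checks that the file looks like a certificate and already has the required owner, group and mode, and only then prints the documented import command. The `novell` owner and group and the `/opt/novell/sentinel/bin` path come from the procedure; the owner and group are parameters so the checks can be exercised as an unprivileged user, and the PEM body used in the demonstration is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not Change Guardian's own tooling): pre-flight checks before
# running "./convert_to_fips.sh -i <certificate file path>" as the novell user.

# cert_looks_valid FILE
# 0 if FILE is non-empty and begins like a PEM certificate or a DER SEQUENCE
# (first byte 0x30); 1 otherwise. A structural sanity check only.
cert_looks_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    if head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        return 0
    fi
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ]
}

# cert_perms_ok FILE OWNER GROUP
# 0 if FILE is owned by OWNER:GROUP (names or numeric ids) with mode exactly
# 644, as steps 2 and 3 require; 1 otherwise. Uses POSIX find primaries only.
cert_perms_ok() {
    f="$1"; owner="$2"; group="$3"
    [ -n "$(find "$f" -prune -user "$owner" -group "$group" -perm 644 2>/dev/null)" ]
}

# preflight_cert FILE [OWNER] [GROUP]
# Report each check and, when all pass, the import command from step 6.
# Returns 0 only if every check passed. OWNER/GROUP default to novell.
preflight_cert() {
    f="$1"; owner="${2:-novell}"; group="${3:-novell}"; failed=0
    if cert_looks_valid "$f"; then
        echo "ok   : $f looks like a PEM or DER certificate"
    else
        echo "FAIL : $f is empty or does not look like a certificate"
        failed=1
    fi
    if cert_perms_ok "$f" "$owner" "$group"; then
        echo "ok   : owner $owner:$group, mode 644"
    else
        echo "FAIL : fix with: chown $owner:$group $f && chmod 644 $f"
        failed=1
    fi
    if [ "$failed" -eq 0 ]; then
        echo "next : su - novell, then cd /opt/novell/sentinel/bin && ./convert_to_fips.sh -i $f"
    fi
    return "$failed"
}

# Stand-alone demonstration on a constructed placeholder file owned by the
# current user (so it runs without root or the novell account).
demo=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholderNotARealCertificate\n-----END CERTIFICATE-----\n' > "$demo"
chmod 644 "$demo"
preflight_cert "$demo" "$(id -u)" "$(id -g)"
rm -f "$demo"
```

Run it as root after step 3 with the copied file path, e.g. `preflight_cert /tmp/sentinel.cer`, before switching to the `novell` user; a FAIL line tells you which of the two preparation steps was skipped.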