22.1 Enabling Sentinel Server to Run in FIPS 140-2 Mode

To enable the Sentinel Server to run in FIPS 140-2 mode:

  1. Log in to the Sentinel server.

  2. Switch to the novell user:

    su novell
  3. Browse to the Sentinel bin directory.

  4. Run the convert_to_fips.sh script and follow the on-screen instructions.

    Add the path of the Elasticsearch http certificate <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/config/http.pks when it prompts for the external certificate.

    (Conditional) If Elasticsearch is in cluster mode, copy the http certificates of all external Elasticsearch nodes (created in the section Settings in Elasticsearch for Secure Cluster Communication) to the Sentinel server. When the script prompts for the external certificate, add the path of each copied certificate, <path of the certificates copied above>/<certificates name>. Repeat this step until all the external Elasticsearch certificates are added.

    (Conditional) If you are using the CRL feature, add the path of the client certificate <sentinel_installation_path>/etc/opt/novell/sentinel/config/.defaultRestClient.p12 when it prompts for the external certificate.

    You can either use the default client certificate (.defaultRestClient.p12) or use your own customized certificate. For more information about creating a custom certificate, see Creating and Importing a Custom Certificate.

  5. (Conditional) If your environment uses multi-factor or strong authentication:

    1. Run the create_mfa_fips_keys.sh script and follow the on-screen instructions.

      NOTE: The script requires the password for the NSS database.

    2. Provide the Sentinel client ID and Sentinel client secret. For more information about authentication methods, see Authentication Methods in the Sentinel Administration Guide.

      To retrieve the Sentinel client ID and Sentinel client secret, go to the following URL:

      https://Hostname:port/SentinelAuthServices/oauth/clients

      Where:

      • Hostname is the host name of the Sentinel server.

      • port is the port Sentinel uses (typically 8443).

      The specified URL uses your current Sentinel session to retrieve the Sentinel client ID and Sentinel client secret.

  6. Restart the Sentinel server.

  7. Complete the FIPS 140-2 mode configuration by following the tasks mentioned in Section 23.0, Operating Sentinel in FIPS 140-2 Mode.
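Before starting the interactive convert_to_fips.sh script in step 4, it helps to confirm, as the novell user, that every certificate path you will type at the prompts exists and is readable. The pre-flight check below is an added example, not a Sentinel script; it assumes SENTINEL_ROOT holds the <sentinel_installation_path> prefix and that copied cluster-node certificates sit together in one directory.

```shell
#!/bin/sh
# Added pre-flight check (not part of Sentinel): verify the certificate files
# named in step 4 before running convert_to_fips.sh. Run it as the novell user
# so that "readable" means readable by the account the script runs under.
# SENTINEL_ROOT is assumed to be the <sentinel_installation_path> prefix
# (empty when Sentinel is installed directly under /).
SENTINEL_ROOT="${SENTINEL_ROOT:-}"

# check_cert FILE: 0 if FILE is a readable, non-empty regular file, else 1.
check_cert() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING    : $f" >&2; return 1
    elif [ ! -r "$f" ]; then
        echo "UNREADABLE (are you the novell user?): $f" >&2; return 1
    elif [ ! -s "$f" ]; then
        echo "EMPTY      : $f" >&2; return 1
    fi
    echo "OK         : $f"
    return 0
}

# fips_preflight [CLUSTER_CERT_DIR] [USE_CRL]
#   Checks the local Elasticsearch http certificate, every copied cluster-node
#   certificate when CLUSTER_CERT_DIR is given, and the REST client certificate
#   when USE_CRL=yes. Returns the number of failed checks (0 = safe to proceed).
fips_preflight() {
    cluster_dir="$1"; use_crl="${2:-no}"; failures=0
    check_cert "$SENTINEL_ROOT/opt/novell/sentinel/3rdparty/elasticsearch/config/http.pks" \
        || failures=$((failures + 1))
    if [ -n "$cluster_dir" ]; then
        # An empty directory leaves the glob unexpanded and is reported as MISSING.
        for c in "$cluster_dir"/*; do
            check_cert "$c" || failures=$((failures + 1))
        done
    fi
    if [ "$use_crl" = "yes" ]; then
        check_cert "$SENTINEL_ROOT/etc/opt/novell/sentinel/config/.defaultRestClient.p12" \
            || failures=$((failures + 1))
    fi
    return "$failures"
}
```

Run `fips_preflight /path/to/copied/node/certs yes` (drop the arguments that do not apply) and fix every reported line before launching convert_to_fips.sh.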