FIPS Support
The Integrity Lifecycle Manager server's SSL implementation can be configured to conform to the FIPS 140-2 standard.
Integrity Lifecycle Manager provides new Mozilla Network Security Services (NSS) tools version 3.17.3 to enhance secure communications with the Integrity Lifecycle Manager server, and to provide support for TLS 1.0 and TLS 1.1. The NSS tools can be configured to operate in a manner compliant with FIPS 140-2. For more information on NSS tools, consult the documentation available on the Mozilla NSS Web site (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS).
Note: A FIPS configuration cannot support an Integrity Lifecycle Manager server path location that includes spaces.
The FIPS 140-2 configuration is supported only for the following connections:
• Integrity Lifecycle Manager client to Integrity Lifecycle Manager server
• Integrity Lifecycle Manager server to Integrity Lifecycle Manager server
• Web browser to Integrity Lifecycle Manager server
• Integrity Lifecycle Manager Agent to Integrity Lifecycle Manager server
• Integrity Lifecycle Manager API (Java or C) to Integrity Lifecycle Manager server
If you have not already created a server certificate, follow the instructions provided in the Integrity Lifecycle Manager documentation to create your certificate, have it signed, and import it into the Integrity Lifecycle Manager server PKCS12 keystore:
<Integrity Server installdir>/data/tls/certificate.p12
For more information on creating a server certificate, see “Creating Signed Server Certificates”.
The following steps involve using some of the Mozilla NSS tools available from the Mozilla web site noted above.
Note: On Solaris/Linux, you must set the LD_LIBRARY_PATH environment variable to include the NSS libraries in order to run the executables.
The following configuration instructions illustrate the command syntax using the LD_LIBRARY_PATH environment variable for Solaris/Linux. All of the following commands assume that the current working directory is the root of the Integrity Lifecycle Manager server installation.
1. For Solaris/Linux only, run the following command:
% export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:${PWD}/server/mks/bin
2. Create an NSS-compatible keystore to hold the server certificate.
% bin/modutil -create -dbdir data/tls
Note: When running this command, a warning message indicates that performing the operation while a browser is running could cause corruption of your security databases. It is safe to ignore this message.
The following files are created in the data/tls directory: cert8.db, key3.db, and secmod.db.
3. Import the server certificate from the PKCS12 keystore into the NSS-compatible keystore by running one of the following commands:
Note: You should import the certificate from the PKCS12 keystore before enabling FIPS compliance. Reversing the sequence of operations causes an error that prevents the certificate from being imported.
% bin/pk12util -i data/tls/certificate.p12 -w <fileContainingCertificateP12Password> -d data/tls
or
% bin/pk12util -i data/tls/certificate.p12 -W <certificateP12Password> -d data/tls
4. Follow the next series of prompts to enter the required passwords. The first two prompts ask for a new password to be used to protect the certificate in the NSS-compatible keystore. The third prompt asks for the existing password that protects the certificate in the PKCS12 keystore. You can use the same password for both keystores.
Note: The password you provide will be used to encrypt your keys. The password should be at least 8 characters long and contain at least one non-alphabetic character.
5. Enter the new password.
6. Re-enter the password.
The certificate import is completed.
7. Run the following command to configure NSS to FIPS 140-2 compliance mode:
% bin/modutil -fips true -dbdir data/tls
Note: When running this command, a warning message indicates that performing the operation while a browser is running could cause corruption of your security databases. It is safe to ignore this message.
8. Configure the Integrity Lifecycle Manager server to use the Mozilla NSS provider for SSL by adding the following property to the <Integrity Server installdir>/config/properties/is.properties file:
mksis.secure.provider=nss
9. Restart the Integrity Lifecycle Manager server to have the changes take effect.
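Once the server has been restarted, the results of steps 1, 2, 7 and 8 can be verified before relying on the FIPS configuration. The following POSIX shell script is an added example, not part of the PTC documentation: it assumes the installation root is passed as an argument (defaulting to the current directory), that the NSS tools sit in bin/ with their libraries in server/mks/bin as in step 1, and that modutil -chkfips true exits non-zero when the database is not in FIPS mode.

```shell
#!/bin/sh
# Added example (not PTC's code): post-configuration checks for the FIPS 140-2
# setup described in the steps above. Usage: sh fips_check.sh --check [installdir]

# Step 1 caveat: a FIPS configuration cannot live under a path containing spaces.
check_no_spaces() {
  case "$1" in *" "*) return 1 ;; *) return 0 ;; esac
}

# Step 2 result: all three NSS database files must exist in the given directory.
check_nss_db() {
  for f in cert8.db key3.db secmod.db; do
    [ -f "$1/$f" ] || return 1
  done
}

# Step 7 result: ask modutil whether the database is in FIPS mode. The exit
# status of "modutil -chkfips true" is assumed to be 0 only when FIPS is enabled.
check_fips_mode() {
  LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:$1/server/mks/bin" \
    "$1/bin/modutil" -chkfips true -dbdir "$1/data/tls" >/dev/null 2>&1
}

# Step 8 result: the NSS provider must be selected in the given properties file
# (exact key and value, anchored, so "mksis.secure.provider=nss2" does not pass).
check_property() {
  grep -q '^mksis\.secure\.provider=nss[[:space:]]*$' "$1"
}

# Run every check against an installation root and report each failure.
run_all_checks() {
  root=$1 rc=0
  check_no_spaces "$root"       || { echo "FAIL: install path contains spaces: $root"; rc=1; }
  check_nss_db "$root/data/tls" || { echo "FAIL: cert8.db/key3.db/secmod.db missing in data/tls"; rc=1; }
  check_fips_mode "$root"       || { echo "FAIL: NSS database in data/tls is not in FIPS mode"; rc=1; }
  check_property "$root/config/properties/is.properties" \
                                || { echo "FAIL: mksis.secure.provider=nss not set in is.properties"; rc=1; }
  [ "$rc" -eq 0 ] && echo "All FIPS configuration checks passed for $root"
  return "$rc"
}

if [ "${1:-}" = "--check" ]; then
  run_all_checks "${2:-$PWD}"
  exit $?
fi
```

The script exits non-zero if any check fails, so it can be dropped into a deployment pipeline as a gate after the server restart.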