IBM Tivoli Netcool/OMNIbus, Version 7.4

Configuring the server components for FIPS 140–2 mode

If the server components are configured with the required FIPS 140–2 settings, every connecting client must authenticate with a plain text password; this is what FIPS 140–2 mode requires. A client can still keep its password encrypted in its properties file, but it must then use the encryption algorithm that is permitted in FIPS 140–2 mode, and it decrypts the value before sending it to the server.

When you run server components that are configured for FIPS 140–2, they first verify that the fips.conf file exists and then verify that each relevant property is set to the value that FIPS 140–2 mode requires. An error message is logged to the server log file for every property that is found with a non-FIPS 140–2 setting. In debug logging mode, a confirmation that FIPS 140–2 mode is active is also logged.

When running a server component in both FIPS 140–2 mode and secure mode, authentication passwords for client applications are typically stored as follows:
  • Proxy servers and probes store authentication passwords by using the AuthPassword property in the proxy server and probe properties files.
  • Unidirectional ObjectServer gateways store authentication passwords by using the Gate.Writer.Password and Gate.Reader.Password properties in the properties file.
  • Bidirectional ObjectServer gateways store authentication passwords by using the Gate.ObjectServerA.Password and Gate.ObjectServerB.Password properties in the properties file.
  • The process agent configuration file can also store passwords for secure connections.

In FIPS 140–2 mode, you can either specify plain text passwords within these files, or specify passwords that are encrypted by running the $NCHOME/omnibus/bin/nco_aes_crypt utility with a key file and the FIPS 140–2 cryptographic algorithm. If you use encrypted passwords, you must also set the properties that identify the key file and the algorithm within the proxy server, probe, and gateway properties files. These values are needed to decrypt the passwords at run time so that they can be sent to the server as plain text. The process agent does not use a properties file, so you instead specify command-line options for decrypting the passwords in its configuration file when you run $NCHOME/omnibus/bin/nco_pad.

Note: Do not use the nco_g_crypt, nco_pa_crypt, and nco_sql_crypt utilities to encrypt passwords when running in FIPS 140–2 mode.

ObjectServer configuration for FIPS 140–2

To run an ObjectServer in FIPS 140–2 mode, the following configuration is required:
  • Set the PasswordEncryption property of the ObjectServer to the AES setting.
  • If you want to run the ObjectServer in secure mode, and want to encrypt passwords within the proxy server, probe, or gateway properties files, encrypt the passwords by running the nco_aes_crypt utility and use the -c command-line option to specify AES_FIPS as the encryption algorithm.
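As an added example (not code from IBM or the Tivoli Netcool/OMNIbus product), the following POSIX shell script carries the encryption step through for a probe, proxy server or gateway properties file: it produces the ciphertext with nco_aes_crypt -c AES_FIPS and writes the password property together with the two properties the component needs to decrypt it at run time. The page names only the -c option; the -k key file option, the nco_keygen utility used to create the key file, the ConfigKeyFile and ConfigCryptoAlg property names and the '@...@' shape of the ciphertext token are assumptions. The demonstration at the end runs on a constructed properties file and only calls the real utility when an installation is present.

```shell
#!/bin/sh
# Added example, not IBM's code. Encrypts a password for FIPS 140-2 mode with
# nco_aes_crypt and writes the properties a probe, proxy server or gateway needs
# to decrypt it at run time. Assumptions not stated on the page:
#   - nco_keygen creates the key file (-o file, -l key length in bits)
#   - nco_aes_crypt takes the key file with -k and prints a ciphertext token
#     of the shape '@nn:...@'
#   - the decryption properties are named ConfigKeyFile and ConfigCryptoAlg
NCHOME="${NCHOME:-/opt/IBM/tivoli/netcool}"
KEYFILE="${KEYFILE:-$NCHOME/omnibus/etc/crypto.key}"

# Create the shared key once and keep it readable only by the Netcool user:
# anyone who can read it can decrypt every password in the properties files.
make_keyfile() {
    "$NCHOME/omnibus/bin/nco_keygen" -o "$KEYFILE" -l 256
    chmod 600 "$KEYFILE"
}

# Encrypt one plain text value with the FIPS 140-2 algorithm (AES_FIPS, never
# AES/AES_CFB1, and never nco_g_crypt, nco_pa_crypt or nco_sql_crypt).
# $1 = plain text password; prints the ciphertext token for the properties file.
encrypt_fips_password() {
    "$NCHOME/omnibus/bin/nco_aes_crypt" -c AES_FIPS -k "$KEYFILE" "$1"
}

# Read a property value, quotes stripped, from a Netcool properties file.
# $1 = file, $2 = property name
get_prop() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Set the password property plus the two decryption properties, replacing any
# existing copies so that a re-run after a password change never leaves
# duplicate entries. $1 = properties file, $2 = password property name
# (AuthPassword, Gate.Reader.Password, ...), $3 = ciphertext token
set_encrypted_password() {
    file="$1"; prop="$2"; cipher="$3"; tmp="$file.$$"
    if [ -f "$file" ]; then
        grep -v -E "^(ConfigKeyFile|ConfigCryptoAlg|$prop)[[:space:]]*:" "$file" > "$tmp" || :
    else
        : > "$tmp"
    fi
    printf "ConfigKeyFile : '%s'\n" "$KEYFILE"   >> "$tmp"
    printf "ConfigCryptoAlg : 'AES_FIPS'\n"      >> "$tmp"
    printf "%s : '%s'\n" "$prop" "$cipher"       >> "$tmp"
    mv "$tmp" "$file"
}

# Demonstration on a constructed properties file. The real utility is only
# called when an installation and key file are present; otherwise a
# constructed stand-in token is written.
if [ -x "$NCHOME/omnibus/bin/nco_aes_crypt" ] && [ -f "$KEYFILE" ]; then
    CIPHER=$(encrypt_fips_password 'probe-password')
else
    CIPHER='@44:constructed-stand-in-ciphertext@'
fi
DEMO_FILE="${DEMO_FILE:-$(mktemp)}"
set_encrypted_password "$DEMO_FILE" AuthPassword "$CIPHER"
echo "AuthPassword in $DEMO_FILE is now: $(get_prop "$DEMO_FILE" AuthPassword)"
```

The ciphertext in the properties file is only as secret as the key file, so protect the key file with file permissions and copy it only to the hosts whose components must decrypt with it. Run the script again for each password that changes; the replacement logic keeps a single copy of each property.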

Process agent configuration for FIPS 140–2

To run a process agent in FIPS 140–2 mode, the following configuration is required:

  • On UNIX, only Pluggable Authentication Modules (PAM) are supported for external authentication in FIPS 140–2 mode. When running the process agent with the nco_pad command, set the -authenticate command-line option to the PAM setting if you want to verify the credentials of a user or a remote process agent daemon.

    On Windows, process agent connections are authenticated against the Windows user accounts, and no additional configuration is required for FIPS 140–2 mode.

  • If you want to run process control utilities (such as $NCHOME/omnibus/bin/nco_pa_status) with the -user and -password command-line options (login credentials), specify the passwords in plain text.
  • If you want to run the process agent in secure mode, you are typically required to specify the following login credentials within the routing definition section of the process agent configuration file ($NCHOME/omnibus/etc/nco_pa.conf):
    • User name and password credentials for each host that connects to the process agent
    • User name and password credentials for logging into a remote process agent (if required)

    If you want to encrypt the passwords in the configuration file, run the nco_aes_crypt utility and use the -c command-line option to specify AES_FIPS as the encryption algorithm.

Proxy server configuration for FIPS 140–2

To run a proxy server in FIPS 140–2 mode, the following configuration is required:

  • If you want to run the proxy server in secure mode, and want to encrypt passwords within the probe properties files, encrypt the passwords by running the nco_aes_crypt utility and use the -c command-line option to specify AES_FIPS as the encryption algorithm.
  • Additionally, if the proxy server is connecting to an ObjectServer that is running in secure mode, and you want to encrypt the password within the proxy server properties file, encrypt the password by running the nco_aes_crypt utility and use the -c command-line option to specify AES_FIPS as the encryption algorithm.

Gateway configuration for FIPS 140–2

To run gateways in FIPS 140–2 mode, the following configuration is required:

  • On UNIX, only Pluggable Authentication Modules (PAM) are supported for external authentication in FIPS 140–2 mode. When running a gateway, set the Gate.UsePamAuth property of the gateway to TRUE to use PAM authentication.
  • If a gateway is connecting to an ObjectServer that is running in secure mode, and you want to encrypt the password within the gateway properties file, encrypt the password by running the nco_aes_crypt utility and use the -c command-line option to specify AES_FIPS as the encryption algorithm.
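The following POSIX shell script is an added example, not part of the IBM documentation or product, that reproduces as a pre-start audit the check described earlier on this page: a FIPS 140–2 server component confirms that fips.conf exists and then that its properties hold the FIPS 140–2 values, logging an error for each property that does not. It applies the requirements from the ObjectServer, proxy server, probe and gateway sections in one place, so a misconfiguration is found before the component is started. The location $NCHOME/etc/security/fips.conf, the ConfigKeyFile and ConfigCryptoAlg property names and the '@' prefix of nco_aes_crypt output are assumptions not stated on the page; the sample properties files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not IBM's code. A pre-start audit that mirrors the check a
# FIPS 140-2 server component performs: fips.conf must exist and the
# component's properties must hold the FIPS 140-2 values.
# Assumptions not stated on the page: fips.conf lives at
# $NCHOME/etc/security/fips.conf; the decryption properties are named
# ConfigKeyFile and ConfigCryptoAlg; nco_aes_crypt output starts with '@'.
NCHOME="${NCHOME:-/opt/IBM/tivoli/netcool}"

# Read a property value, quotes stripped. $1 = file, $2 = property name
get_prop() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# $1 = NCHOME-style root; returns 0 when the FIPS marker file is present
check_fips_conf() {
    [ -f "$1/etc/security/fips.conf" ]
}

# $1 = properties file, $2 = objectserver | gateway | probe | proxy
# Prints one line per violation; returns 1 if any was found, 0 if compliant.
audit_fips_props() {
    file="$1"; kind="$2"; rc=0
    case "$kind" in
    objectserver)
        [ "$(get_prop "$file" PasswordEncryption)" = "AES" ] ||
            { echo "$file: PasswordEncryption must be 'AES' in FIPS 140-2 mode"; rc=1; }
        ;;
    gateway)
        [ "$(get_prop "$file" Gate.UsePamAuth)" = "TRUE" ] ||
            { echo "$file: Gate.UsePamAuth must be TRUE (only PAM is supported)"; rc=1; }
        ;;
    esac
    # Any ConfigCryptoAlg present must be the FIPS algorithm or its synonym.
    alg=$(get_prop "$file" ConfigCryptoAlg)
    case "$alg" in
    ""|AES_FIPS|AES_CBC) ;;
    *) echo "$file: ConfigCryptoAlg '$alg' is not permitted in FIPS 140-2 mode"; rc=1 ;;
    esac
    # Plain text passwords are allowed; an encrypted one needs both the
    # algorithm and the key file, or the component cannot decrypt it.
    for p in AuthPassword Gate.Writer.Password Gate.Reader.Password \
             Gate.ObjectServerA.Password Gate.ObjectServerB.Password; do
        case "$(get_prop "$file" "$p")" in
        @*)
            [ -n "$alg" ] ||
                { echo "$file: $p is encrypted but ConfigCryptoAlg is unset"; rc=1; }
            [ -n "$(get_prop "$file" ConfigKeyFile)" ] ||
                { echo "$file: $p is encrypted but ConfigKeyFile is unset"; rc=1; }
            ;;
        esac
    done
    return $rc
}

# Demonstration on constructed files (not taken from a real installation).
D=$(mktemp -d)
mkdir -p "$D/etc/security" && : > "$D/etc/security/fips.conf"
printf "PasswordEncryption : 'AES'\n" > "$D/omnibus.props"
printf "ConfigCryptoAlg : 'AES'\nAuthPassword : '@44:abc@'\n" > "$D/probe.props"
printf "Gate.UsePamAuth : FALSE\n" > "$D/gateway.props"
check_fips_conf "$D" && echo "fips.conf present under $D"
audit_fips_props "$D/omnibus.props" objectserver && echo "omnibus.props: compliant"
audit_fips_props "$D/probe.props" probe || echo "probe.props: NOT compliant"
audit_fips_props "$D/gateway.props" gateway || echo "gateway.props: NOT compliant"
rm -r "$D"
```

Run the audit against the real $NCHOME and the properties files of each component before starting it; a non-zero return from audit_fips_props corresponds to the error messages the component would otherwise write to its log at run time.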

A note about the encryption algorithm options

When in FIPS 140–2 mode, you must use the AES_FIPS algorithm when encrypting passwords with the nco_aes_crypt utility. You can specify the algorithm as either AES_FIPS or its synonym AES_CBC; both yield the same result. For simplicity, only AES_FIPS is specified in the documentation.

When in non-FIPS 140–2 mode, you can specify an additional algorithm, AES, or its synonym AES_CFB1; these two also yield the same result as each other, so for simplicity only AES and AES_FIPS are specified in the documentation. The synonym names reflect the block cipher mode in use (CBC for AES_FIPS, 1-bit CFB for AES), so a value encrypted with one algorithm cannot be decrypted under the other setting. The AES option exists primarily for compatibility with the AES property encryption that is available in Tivoli Netcool/OMNIbus V7.2; the AES_FIPS algorithm is preferred.