Switching your installation to FIPS 140-2 mode
If you want to change your V7.4 installation to operate in FIPS 140-2 mode, you must follow the steps outlined in the FIPS 140-2 configuration checklist.
If the user passwords in your system are currently encrypted by using the DES algorithm, or if you are using property value encryption to encrypt string values in properties files, additional configuration steps are required before the system can operate in FIPS 140-2 mode. Those steps are described here.
Changing the encryption scheme for DES-encrypted user passwords
When in FIPS 140–2 mode, the Advanced Encryption Standard (AES) algorithm must be used to encrypt user passwords that are stored in the ObjectServer. If your existing installation uses DES encryption for passwords, you must change the encryption scheme to AES.
To establish whether your passwords are DES encrypted, check the value of the ObjectServer PasswordEncryption property to see whether it is set to DES or to AES.
- Change the setting of the ObjectServer PasswordEncryption property to AES.
- Change or reset every user password. Changing the property does not convert existing stored passwords: a password becomes AES encrypted only when it is set again, and any password that is not reset remains DES encrypted. (See the information that follows for guidelines about how to change or reset passwords and how to verify the result.)
- Configure Tivoli Netcool/OMNIbus to operate in FIPS 140–2 mode.
- Restart the ObjectServer.
Guidelines for changing or resetting passwords
You can use the SQL interactive interface (nco_sql) for changing or resetting passwords.
- Start the SQL interactive interface and then enter the following command:
select UserName,Passwd from security.users;
Check the length of the encrypted passwords returned. Passwords that are still DES encrypted have 11 characters, whereas AES-encrypted passwords have 24 characters.
- From Netcool/OMNIbus Administrator:
  - Connect to the relevant ObjectServer. Then click the System menu button and click Databases to open the Databases, Tables and Columns pane.
  - Select the security database and the users table, and then click the Data View tab in the Databases, Tables and Columns pane to view user data.
In the Passwd column, passwords that are still DES encrypted have 11 characters, whereas AES-encrypted passwords have 24 characters.
A system administrator can reset user passwords from the SQL interactive interface as follows:
alter user 'username' set password 'password';
Where username is the name of the user and password is their new password.
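The check and reset procedure above, scripted, as an added example that is not part of the OMNIbus documentation: it classifies the rows returned by the security.users query by the documented value lengths (11 characters for DES, 24 for AES), lists the users that still need a reset, and builds the alter user statements. The input layout (one "UserName Passwd" pair per line with a header and a "(n rows affected)" trailer), the sample rows and the placeholder password are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the OMNIbus documentation. Classifies the output of
#   select UserName,Passwd from security.users;
# by stored value length (11 = DES, 24 = AES, as documented), flags users that
# still need a reset and builds "alter user" statements for them.
# Assumed input layout: one "UserName Passwd" pair per line as nco_sql prints
# it, plus the header line and the "(n rows affected)" trailer. Surrounding
# single quotes on the value, if present, are tolerated.

# Read the query output on stdin; print "user<TAB>length<TAB>DES|AES|EMPTY|UNKNOWN".
classify_passwords() {
    awk -v q="'" '
        NF == 0 || $1 == "UserName" || $1 ~ /^\(/ || $1 ~ /^-+$/ { next }
        {
            p = ""
            if (NF >= 2) p = $2
            sub("^" q, "", p); sub(q "$", "", p)   # drop quotes around the value
            n = length(p)
            if      (n == 0)  s = "EMPTY"     # no password stored at all
            else if (n == 11) s = "DES"       # still needs a reset
            else if (n == 24) s = "AES"
            else              s = "UNKNOWN"   # unexpected length: inspect by hand
            printf "%s\t%d\t%s\n", $1, n, s
        }'
}

# Users whose password is still DES encrypted, one per line.
des_users() {
    classify_passwords | awk '$3 == "DES" { print $1 }'
}

# Print the reset statement for one user. Values containing a single quote are
# refused rather than guessing the ObjectServer SQL escaping rule.
reset_statement() {
    case "$1$2" in
        *\'*) echo "reset_statement: single quote in user name or password" >&2; return 1 ;;
    esac
    printf "alter user '%s' set password '%s';\n" "$1" "$2"
}

# Constructed sample of the query output (not real ObjectServer data).
sample='UserName    Passwd
root        AbCdEfGhIjK
nobody      QWERTYUIOPASDFGHJKLZXCVB
probe
(3 rows affected)'

printf '%s\n' "$sample" | classify_passwords
for u in $(printf '%s\n' "$sample" | des_users); do
    reset_statement "$u" 'Replace-Me-1'    # placeholder password for the demo
done
```

In a real run, write the select statement to a file and pipe the nco_sql output into classify_passwords (for example nco_sql -server NCOMS -user root -password '' < query.sql | classify_passwords, with the server name and credentials being yours). Write the generated alter user statements to a file with restricted permissions and feed that file to nco_sql rather than typing them interactively, so the new plaintext passwords do not end up in shell history. Rows reported as EMPTY or UNKNOWN deserve a look of their own: an empty value means the account has no password at all.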
Changing property value encryption
When in FIPS 140–2 mode, property value encryption must be performed by using an algorithm and mode of operation defined as AES_FIPS. Property value encryption is used to encrypt string values in a properties file or configuration file so that the strings cannot be read without a key.
If your existing installation uses property value encryption with the AES algorithm, or uses the nco_g_crypt and nco_pa_crypt utilities to encrypt passwords, these encrypted values do not meet the requirements for FIPS 140–2 operation. To run your system in FIPS 140–2 mode, you must decrypt these values and then encrypt them again by using the AES_FIPS algorithm. You must perform this task for each ObjectServer, proxy server, process agent, probe, and gateway that uses encrypted property values, including passwords.
- In your existing installation, identify any keys that were generated by using the command-line key generator nco_keygen.
Tip: The nco_keygen utility stores keys within key files. You should be able to identify any key files used by checking the ConfigKeyFile property settings in your properties files.
- Using the keys in your existing installation, decrypt all encrypted properties and passwords in your properties and configuration files by running the nco_aes_crypt utility with the -d command-line option.
- Configure Tivoli Netcool/OMNIbus to operate in FIPS 140–2 mode.
- Encrypt the values again by using the nco_keygen utility to generate one or more new keys, and then running the nco_aes_crypt utility with the relevant key file setting.
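The first step of the procedure above, identifying the key files that your properties files reference, as an added example that is not part of the OMNIbus documentation: it collects every active ConfigKeyFile setting under a directory, then reports for each distinct key file whether it is missing (the values encrypted with it cannot be decrypted with nco_aes_crypt -d) or readable by group or other users (every secret encrypted with it is exposed to them). It assumes the documented properties syntax ConfigKeyFile : '/path/to/keyfile'; the directory layout, file names and key contents in the demo are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the OMNIbus documentation. Inventories the key files
# referenced by ConfigKeyFile settings so that every value encrypted with them
# can be decrypted (nco_aes_crypt -d) before FIPS 140-2 mode is enabled and
# the values are re-encrypted with a new AES_FIPS key.
# Assumes the properties syntax  ConfigKeyFile : '/path/to/keyfile'  and
# ignores lines commented out with '#'. Everything built in demo() is constructed.

# Print "propsfile<TAB>keyfile" for each active ConfigKeyFile setting under $1.
list_config_key_files() {
    find "$1" -type f -name '*.props' | sort | while IFS= read -r props; do
        sed -n "s/^[[:space:]]*ConfigKeyFile[[:space:]]*:[[:space:]]*'\([^']*\)'.*/\1/p" "$props" \
            | while IFS= read -r keyfile; do
                printf '%s\t%s\n' "$props" "$keyfile"
            done
    done
}

# For every distinct key file print "keyfile<TAB>OK|MISSING|UNSAFE-PERMS".
# UNSAFE-PERMS means any group or other permission bit is set.
check_key_files() {
    list_config_key_files "$1" | cut -f2 | sort -u | while IFS= read -r keyfile; do
        if [ ! -f "$keyfile" ]; then
            printf '%s\tMISSING\n' "$keyfile"
        else
            mode=$(ls -ld "$keyfile" | cut -c5-10)   # group and other bits of the mode
            case "$mode" in
                ------) printf '%s\tOK\n' "$keyfile" ;;
                *)      printf '%s\tUNSAFE-PERMS\n' "$keyfile" ;;
            esac
        fi
    done
}

# Constructed sample layout; nothing here is real OMNIbus data.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/keys"
    cat > "$tmp/etc/NCOMS.props" <<EOF
# ConfigKeyFile : '$tmp/keys/commented-out.key'
ConfigKeyFile : '$tmp/keys/old.key'
EOF
    cat > "$tmp/etc/G_ODBC.props" <<EOF
ConfigKeyFile : '$tmp/keys/gone.key'
EOF
    printf 'placeholder, not a real key\n' > "$tmp/keys/old.key"
    chmod 644 "$tmp/keys/old.key"    # deliberately too permissive for the demo
    echo "ConfigKeyFile settings:"
    list_config_key_files "$tmp/etc"
    echo "Key file status:"
    check_key_files "$tmp/etc"
    rm -rf "$tmp"
}
demo
```

Run check_key_files against $NCHOME/omnibus/etc (and any other directory your components load properties from) before decrypting anything, and resolve every MISSING entry first: once FIPS 140-2 mode is on and a new key has been generated, values that could not be decrypted with the old key are lost. Fix UNSAFE-PERMS entries on the new key files as well, since the AES_FIPS key protects the re-encrypted passwords just as the old key protected the originals.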