Configure the Marketplace Portal for FIPS 140-2 Compliance

Configure the Marketplace Portal

This section describes how to encrypt passwords for the Marketplace Portal.

Password Encryption

The Marketplace Portal encrypts passwords with PBES2 (password-based encryption: PBKDF2 key derivation followed by a block cipher) using the Node.js crypto library. A key is hard-coded in the JavaScript (JS), but it is never used to encrypt passwords directly. Instead, it decrypts a randomly generated key that is stored, encrypted, in a keyfile; the passwords in mpp.json are encrypted under that keyfile key. The keyfile is protected only by file-system permissions, so it must be guarded as carefully as the passwords themselves.

Note Make sure the file system on which the Marketplace Portal is installed is protected by the operating system, so that only authorized accounts can read or edit its files and folders (in particular the keyfile and mpp.json).

Encrypt a Password

The Marketplace Portal provides a password utility (passwordUtil.js), which you use to encrypt a password and generate a keyfile.

Note Run the password utility whenever the keyfile is deleted or lost, the keyfile is regenerated, or a password changes. Values encrypted under one keyfile cannot be decrypted with another, so after any keyfile change every encrypted value in mpp.json must be re-encrypted with the current keyfile.

Following is the password utility syntax for Linux (run from the portal/bin directory):

./passwordUtil.js --help
./passwordUtil.js --password <password to encrypt>

Example:

bin> ./passwordUtil.js
Please enter password to encrypt -password hidden-
Encrypted password is TPhdYjB72z+v+pHdscGSkQ==

Following is the password utility syntax for Windows:

cd %CSA_HOME%\portal\bin
..\..\node.js\node passwordUtil.js --help
..\..\node.js\node passwordUtil.js --password <password to encrypt>

Example:

..\..\node.js\node passwordUtil.js
Please enter password to encrypt -password hidden-
Encrypted password is ENC(TPhdYjB72z+v+pHdscGSkQ==)

Note If the keyfile needs to be regenerated, delete the existing keyfile at the location given by the keyfile parameter in mpp.json (see the next section) and run the password utility script; it generates a new keyfile if none exists. Every ENC( ) value in mpp.json then has to be re-encrypted, because values produced under the old keyfile cannot be decrypted with the new one.
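The two-level scheme described above (a built-in key that only unwraps a random keyfile key, which in turn encrypts the passwords), as an added shell sketch built on openssl enc. This is not the product's passwordUtil.js: it assumes AES-256-CBC under PBKDF2 as the PBES2 scheme and a keyfile that holds a key and a salt; MPP_BUILTIN_KEY stands in for the key hard-coded in the product's JavaScript, all function names are illustrative, and the password and keyfiles are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the product's passwordUtil.js: a shell sketch of the
# two-level password-encryption scheme, built on "openssl enc".
# Assumptions (mine, not the product's): MPP_BUILTIN_KEY stands in for the
# key hard-coded in the product's JavaScript; AES-256-CBC under PBKDF2 is the
# PBES2 scheme; the keyfile holds "<key> <salt>" wrapped with the built-in
# key; encrypted values are printed in the ENC(...) form mpp.json expects.
set -eu

MPP_BUILTIN_KEY='stand-in-for-the-hard-coded-js-key'

# Create a keyfile: a random 256-bit key and an 8-byte salt, wrapped with
# the built-in key. Only the wrapped form ever touches disk.
mpp_make_keyfile() {                      # $1 = keyfile path
  { printf '%s ' "$(openssl rand -hex 32)"; openssl rand -hex 8; } \
    | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$MPP_BUILTIN_KEY" \
        -a -out "$1"
  chmod 600 "$1"                          # the file system protects the keyfile
}

# Unwrap the keyfile with the built-in key; prints "<key> <salt>".
mpp_unwrap_keyfile() {                    # $1 = keyfile path
  openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "pass:$MPP_BUILTIN_KEY" -in "$1"
}

# Encrypt a password with the keyfile key. The salt is fixed by the keyfile,
# so the same password always yields the same ENC(...) value under the same
# keyfile (which is why one keyfile can be shared across systems).
mpp_encrypt_password() {                  # $1 = keyfile, $2 = plaintext
  kf=$(mpp_unwrap_keyfile "$1")
  key=${kf%% *}; salt=${kf##* }
  c=$(printf '%s' "$2" \
      | openssl enc -aes-256-cbc -pbkdf2 -S "$salt" -pass "pass:$key" -a -A)
  printf 'ENC(%s)\n' "$c"
}

# Decrypt an ENC(...) value; fails when the keyfile is not the one that
# produced it, which is what happens after a keyfile is lost or regenerated.
mpp_decrypt_password() {                  # $1 = keyfile, $2 = ENC(...) value
  kf=$(mpp_unwrap_keyfile "$1")
  key=${kf%% *}
  b=${2#"ENC("}; b=${b%")"}
  printf '%s' "$b" | openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass "pass:$key"
}

# Demonstration with a constructed password and throwaway keyfiles.
if command -v openssl >/dev/null 2>&1; then
  dir=$(mktemp -d)
  mpp_make_keyfile "$dir/keyfile"
  enc=$(mpp_encrypt_password "$dir/keyfile" 'idmTransportUser')
  echo "Encrypted password is $enc"
  echo "Round trip: $(mpp_decrypt_password "$dir/keyfile" "$enc")"
  mpp_make_keyfile "$dir/keyfile.new"     # simulate a regenerated keyfile
  if ! mpp_decrypt_password "$dir/keyfile.new" "$enc" >/dev/null 2>&1; then
    echo "Old ENC() value cannot be decrypted with the new keyfile; re-encrypt it"
  fi
  rm -rf "$dir"
fi
```

Because the salt lives in the keyfile, encryption is deterministic per keyfile. That is what lets a shared keyfile produce identical ENC( ) values on several systems, but it also means two fields holding the same password show the same ciphertext, so the keyfile deserves the same protection as the passwords. The last step shows why every value must be re-encrypted once the keyfile is regenerated.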

Configure Settings for Keyfile, Session ID Cookie Secret, IdM Transport User Password, and SSL Keyfile or Truststore Passphrase

  1. Edit the %CSA_HOME%/portal/conf/mpp.json file:

    {
       "uid": "ccue_mpp",
       "port": 8089,
       "defaultOrganizationName": "CONSUMER",
       "defaultHelpLocale": "en_US",
       "defaultHelpPage": "MarketplacePortal_HELP_CSA.htm",
       "keyfile": "../conf/keyfile",
       "rejectUnauthorized": false,
       "session": {
          "cookieSecret": "ENC(udA/d1FqxrK26qQlu5cO2w==)",
          "timeoutDuration": 1800,
          "cleanupInterval": 3600
       },
       "cart": {
          "thresholdQuantity": 20,
          "maximumQuantity": 100
       },
       "consumption": {
          "enableCatalogAdministration": true,
          "enableOfferingAdministration": true
       },
       "provider": {
          "url": "https://<csahostname>:8444",
          "contextPath": "/csa/api/mpp",
          "strictSSL": true,
          "TLSVersions": "1.2",
          "ca": "C:/csa_fips.crt"
       },
       "idmProvider": {
          "url": "https://<localhost>:8444",
          "returnUrl": "https://<localhost>:8089",
          "contextPath": "/idm-service",
          "username": "idmTransportUser",
          "password": "ENC(Op4ZJjnG4F8b/jalqUA6WVzgBCGarmazThflGYeX8wY=)",
          "strictSSL": true,
          "TLSVersions": "1.2",
          "ca": "C:/csa_fips.crt"
       },
       "https": {
          "enabled": true,
          "options": {
             "passphrase": "ENC(21P/dn5zzdEAvGjEP3Su7A==)",
             "key" : "%CSA_HOME%/portal/conf/.mpp_privateKey.pem",
             "cert" : "%CSA_HOME%/portal/conf/.mpp_publicKey.pem",
             "TLSVersions": "1.2",
             "ciphers" : "TLS_RSA_WITH_3DES_EDE_CBC_SHA:HIGH:!MD5:!aNULL:!EDH",
             "honorCipherOrder" : true
          }
       },
       "ha": {
          "enabled": false,
          "numWorkers": 2,
          "redis": {
             "options": {
                "host": "<localhost>",
                "port": 6379
             }
          }
       },
       "logging": {
          "console": {
             "enabled": false,
             "level": "error"
          },
          "file": {
             "enabled": true,
             "level": "error",
             "maxSizeMB": 10,
             "maxFile": 10
          },
          "cef": {
             "enabled": false,
             "address": "<localhost>",
             "port": 9876,
             "level": "warn"
          }
       },
       "proxy": {
          "enabled": false,
          "port": 8090,
          "contextPath": "/mpp"
       }
    }
  2. Set the following parameters:

    • keyfile is the location of the keyfile generated by the Marketplace Portal password utility (passwordUtil.js). If the keyfile is stored somewhere other than the default location or under a different name, pass that path to passwordUtil.js with the --keyfile parameter and set the same path in the keyfile parameter here, otherwise the portal cannot decrypt the ENC( ) values.
    • session.cookieSecret is the secret used to encrypt the session ID cookie sent to the browser. This is an encryptable field, so enclose the value in ENC( ).
    • idmProvider.password is the password of the transport user that the portal uses to connect to Identity Management (IdM). This is an encryptable field, so enclose the value in ENC( ). The default password for idmProvider.password is idmTransportUser; change this default in production.
    • https.options.passphrase is the passphrase protecting the SSL private key file or truststore. This is an encryptable field, so enclose the value in ENC( ). The default password for https.options.passphrase is changeit.
  3. Set the path of the CSA web server's public certificate (the CSA configuration file named csa_fips.crt) in both of the following parameters:

    • provider.ca

    • idmProvider.ca

Note Do not copy the encrypted values from this example: the encryption key and salt are generated and stored in the keyfile, so a value produced on one system decrypts only with that system's keyfile. You can, however, reuse one keyfile on multiple systems; because the key and salt are fixed by the keyfile, the same password encrypts to the same ENC( ) value in mpp.json on every system that shares it.

Configure TLS

The Marketplace Portal uses the NodeJS HTTPS module to enable TLS. OpenSSL is used to perform the encryption and decryption.

FIPS 140-2 permits only TLS (not SSL). You must also configure the Marketplace Portal to use a FIPS-compliant cipher suite.

To configure the Marketplace Portal to use a FIPS-compliant cipher, do the following:

  1. Edit the %CSA_HOME%\portal\conf\mpp.json file:

    "https": {
      "enabled": true,
      "options": {
        "passphrase": "ENC(pEYj2aVNBVUyH85PDnVjZg==)",
        "key": "../conf/.mpp_privateKey.pem",
        "cert": "../conf/.mpp_publicKey.pem",
        "TLSVersions": "1.2",
        "ciphers": "TLS_RSA_WITH_3DES_EDE_CBC_SHA:HIGH:!MD5:!aNULL:!EDH",
        "honorCipherOrder": true
      }
    },

  2. Generate the key and cert files from the PKCS#12 file (../conf/.mpp_keystore), as described below.
  3. Restrict the protocol to TLS 1.2: set the TLSVersions parameter to 1.2 (where the secureProtocol parameter is used instead, set it to TLSv1.2_method).

  4. Set the ciphers parameter to TLS_RSA_WITH_3DES_EDE_CBC_SHA:HIGH:!MD5:!aNULL:!EDH. Because this suite is listed first and honorCipherOrder is true, clients that offer 3DES will negotiate it; NIST has since deprecated 3DES (SP 800-131A), so confirm that the suite actually negotiated meets your current compliance requirements (for example with openssl s_client -connect <host>:8089 -tls1_2).

  5. Set the honorCipherOrder parameter to true so that the server's preference order, not the client's, decides the cipher suite.

To generate pem files from the .mpp_keystore you can use these commands:

  1. Generate a private key:

    openssl pkcs12 -in .mpp_keystore -out .mpp_privateKey.pem -nocerts

  2. Generate a public certificate:

    openssl pkcs12 -in .mpp_keystore -out .mpp_publicKey.pem -nokeys

  3. You will be asked for the password to open the .mpp_keystore (default is changeit).

  4. You will be asked to set the PEM pass phrase that protects the exported private key; the Marketplace Portal reads this value from https.options.passphrase.

    Note If you use a password other than the default, encrypt it with passwordUtil and replace the value of https.options.passphrase with the resulting ENC( ) value.
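The PEM-generation steps above, run non-interactively and followed by the checks a practitioner would want before pointing https.options.key and https.options.cert at the files, as an added example that is not part of the product documentation or its scripts. It assumes the PKCS#12 keystore and its password are passed in (the documented default is changeit), and that the new private-key passphrase is the one you will later encrypt with passwordUtil for https.options.passphrase; the demonstration builds a constructed self-signed stand-in for .mpp_keystore, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the product documentation or its scripts):
# run the PEM-generation steps non-interactively and verify the result
# before pointing https.options.key/cert at the files.
# Assumptions: the PKCS#12 keystore path and its password are passed in
# (default "changeit" as documented); the new private-key passphrase is the
# value you will encrypt with passwordUtil for https.options.passphrase.
set -eu

# Extract the private key (PEM, encrypted with $5) and the server's own
# certificate from the PKCS#12 file $1 (opened with $2) into $3 and $4.
mpp_extract_pems() {
  keystore=$1; keystore_pass=$2; key_out=$3; cert_out=$4; key_pass=$5
  # -nocerts: key only; -passout: pass phrase protecting the PEM key
  openssl pkcs12 -in "$keystore" -passin "pass:$keystore_pass" \
      -nocerts -out "$key_out" -passout "pass:$key_pass"
  # -nokeys -clcerts: the end-entity certificate only, no CA certificates
  openssl pkcs12 -in "$keystore" -passin "pass:$keystore_pass" \
      -nokeys -clcerts -out "$cert_out"
  chmod 600 "$key_out"
}

# Succeeds only if the key PEM is passphrase-protected (PKCS#8 encrypted).
mpp_key_is_encrypted() {                 # $1 = key PEM
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Succeeds only if the private key $1 (passphrase $2) and certificate $3
# carry the same public key; a wrong passphrase or a mismatched pair fails.
mpp_key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$3" -noout -pubkey)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Demonstration on a constructed stand-in keystore (self-signed, exported
# with the documented default password "changeit") written into $1.
mpp_demo() {                             # $1 = working directory, $2 = new key pass
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mpp.example.test' \
      -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null
  openssl pkcs12 -export -in "$1/c.pem" -inkey "$1/k.pem" \
      -out "$1/.mpp_keystore" -passout pass:changeit
  mpp_extract_pems "$1/.mpp_keystore" changeit \
      "$1/.mpp_privateKey.pem" "$1/.mpp_publicKey.pem" "$2"
  mpp_key_is_encrypted "$1/.mpp_privateKey.pem"
  mpp_key_matches_cert "$1/.mpp_privateKey.pem" "$2" "$1/.mpp_publicKey.pem"
  echo "key and cert extracted to $1 and verified; encrypt '$2' with passwordUtil for https.options.passphrase"
}

if command -v openssl >/dev/null 2>&1; then
  mpp_demo "$(mktemp -d)" 'example-key-pass'
fi
```

For the real keystore, call mpp_extract_pems with ../conf/.mpp_keystore and the pass phrase you chose, then run the two checks against the resulting files. If the keystore was written with older PKCS#12 algorithms (RC2 or 3DES) and you are on OpenSSL 3, the pkcs12 commands may need the -legacy option to read it. Once the portal is restarted, openssl s_client -connect <host>:8089 -tls1_2 shows the protocol and cipher suite actually negotiated.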