
Configure CSA Properties

To configure CSA properties for FIPS 140-2 compliance:

  1. Open a command prompt and change to the %CSA_HOME%\jboss-as\standalone\deployments\csa.war\WEB-INF\classes directory. For example:

    C:\Program Files\HPE\CSA\jboss-as\standalone\deployments\csa.war\WEB-INF\classes

  2. Open the csa.properties file in an editor and make the following changes:

    a. Verify that the enableHPSSO property is either set to false or commented out.

    b. Set the com.hp.csa.service.ssl.certificate.validation property to true.

    c. Comment out the following properties of the global search feature (global search is not supported when CSA is configured for FIPS 140-2 compliance):

      • csa.provider.es.authPassword
      • csaKeystore
      • csaKeystorePassword

    d. Configure the following properties:

      Property: useExternalProvider

        Required. For FIPS 140-2 compliance, uncomment this property and set it to true.

        When enabled, CSA uses the RSA BSAFE libraries to encrypt and decrypt passwords. A password that was encrypted with different libraries (for example, before this property was enabled) will not decrypt to a valid value.

        If you cannot connect to the database after configuring CSA for FIPS 140-2 compliance, re-encrypt the database password in the database properties file.

        Default: commented out (disabled)

      Property: securityProviderName

        Required. The name of the FIPS 140-2 compliant provider. By default, CSA uses the RSA BSAFE provider, and this property should be set to JsafeJCE.

      Property: keySize

        Optional. The key size used for CSA encryption. The default key size is 128. If you manually enter a different key size when encrypting a password, uncomment this property and set it to the key size that was used to encrypt the passwords.

        Note All passwords must be encrypted using the same key size.

        By default, the password encryption utility encrypts all passwords with a key size of 128, even if you do not specify a key size when running the utility.

      Property: keystore

        Required. The absolute path to and file name of the CSA encryption keystore. This PKCS #12 keystore stores the key that CSA uses to encrypt and decrypt data.

        Example (using the example name from Create a CSA Encryption Keystore):

        %CSA_HOME%/jboss-as/standalone/configuration/csa_encryption_keystore.p12

        Note Use only forward slashes (/) as path separators.

      Property: keyAlias

        Required. The alias that identifies the CSA encryption key in the CSA encryption keystore.

        Example (using the example name from Create a CSA Encryption Keystore):

        csa_encryption_key

      Property: keystorePasswordFile

        Required. The absolute path to and file name of the CSA encryption keystore password file. This is a temporary file that stores the CSA encryption keystore password in clear text. The file is required to start the CSA service and is deleted automatically once the service has started. Because it holds the password in clear text, create it immediately before starting the service and restrict its file permissions to the account that runs CSA.

        The password file must contain only the following line: keystorePassword=<CSA encryption keystore password>

        where <CSA encryption keystore password> is the CSA encryption keystore password in clear text.

        Note Use only forward slashes (/) as path separators.

      Property: encryptedKeyFile

        Required. The absolute path to and file name of the file that holds the CSA encrypted symmetric key.

        Example (using the example name from Create a CSA Encryption Keystore):

        %CSA_HOME%/jboss-as/standalone/configuration/key.dat

        Note Use only forward slashes (/) as path separators.

      Property: csaTruststore

        Required. The CSA truststore that stores trusted Certificate Authority certificates. This is the truststore you created in Step 1: Create a CSA server keystore that supports PKCS #12.

        Note This property is located in another section of the csa.properties file.

        Example (using the example name of the CSA server truststore from Create a CSA Encryption Keystore):

        %CSA_HOME%/jboss-as/standalone/configuration/csa_server_truststore.p12

        Note Use only forward slashes (/) as path separators.

      Property: csaTruststorePassword

        Required. The encrypted password of the CSA server truststore named in csaTruststore (see Encrypt a Marketplace Portal Password for instructions on encrypting passwords). An encrypted password is written as ENC(...): the ENC prefix, no separating spaces, and the encrypted value enclosed in parentheses.

        Default: No default specified

        Example

        ENC(9eC7TTnB0uGOGK5U648UITcEV5AuV5T)

        Note This property is located in another section of the csa.properties file.

        This is the <CSA server truststore password> from Create a CSA Encryption Keystore.

  3. Copy the values of the properties you configured in the property table in step 2 to the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\idm-security.properties file. The property values must be identical in both files.

  4. When configuring a command line tool, copy the same property values to the tool's configuration file. If the database connection string does not already end with ;ssl=authenticate, append it.

  5. When you run a tool, add the following JVM system properties: -Dcom.sun.net.ssl.enableECC=false and -Djsse.enableCBCProtection=false

    For example:

      java -Dcom.sun.net.ssl.enableECC=false -Djsse.enableCBCProtection=false -jar provider-tool.jar <tool parameters>

    Note Each time a tool is executed, the keystore password file must be created again for that execution. Its content (format and password) must be the same as the one used for CSA startup.

    Note Remote console access does not support FIPS, so disable it when CSA runs in FIPS mode. To disable remote console access, see the section "Install and Configure Remote Console Service" in the Cloud Service Automation Installation Guide.
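The rules in steps 2 through 5 are easy to get subtly wrong (a global search property left active, a backslash path, a clear-text csaTruststorePassword, or a value that differs between csa.properties and idm-security.properties). The following checker is an added example, not code from HPE CSA or its documentation. It assumes plain Java-style .properties syntax without line continuations, uses constructed sample file contents (the compliant excerpt reuses the example names from this page, the keystore password file name keystore_password.txt is assumed), and builds the idm-security.properties sample by copying the required values, as step 3 requires. It also shows how to create the clear-text keystorePassword file for a single tool run and remove it afterwards.

```python
"""Checker for the FIPS 140-2 settings in csa.properties and idm-security.properties.
Added example, not HPE CSA product code: parses Java-style .properties text, tracking
commented-out keys so "must be commented out" rules can be checked. Samples are constructed."""
import os, re, tempfile
from contextlib import contextmanager

REQUIRED = ("useExternalProvider", "securityProviderName", "keystore", "keyAlias",
            "keystorePasswordFile", "encryptedKeyFile", "csaTruststore",
            "csaTruststorePassword")
GLOBAL_SEARCH = ("csa.provider.es.authPassword", "csaKeystore", "csaKeystorePassword")
PATH_PROPS = ("keystore", "keystorePasswordFile", "encryptedKeyFile", "csaTruststore")

def parse_properties(text):
    """(active, commented) key->value dicts; '#'/'!' comments, '=' or ':' separators."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line, target = raw.strip(), active
        if line[:1] in ("#", "!"):
            target, line = commented, line[1:].strip()
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            target[m.group(1)] = m.group(2).strip()
    return active, commented

def check_csa_properties(text):
    """Findings against the rules in step 2; an empty list means the file complies."""
    active, _ = parse_properties(text)
    findings = []
    if active.get("enableHPSSO", "false").lower() != "false":
        findings.append("enableHPSSO must be false or commented out")
    if active.get("com.hp.csa.service.ssl.certificate.validation", "").lower() != "true":
        findings.append("com.hp.csa.service.ssl.certificate.validation must be true")
    findings += [f"{k} must be commented out (global search is unsupported under FIPS)"
                 for k in GLOBAL_SEARCH if k in active]
    findings += [f"{k} is required" for k in REQUIRED if not active.get(k)]
    if active.get("useExternalProvider", "true").lower() != "true":
        findings.append("useExternalProvider must be true (RSA BSAFE password encryption)")
    if active.get("securityProviderName", "JsafeJCE") != "JsafeJCE":
        findings.append("securityProviderName should be JsafeJCE")
    findings += [f"{k}: use only forward slashes as path separators"
                 for k in PATH_PROPS if "\\" in active.get(k, "")]
    pw = active.get("csaTruststorePassword", "")
    if pw and not re.fullmatch(r"ENC\([^\s()]+\)", pw):
        findings.append("csaTruststorePassword must be an encrypted ENC(...) value")
    return findings

def check_same_values(csa_text, idm_text, keys=REQUIRED):
    """Step 3: keys whose values differ between csa.properties and idm-security.properties."""
    csa, _ = parse_properties(csa_text)
    idm, _ = parse_properties(idm_text)
    return [k for k in keys if csa.get(k) != idm.get(k)]

@contextmanager
def keystore_password_file(path, password):
    """Create the clear-text keystorePassword file for one tool run, then delete it."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"keystorePassword={password}\n")  # the only line the file may contain
    try:
        os.chmod(path, 0o600)  # owner-only on POSIX; Windows only honours the read-only bit
        yield path
    finally:
        if os.path.exists(path):
            os.remove(path)

def password_file_roundtrip(password):
    """Content seen while the file exists, and whether it survived the run (it must not)."""
    path = os.path.join(tempfile.mkdtemp(), "keystore_password.txt")  # assumed file name
    with keystore_password_file(path, password) as p, open(p, encoding="utf-8") as f:
        content = f.read()
    return content, os.path.exists(path)

# Constructed csa.properties excerpt after the changes in step 2
SAMPLE_CSA = """\
#enableHPSSO=true
com.hp.csa.service.ssl.certificate.validation=true
#csa.provider.es.authPassword=ENC(unused)
useExternalProvider=true
securityProviderName=JsafeJCE
keystore=%CSA_HOME%/jboss-as/standalone/configuration/csa_encryption_keystore.p12
keyAlias=csa_encryption_key
keystorePasswordFile=%CSA_HOME%/jboss-as/standalone/configuration/keystore_password.txt
encryptedKeyFile=%CSA_HOME%/jboss-as/standalone/configuration/key.dat
csaTruststore=%CSA_HOME%/jboss-as/standalone/configuration/csa_server_truststore.p12
csaTruststorePassword=ENC(9eC7TTnB0uGOGK5U648UITcEV5AuV5T)
"""
# idm-security.properties with the same values, made by copying them over (step 3)
SAMPLE_IDM = "\n".join(l for l in SAMPLE_CSA.splitlines() if l.split("=")[0] in REQUIRED)
# Pre-FIPS file: SSO on, no cert validation, global search active, BSAFE off, backslash path
SAMPLE_WEAK = r"""enableHPSSO=true
com.hp.csa.service.ssl.certificate.validation=false
csa.provider.es.authPassword=ENC(unused)
#useExternalProvider=true
keystore=C:\csa\csa_encryption_keystore.p12
csaTruststorePassword=changeit
"""

if __name__ == "__main__":
    print(check_csa_properties(SAMPLE_WEAK))
    print(check_same_values(SAMPLE_CSA, SAMPLE_IDM), password_file_roundtrip("example-only"))
```

Run it against the real files by reading them into check_csa_properties and check_same_values; the parser tracks commented-out keys on purpose, so a property that is present but commented out counts as "not set" for the required-value checks and as compliant for the global search rule. The context manager closes the file handle before deleting the file, which matters on Windows where an open file cannot be removed.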