FIPS 140-2 compliance
This chapter explains how to configure HP Codar to be compliant with Federal Information Processing Standards (FIPS) 140-2.
Caution: Do NOT configure any other feature of HP Codar and do not use any of the HP Codar tools before configuring HP Codar to be compliant with FIPS 140-2. If you have configured any feature or used one of the tools, you must re-install HP Codar before you can configure HP Codar to be compliant with FIPS 140-2.
Note: HP Codar that is compliant with FIPS 140-2 supports the Microsoft SQL database and Oracle JRE only. For more information about application and version requirements, see the Codar System and Software Support Matrix.
FIPS 140-2 is a standard for security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST). To view the publication for this standard, go to:
csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
After you have configured HP Codar for FIPS 140-2 compliance, HP Codar uses or complies with the following:
- RSA BSAFE Crypto software
- Keystore and truststore: PKCS #12
- Asymmetric algorithm: RSA
- Symmetric-key algorithm: AES
- Random number generation algorithm: HMAC DRBG (128-bit)
- Hashing algorithm: SHA-256
Prerequisites
Before configuring HP Codar to be compliant with FIPS 140-2, do the following:
- Verify that you are configuring a new or fresh installation of HP Codar version 1.80 to be compliant with FIPS 140-2. You cannot configure an upgraded installation of HP Codar version 1.80 or an installation of HP Codar version 1.80 that is in use.
- Back up the following directories:
  - CSA_HOME\jboss-as\standalone\deployments\csa.war\ or CSA_HOME/jboss-as/standalone/deployments/csa.war/
  - CSA_HOME\jboss-as\standalone\deployments\idm-service.war\ or CSA_HOME/jboss-as/standalone/deployments/idm-service.war/
  - CSA_HOME\jboss-as\standalone\configuration\ or CSA_HOME/jboss-as/standalone/configuration/
  - CSA_HOME\portal\conf\ or CSA_HOME/portal/conf/
  - CSA_HOME\node.js\ or CSA_HOME/node.js/
  - CSA_JRE_HOME\lib\security or CSA_JRE_HOME/lib/security

  (where certificate_key_file is the same keystore file defined by the certificate-key-file attribute in the ssl element of the CSA_HOME\jboss-as\standalone\configuration\standalone.xml file (for example, CSA_HOME\jboss-as\standalone\configuration\.keystore). certificate_key_file_password is the password to the keystore file. certificate_key_file_type is the keystore type (for example, JKS or PKCS12).)
- Download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the following site:
  http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
  See the Readme.txt file from the downloaded content for information on how to deploy the files and upgrade the JRE used by HP Codar.
- Download and install the Microsoft Visual C++ 2010 Redistributable Package (x86) from the following site:
  http://www.microsoft.com/en-us/download/details.aspx?id=5555
- Install the RSA BSAFE Crypto software files. On the system on which HP Codar is installed, unzip \rsa\CSAFIPS.zip (or /rsa/CSAFIPS.zip) to CSA_JRE_HOME\lib\ext\ (or CSA_JRE_HOME/lib/ext/).
- Install the recompiled version of NodeJS needed for FIPS compliance. On the system on which HP Codar is installed, unzip the \fips\nodejs-fips-windows.zip file to the CSA_HOME\node.js\ (or CSA_HOME/node.js/bin/) directory.
- Contact your HP representative to obtain the hotfix for QCCR1D187886. This hotfix contains the recompiled versions of OpenSSL and NodeJS needed for FIPS compliance.
  Extract the following files from the hotfix \fips\nodejs-fips-windows.zip file to the CSA_HOME\node.js\ (or CSA_HOME/node.js/bin/) directory:
  - node.exe
  - node.bat
  - libeay32.dll
  - ssleay32.dll
Note: Once you have configured HP Codar to be compliant with FIPS 140-2, you cannot revert back to the standard configuration unless you uninstall and re-install HP Codar.
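The backup step from the prerequisites, as an added example that is not part of the HP Codar documentation or tooling: it archives the Linux-style directories from the list, refuses to run if any of them is missing, and records a SHA-256 digest so the archive can be checked later. The function names and the archive name codar-pre-fips.tar are assumptions.

```shell
#!/bin/sh
# Added example, not HP Codar code: archive the prerequisite directories
# (Linux-style paths from the list above) and record a SHA-256 digest.
# The archive name codar-pre-fips.tar and function names are assumptions.

CSA_HOME_DIRS="jboss-as/standalone/deployments/csa.war
jboss-as/standalone/deployments/idm-service.war
jboss-as/standalone/configuration
portal/conf
node.js"
CSA_JRE_DIRS="lib/security"

# Print the SHA-256 hex digest of a file (sha256sum, or shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_codar_dirs CSA_HOME CSA_JRE_HOME DEST_DIR
# Prints the archive path. Fails without writing if any directory is missing.
backup_codar_dirs() {
    csa_home=$(cd "$1" && pwd) || return 1
    jre_home=$(cd "$2" && pwd) || return 1
    dest=$(cd "$3" && pwd) || return 1
    archive="$dest/codar-pre-fips.tar"
    missing=0
    set --
    for d in $CSA_HOME_DIRS; do
        [ -d "$csa_home/$d" ] || { echo "missing: $csa_home/$d" >&2; missing=1; }
        set -- "$@" "$d"
    done
    [ -d "$jre_home/$CSA_JRE_DIRS" ] || { echo "missing: $jre_home/$CSA_JRE_DIRS" >&2; missing=1; }
    [ "$missing" -eq 0 ] || return 1
    # The configuration directory can hold keystores, so restrict the archive.
    ( umask 077
      tar -cf "$archive" -C "$csa_home" "$@" -C "$jre_home" "$CSA_JRE_DIRS" ) || return 1
    sha256_of "$archive" > "$archive.sha256"
    echo "$archive"
}

# verify_codar_backup ARCHIVE: recompute the digest and compare to the record.
verify_codar_backup() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}
```

Call it as backup_codar_dirs CSA_HOME CSA_JRE_HOME DEST_DIR with your own values, and store the archive and its .sha256 file off the HP Codar system.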
Examples used in this section
The following table is a quick reference to the items and values used in the FIPS 140-2 examples. Also included are the names used in this document to reference the items. If you choose to use different values for these items, you must substitute the different value in all of the FIPS 140-2 examples in this document.
Item | Referenced as | Description | Value Used in Examples |
---|---|---|---|
Directory where HP Codar is installed | CSA_HOME | The directory in which the HP Codar product is installed. | |
Directory where the JRE used by HP Codar is installed | CSA_JRE_HOME | The directory in which the JRE used by the HP Codar product is installed. For example, C:\Program Files\ or /usr/local/bin/CSAjre/jre. | CSA_JRE_HOME |
Keystore for encryption | HP Codar encryption keystore | The keystore that stores the keypair that is used to encrypt and decrypt HP Codar's symmetric key (also known as the secret key). HP Codar's symmetric key is used to encrypt and decrypt HP Codar's data. | |
Keystore alias for encryption | HP Codar encryption keystore alias | The alias is a name assigned to identify a keypair in the HP Codar encryption keystore. This keypair is used by HP Codar to encrypt and decrypt HP Codar's symmetric key. | csa_encryption_key |
Key for encryption | HP Codar encryption keystore file or encrypted symmetric key | This is the file containing HP Codar's encrypted symmetric key and used by HP Codar to encrypt and decrypt data in HP Codar. | |
Keystore password for encryption | HP Codar encryption keystore password | This is the password used to access the HP Codar encryption keystore. | <HP Codar encryption keystore password> |
Keystore for secure communication | Codar server keystore | This is a file that stores the keypair used for secure communication and is the identity of the HP Codar server. | |
Keystore alias for secure communication | Codar server keystore alias | The alias is a name assigned to identify the HP Codar TLS keypair. When used with keytool's -export option, the alias is the name used by the Codar server keystore to identify the certificate. | csa_fips |
Keystore password for secure communication | Codar server keystore password | This is the password used to access the Codar server keystore. | <Codar server keystore password> |
Certificate for HP Codar | HP Codar's certificate | This is the certificate for HP Codar that must be imported into an application's truststore if HP Codar communicates with this application using TLS. | |
Truststore for secure communication | Codar server truststore | This is the truststore that holds all certificates for trusted applications that communicate with HP Codar using TLS. | |
Truststore alias for secure communication | Codar server truststore alias | When used with keytool's -import option, the alias is a name assigned to identify the certificate imported into the HP Codar truststore. Typically the truststore alias is identical to the keystore alias used to generate the certificate. | csa_fips (alias for HP Codar's certificate); pas (alias for the root certificate of Operations Orchestration's Certificate Authority) |
Truststore password for secure communication | Codar server truststore password | This is the password used to access the Codar server truststore. | <Codar server truststore password> |
Configuration overview
Complete the following steps to configure HP Codar to be compliant with FIPS 140-2:
- Stop HP Codar
- Update applicationContext.xml to be FIPS 140-2 compliant
- Configure properties in Java security file
- Create HP Codar encryption keystore
- Create new keystore and truststore for secure communication
- Encrypt HP Codar passwords again
- Configure HP Codar properties
- Configure Identity Management component
- Start HP Codar
- Test secure connections