Configure OMi for FIPS 140-2 Compliance

Install and Configure OMi

You can install and configure OMi in a distributed environment in any of the following ways:

  • Parallel installation, serial configuration. You can run the OMi installation on all servers in parallel. The configuration wizard, however, must be run on the data processing server first. After you configure OMi on the first data processing server, continue by configuring it on the other data processing servers, and then on the gateway servers.

  • Serial installation and configuration. You can run the OMi installation and configuration on each server successively. In this case, install and configure OMi on the data processing server first. After you install and configure OMi on the first data processing server, continue by installing and configuring OMi on the other data processing servers, and then on the gateway servers. The wizard will direct you as to when to begin the installation on the gateway server.

Caution: When the OMi post-installation wizard offers you the option to start the configuration wizard automatically, click Quit. To configure OMi in FIPS mode, you must start the configuration wizard manually. For details, see Configure OMi in FIPS Mode.

When installing OMi, follow the instructions in the Install section.

Configure OMi in FIPS Mode

To configure OMi in FIPS mode, follow these steps:

  1. Start the configuration wizard manually:

    • Windows: <OMi_HOME>\bin\config-server-wizard.bat -FIPS
    • Linux: /opt/HP/BSM/bin/config-server-wizard.sh -FIPS
  2. In the FIPS Configuration dialog box, click Yes to confirm that you want to configure OMi to run in FIPS mode.

    Caution: FIPS mode cannot be reverted. After OMi is configured to run in FIPS mode, it cannot be reconfigured to run in standard, non-FIPS mode. To run OMi in non-FIPS mode, you must reinstall the application and configure it as described in the Install section.

  3. In the Configuration Options page, click Custom configuration, and then click Next.

    Tip: To configure OMi in silent mode based on a configuration file, click Create configuration file for silent configuration and continue with the wizard. After the configuration wizard completes, OMi generates the configuration file at the location you specified. The file contains the values that you selected in the configuration wizard. To start the silent configuration, type:

    • Windows: <OMi_HOME>\bin\silentConfigureBSM.bat <ConfigurationFile>.xml -FIPS
    • Linux: /opt/HP/BSM/bin/silentConfigureBSM.sh <ConfigurationFile>.xml -FIPS
  4. In the Database Settings page, select the database you want to use with OMi. You can choose to connect to an already existing, preconfigured database or user schema (this applies to the database that is originally created with a system in FIPS mode), or let the configuration wizard create a new database or user schema.

    Click Next to continue.

  5. In the TLS Setup page, Enable HTTPS is selected by default to configure OMi to accept only secure connections to its web server and JMX console.

    If your company uses a Certificate Authority (CA) that can generate certificates for OMi, click the Upload certificates option. Alternatively, click OMi-generated certificates if you want OMi to generate the certificates required for the configuration.

    Click Next to continue.

  6. In the Certificate Upload page, specify the certificates you received from the CA used by your company.

    Caution: The minimum key length for certificates is 2048 bits.

    If you let OMi generate the required certificates, you can optionally customize the key options and contents of the certificates generated by the OMi CA. You can define certificate settings for the OMi root CA and for the OMi server for which the certificate is issued.

    Click Next to continue.

  7. Optional. In the Client Certificate Authentication page, configure OMi to require a client certificate when users log in to OMi or when web services connect to OMi.

    Depending on the deployment, you can configure OMi to authenticate the client on the OMi web server or, if available, the load balancer.

    Caution: Do not enable client certificate authentication if you are configuring OMi for the first time. Before enabling client certificate authentication, OMi must be already configured and a superadmin user must exist. For more information, see the Administer section.

    Click Next to continue.

  8. In the Connection Settings page, Apache HTTP Server is selected by default.

    OMi automatically configures the embedded Apache web server for FIPS. In FIPS mode, Apache requires TLS 1.2 or later.

    Note: If you have a load balancer in the environment, enter the FQDN and port of the load balancer in the URL field.

    Click Next to continue.

  9. In the License page, configure the license that OMi uses, and then click Next.

  10. In the Login Settings page, set the passwords of the OMi users.

    OMi supports central user management and corporate password policies; it can communicate with directory services by using LDAP. HPE recommends this configuration to enforce compliance of OMi user passwords with your company's security policy. To configure the LDAP integration, navigate to Administration > Users > Authentication Management in the OMi user interface.

    LDAP authentication of all users is possible only when the mixed mode authentication is disabled in the OMi LDAP infrastructure settings. For instructions on how to adjust this setting, see the Administer section.

    Click Next to continue.

  11. In the Server Deployment page, you can define the size of your OMi deployment.

    Click Next to continue.

  12. In the Management Packs page, select the management packs to install in your OMi deployment. Dependencies between management packs are resolved automatically.

    Click Next to continue.

  13. In the Confirmation page, verify your selections, and then click Next to start the configuration in FIPS mode.

  14. After OMi is successfully configured, a summary of the configuration changes appears. Click Finish to conclude the configuration.
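
A pre-upload check for the Certificate Upload page (step 6), as an added example that is not part of the HPE documentation: it uses the openssl command-line tool, assumed to be installed, to confirm that each PEM certificate carries an RSA key of at least 2048 bits. The script name, the function names, and the decision to flag non-RSA keys for a manual check are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not HPE tooling. Assumes the openssl CLI is installed.
# Usage: ./check-cert-keylen.sh server.pem ca.pem   (script name is hypothetical)

MIN_BITS=${MIN_BITS:-2048}   # minimum key length required for OMi certificates

# Print the RSA key size in bits of a PEM certificate.
# Returns 2 if the file is not a readable certificate, 3 if the key is not RSA.
cert_key_bits() {
    local text bits
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    case "$text" in
        *'Public Key Algorithm: rsaEncryption'*) ;;
        *) return 3 ;;
    esac
    # Matches "Public-Key: (2048 bit)" and the older "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 2
    printf '%s\n' "$bits"
}

# Return 0 if the certificate may be uploaded, 1 if its key is too short,
# 2 if it is unreadable, 3 if it needs a manual check (non-RSA key).
check_cert() {
    local bits rc=0
    bits=$(cert_key_bits "$1") || rc=$?
    case "$rc" in
        2) echo "UNREADABLE $1: not a PEM certificate"; return 2 ;;
        3) echo "MANUAL $1: non-RSA key, bit-length rule not applied"; return 3 ;;
    esac
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "REJECT $1: ${bits}-bit RSA key is below ${MIN_BITS} bits"
        return 1
    fi
    echo "OK $1: ${bits}-bit RSA key"
}

# Check every file given; return 1 if any of them is not OK.
check_all() {
    local rc=0 f
    for f in "$@"; do
        check_cert "$f" || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_all "$@"; fi
```

Run it against the server certificate and every CA certificate in the chain before starting the wizard; a non-zero exit status means at least one file should not be uploaded as is.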

Start OMi

Start the OMi server processes as follows:

Note: Distributed environments only. Before starting OMi server processes on the data processing server, make sure that OMi is installed and configured on at least one gateway server.

  • Windows 2008: Select Start > Programs > HPE Operations Manager i > Administration > Enable Operations Manager i.

  • Windows 2012: Press Ctrl + Esc and start typing Enable HPE Operations Manager i. Then click Enable Operations Manager i in the search results.

  • Linux: /opt/HP/BSM/scripts/run_hpbsm start

Log in to OMi

To log in to OMi, follow these steps:

  1. Make sure the computer and browser that you want to use to access OMi meet the requirements listed in Client Requirements.

  2. In the browser, enter the following URL:

    https://<server_name>.<domain_name>/omi

    In this instance, <server_name> and <domain_name> represent the Fully Qualified Domain Name (FQDN) of the OMi server (for example, https://server.example.com/omi). If there are multiple servers, or if OMi is deployed in a distributed architecture, specify the load balancer or gateway server URL, as required.

For more information on logging in to OMi, see Log into OMi.