Requirements

Server Requirements

In addition to the hardware and software requirements listed in the Install section, make sure the systems on which you plan to run OMi in FIPS mode meet the following requirements:

  • OMi 10.11 or later is installed.

  • FIPS mode is enabled in the operating system of the OMi server. Configure the operating system according to the FIPS documentation of your OS (RedHat Linux 6, RedHat Linux 7, or Windows).

For up-to-date information about supported components and versions, see Support Matrices for Operations Center products.

Database Requirements

When configuring OMi in FIPS mode, you must use either the Microsoft SQL Server or Oracle database.

Certificate Requirements

In FIPS mode, certificates must have a key length of at least 2048 bits.

When using HTTPS communication between OMi and the database, the database certificate cannot be imported automatically by the configuration wizard. You must import the certificate manually.

The BBCTrustServer command-line interface and the Connect and Import from Server button in the Outgoing Connection section of a connected server do not work when OMi runs in FIPS mode. The certificate must be exported on the integrating server and manually imported to the OMi server. For details, see Special configurations.

Client Requirements

In addition to the client requirements listed in the Install section, make sure you do the following:

Configure the Browser for FIPS Mode

Configure the browser that you want to use to access OMi running in FIPS mode as follows:

Internet Explorer users must enable the use of TLS 1.2 or later (Internet Options > Advanced > Security).

Configure the JRE for FIPS Mode

To be able to access OMi UIs that use Java applets or to access the Java UI of the RTSM, you must place the required libraries in the JRE directory of your client system:

  1. Copy the Crypto-J libraries into the JRE directory of your client system:

    Copy from:

    <OMi_HOME>/odb/lib/cryptojce-6.2.jar

    <OMi_HOME>/odb/lib/cryptojcommon-6.2.jar

    <OMi_HOME>/odb/lib/jcmFIPS-6.2.jar

    Copy to:

    <jre_dir_path>/lib/ext/

  2. Download the JCE Unlimited Strength Jurisdiction Policy libraries from the Oracle Java website:

    http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

    Copy the downloaded JCE Unlimited Strength Jurisdiction Policy libraries to the Java security directory on your client system:

    <jre_dir_path>/lib/security

  3. The java.security file must list the JsafeJCE provider as a standard cryptography provider in the providers list. In addition, for TLS communication, the SunJSSE TLS provider is configured in FIPS mode by changing the provider entry in the fifth position. SunJSSE runs in FIPS mode when it is associated with a FIPS 140 certified cryptographic provider (JsafeJCE) that supplies the implementations of all cryptographic algorithms required by SunJSSE.

    Edit the file <jre_dir_path>/lib/security/java.security.

    Insert the following lines right before the list of providers:

    com.rsa.cryptoj.fips140initialmode=FIPS140_SSL_MODE
    com.rsa.cryptoj.kat.strategy=on.load

    Edit the cryptographic provider list so that it includes the FIPS 140-2 certified cryptographic provider (JsafeJCE):

    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.rsa.jsafe.provider.JsafeJCE
    security.provider.3=sun.security.rsa.SunRsaSign
    security.provider.4=sun.security.ec.SunEC
    security.provider.5=com.sun.net.ssl.internal.ssl.Provider JsafeJCE
    security.provider.6=com.sun.crypto.provider.SunJCE
    security.provider.7=sun.security.jgss.SunProvider
    security.provider.8=com.sun.security.sasl.Provider
    security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.10=sun.security.smartcardio.SunPCSC
    security.provider.11=sun.security.mscapi.SunMSCAPI

  4. Create the FIPS-compliant client truststore:

    1. Create the jssecacerts trusted certificates store of type PKCS12 by using the JsafeJCE provider:

      In FIPS mode the client JRE uses a different trusted certificate store, of type PKCS12, created by using the JsafeJCE provider. The new jssecacerts file is generated by converting the client JRE cacerts file from JKS to PKCS12 and copying all the trusted certificates from cacerts into jssecacerts. The <OMi_HOME>\odb\tools\security folder contains a Java tool, jks2pkcs12.jar, that performs this conversion. The keystore converter tool takes two parameters: the keystore to be converted, of type JKS (cacerts), and the newly generated keystore of type PKCS12 (jssecacerts).

      Copy the cacerts file from the client JRE machine (for example, C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts) to a folder on the UCMDB server machine. Then run the following command to perform the conversion.

      Create jssecacerts by converting the client JRE cacerts file:

      <OMi_HOME>\JRE\bin\java -Djava.security.properties=<OMi_HOME>\JRE\lib\security\java.security.FIPS -jar <OMi_HOME>\odb\tools\security\jks2pkcs12.jar <input_folder>\cacerts <output_folder>\jssecacerts

      When prompted for the keystore password, you should use the password changeit because this is the default password for the cacerts file.

    2. Export the hproot server root certificate by running the following command from <OMi_HOME>\JRE\bin:

      <OMi_HOME>\JRE\bin\keytool -exportcert -alias hproot -keystore <OMi_HOME>\odb\conf\security\hproot.keystore -storetype pkcs12 -providername JsafeJCE -providerclass com.rsa.jsafe.provider.JsafeJCE -file <output_folder>\hproot.crt

      When prompted for the keystore hproot.keystore password, use hppass.

    3. Import the hproot server root certificate, which you created in the previous step, into the client jssecacerts keystore as a trusted certificate:

      Import hproot into client truststore (jssecacerts):

      <OMi_HOME>\JRE\bin\keytool -import -trustcacerts -keystore <path_to_jssecacerts> -storetype pkcs12 -providername JsafeJCE -providerclass com.rsa.jsafe.provider.JsafeJCE -storepass changeit -alias hproot -file <path_to_hproot.crt>

      If you are prompted whether to trust this certificate, answer yes.

    4. Import the web server root CA certificate from ca_root.cer into the client jssecacerts keystore as a trusted certificate:

      Import ca_root.cer into client truststore (jssecacerts):

      <OMi_HOME>\JRE\bin\keytool -import -trustcacerts -keystore <path_to_jssecacerts> -storetype pkcs12 -providername JsafeJCE -providerclass com.rsa.jsafe.provider.JsafeJCE -storepass changeit -file <OMi_HOME>\WebServer\conf\ca_root.cer

      If you are prompted whether to trust this certificate, answer yes.

    5. Copy the newly generated jssecacerts file from the server machine to the client JRE, inside the lib\security folder (for example, C:\Program Files (x86)\Java\jre1.8.0_45\lib\security).

    6. Configure the JRE on the client machine to use the new jssecacerts file. To do this, choose one of the following methods:

      • Add the following values to the JAVA_TOOL_OPTIONS environment variable, adjusted to the location of the jssecacerts file:

        -Djavax.net.ssl.trustStoreType=PKCS12
        -Djavax.net.ssl.trustStoreProvider=JsafeJCE
        -Djavax.net.ssl.trustStorePassword=changeit
        -Djavax.net.ssl.keyStorePassword=changeit
        -Djavax.net.ssl.keyStoreType=PKCS12
        -Djavax.net.ssl.keyStoreProvider=JsafeJCE
      • Add these values as runtime parameters by using the Java Control Panel (the javacpl tool).

      Note: All Java applications executed on the client machine may be affected by the changes made in this step.

  5. Restart your web browser.
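As an added verification aid (not part of the OMi documentation or product), the following Python script parses a client java.security file and checks the settings from step 3: the two com.rsa.cryptoj properties, the presence of the JsafeJCE provider, and that the SunJSSE entry is bound to JsafeJCE rather than left in its default non-FIPS form. The sample configuration is constructed from the provider list above; the function and variable names are the example's own.

```python
import re
# Property values and provider classes quoted from step 3 of this page
REQUIRED_PROPERTIES = {"com.rsa.cryptoj.fips140initialmode": "FIPS140_SSL_MODE",
                       "com.rsa.cryptoj.kat.strategy": "on.load"}
JSAFE_CLASS = "com.rsa.jsafe.provider.JsafeJCE"
SUNJSSE_CLASS = "com.sun.net.ssl.internal.ssl.Provider"

def parse_java_security(text):
    """Split java.security into plain properties and security.provider.N entries."""
    props, providers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = re.fullmatch(r"security\.provider\.(\d+)", key)
        if match:
            providers[int(match.group(1))] = value
        else:
            props[key] = value
    return props, providers

def check_fips_providers(text):
    """Return findings; an empty list means the file matches the step 3 configuration."""
    props, providers = parse_java_security(text)
    findings = []
    for key, expected in REQUIRED_PROPERTIES.items():
        if props.get(key) != expected:
            findings.append(f"{key} must be {expected}, found {props.get(key)!r}")
    if JSAFE_CLASS not in providers.values():
        findings.append("JsafeJCE is not in the provider list")
    # SunJSSE runs in FIPS mode only when its entry names the FIPS provider after the class
    jsse = {n: v.split() for n, v in providers.items() if v.split()[:1] == [SUNJSSE_CLASS]}
    if not jsse:
        findings.append("SunJSSE provider entry is missing")
    for n, parts in jsse.items():
        if parts[1:] != ["JsafeJCE"]:
            findings.append(f"security.provider.{n}: SunJSSE is not bound to JsafeJCE")
    return findings

# Constructed sample reproducing the first six providers of the list in step 3
GOOD_CONFIG = """\
com.rsa.cryptoj.fips140initialmode=FIPS140_SSL_MODE
com.rsa.cryptoj.kat.strategy=on.load
security.provider.1=sun.security.provider.Sun
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider JsafeJCE
security.provider.6=com.sun.crypto.provider.SunJCE"""
```

Run check_fips_providers on the contents of <jre_dir_path>/lib/security/java.security after editing it; a stock JRE file yields findings for both missing properties, the absent JsafeJCE entry and the unbound SunJSSE provider.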