Install > Configure OMi FIPS compliancy

Configure OMi FIPS compliancy

This section provides information on how to configure OMi to be compliant with Federal Information Processing Standards (FIPS) 140-2.

FIPS 140-2 is a standard for security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST). To view the publication for this standard, go to:

Caution FIPS mode cannot be reverted. After OMi is configured to run in FIPS mode, it cannot be reconfigured to run in standard, non-FIPS mode. To run OMi in non-FIPS mode, you must reinstall the application and configure it as described in the Install section.

This section includes:

OMi in FIPS Mode

When you configure OMi to run in FIPS mode, the following components are also configured to operate in FIPS mode:

  • Embedded Apache web server

  • HPE Operations Agent installed on the OMi servers

  • Java Runtime Environment

OMi automatically uses FIPS-compliant cryptographic methods for the following:

  • HTTPS communication (if configured) between clients and the OMi web server or load balancer

  • HTTPS communication (if configured) between RTSM clients and RTSM

  • HTTPS communication between HPE Operations Agents or Operations Connectors (OpsCx) and OMi (HTTPS required by default)

  • LDAPS communication between OMi and LDAP server

  • Java keystore and Java Runtime Environment

  • Policy signing

Considerations When Running OMi in FIPS Mode

Before configuring OMi to run in FIPS mode, consider the following points:

  • Installation and Configuration:

    • FIPS mode can be configured at installation time only. It is not possible to upgrade an existing OMi installation to OMi in FIPS mode.
    • FIPS mode cannot be reverted. You must reinstall OMi to switch to non-FIPS mode.
    • Express configuration in FIPS mode is not supported.
  • Integrations:

    Typically, FIPS is not enabled for only a single application. Instead, all integrated systems must be FIPS-compliant for the entire deployment to be FIPS-compliant. For OMi, this means that all clients, connected databases, data providers, and integrations must be configured for FIPS compliance.

    For client requirements, see Client Requirements. For information on how to configure the database to be FIPS-compliant, see database vendor documentation.

  • Encryption:

    • Encryption with a key length of less than 2048 bits is not supported.

    • FIPS mode does not enforce encryption. However, when encryption is used, only approved algorithms are allowed. OMi automatically uses FIPS-compliant cryptographic methods when HTTPS communication is enabled.

    • Configuration exchange using content packs is not supported between OMi servers running in FIPS mode and OMi servers running in non-FIPS mode if the artifacts contain passwords.

  • Database:

    Automatic import of the certificate for TLS communication with the database does not work. The certificate must be imported manually.

    The BBCTrustServer command-line interface and the Connect and Import from Server button in the Outgoing Connection section of a connected server do not work in FIPS mode. The certificate must be exported on the integrating server and manually imported to the OMi server. For details, see Special configurations.

  • Miscellaneous:

    • Authentication using the Security Assertion Markup Language 2.0 (SAML2) protocol is not supported.
    • Secure email notifications are not supported.