
Configure FIPS mode in the IdM Service

Note This step is required only when you want to implement SAML Single Sign-On (SSO) for Service Manager. For more information about SAML SSO, see SAML Single Sign-On.

Prerequisites

Before you proceed, make sure of the following:

  1. You have already configured the IdM JRE for FIPS mode. For details, see the IdM service section in Configure Java for FIPS mode.

  2. You have already generated a CA certificates file and a client keystore for the IdM service host. For details, see Generate FIPS validated certificates for the SM Server and other components.

    • The CA certificates file: \certs\smcacerts.p12
    • The SM Server trusted clients keystore: \certs\trustedclients.p12
    • The IdM keystore file: \key\sun-sun-<IdM host FQDN>.p12 (for example, sun-sun-idmservicehost.mycompany.net.p12)

      Note This keystore will be used to encrypt IdM keys and passwords, and is therefore referred to as the "encryption keystore".

  3. You have enabled FIPS mode on the SM Server side. For details, see Configure FIPS mode in the Server.
  4. You have installed the identity provider (ADFS) and exported the public key of the ADFS certificate to a .cer file (for example, Per_ADFS.cer). For information about how to export the ADFS certificate, see Install and configure the standalone IdM service.

Steps to enable FIPS mode in the IdM service

To enable FIPS mode in the IdM service, perform the following tasks.

Task 1: Create a samlKeystore.p12 file

Out-of-box, the <idm-service>\WEB-INF\classes\security folder contains a keystore file in JKS format (samlKeystore.jks), which is used when IdM is running in standard mode. For FIPS mode, you need to generate a SAML keystore in PKCS 12 format, and then import the identity provider's certificate into this keystore.

Tip You have the option to convert the out-of-box samlKeystore.jks file to .p12 format or generate a new p12 keystore file.

Run the following command to generate a .p12 keystore file:

keytool -genkey -alias <keystore alias> -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore <keystore location>\<keystore name>.p12 -validity <validity period>

For example:

C:\Project\IDM\Certifacate>keytool -genkey -alias idm -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore samlKeystore.p12 -validity 20
  • When prompted, specify a password for the samlKeystore.p12 file. Make a note of this password, which you will need to specify in .
  • When prompted for your first and last name, enter the fully qualified domain name (FQDN) of the IdM service host.
  • Make sure the CN value is the same as the FQDN.

Task 2: Import the ADFS certificate public key to samlKeystore.p12

  1. Run the following keytool command to import the ADFS certificate public key into the samlKeystore.p12 file:

    keytool -import -alias <certificate alias> -file <path for ADFS certificate>\<certificate name>.cer -keystore <samlKeystore.p12 path>

    For example:

    C:\Project\IDM\Certifacate>keytool -import -alias asfscer -file Per_ADFS.cer -keystore samlKeystore.p12

    Note This example assumes the ADFS certificate file (Per_ADFS.cer) and the samlKeystore.p12 file are in the same folder.

    When prompted, enter the password that you specified previously for the samlKeystore.p12 file.

  2. Copy the samlKeystore.p12 file to the <idm-service>\WEB-INF\classes\security folder.

    Note You will need to specify this file path in Task 8: Update applicationContext.properties file.

Task 3: Import the ADFS certificate public key to the IdM server trust store

To enable the IdM server to trust the clients (that is, the SM web tier, SRC, and Mobility Client) and the identity provider (Microsoft ADFS), you need to create an IdM server trust store, which must contain the public keys of all IdM client certificates and the ADFS certificate.

When configuring FIPS mode for the SM Server, you generated a trusted clients keystore for the SM Server (for example, trustedclients.p12), which contains the public keys of the SM web tier, SRC, and Mobility Client. For this reason, you can use this keystore as the IdM server trust store and only need to import the public key of the ADFS certificate into it.

To import the ADFS certificate's public key, run the following command:

keytool -import -keystore <SM Server trusted clients keystore> -file <ADFS CA certificate> -alias <ADFS CA certificate alias> -storepass <SM Server trusted clients keystore password> -trustcacerts

For example:

keytool -import -keystore trustedclients.p12 -file Per_ADFS.cer -alias adfs_ca -storepass trustedclients -trustcacerts

Note Later, you will need to specify the trusted clients keystore in the sslTruststore parameter in the idm-security.properties file. For details, see Task 7: Update the idm-security.properties file.
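A quick way to confirm the result of Tasks 1 to 3 before moving on is to run keytool -list against the trust store and check the listing. The script below is an added example and not part of the Service Manager documentation: it parses a constructed sample of keytool -list output and verifies that the store is PKCS12 and that the ADFS entry (alias adfs_ca, as in the example above) is a trusted certificate entry next to the client entries; the client aliases webtier and src are assumptions, since the page does not name them.

```python
import re

# Constructed sample of `keytool -list -keystore trustedclients.p12 -storetype PKCS12`
# output; the aliases follow Task 3, dates and fingerprints are made up.
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

adfs_ca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
webtier, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11
src, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22
"""

# One keystore entry line looks like "<alias>, <date>, <entry kind>,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), .*?, (?P<kind>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),?\s*$")

def parse_listing(text):
    """Return (store type, {alias: entry kind}) from keytool -list output."""
    store_type, entries = None, {}
    for line in text.splitlines():
        if line.startswith("Keystore type:"):
            store_type = line.split(":", 1)[1].strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("alias").strip()] = m.group("kind")
    return store_type, entries

def check_trust_store(text, adfs_alias, client_aliases):
    """Return the deviations from Task 3; an empty list means the trust store is ready."""
    store_type, entries = parse_listing(text)
    problems = []
    if store_type != "PKCS12":
        problems.append(f"store type is {store_type}; FIPS mode requires PKCS12")
    kind = entries.get(adfs_alias)
    if kind is None:
        problems.append(f"ADFS alias {adfs_alias!r} missing; the keytool -import step did not take effect")
    elif kind != "trustedCertEntry":
        problems.append(f"{adfs_alias!r} is a {kind}; expected a trustedCertEntry (public key only)")
    problems += [f"client alias {a!r} missing from trust store" for a in client_aliases if a not in entries]
    return problems
```

Run keytool -list on the real trustedclients.p12, feed its output to check_trust_store with the aliases you chose, and resolve every reported problem before Task 7 points sslTruststore at the file.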

Task 4: Generate a symmetric key

In this task, you will generate a symmetric key file, which will be used for encrypting IdM sensitive data in FIPS mode.

Tip For information on how to encrypt IdM data in FIPS mode, see Task 11: Re-encrypt sensitive data for the entire IdM configuration.

  1. Generate an encryption keystore file in PKCS12 format.

    An encryption keystore file is a keystore file in .p12 format based on which the symmetric key will be generated.

    You can generate an encryption keystore by running the following command:

    keytool -genkey -alias <keystore alias> -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore <keystore location>\<Keystore name>.p12 -validity <validity period>

    Tip Alternatively, you can use an existing keystore such as the IdM client keystore that you have generated (see Prerequisites).

  2. Generate a smKey.dat file.
    1. Change directory to the <IDM service>\WEB-INF\lib directory.

      For example:

      cd C:\Tomcat\tomcat_9443\webapps\idm-service\WEB-INF\lib
    2. Run the following command to generate the symmetric key file (smKey.dat):

      java -cp "cryptoUtil-1.0.3.jar;jasypt-1.9.1.jar;commons-codec-1.7.jar;slf4j-log4j12-1.7.5.jar;slf4j-api-1.7.5.jar;log4j-1.2.17.jar" com.hp.ccue.crypto.util.App genAndEncKey  JsafeJCE <location of the encryption keystore file>.p12 <password of keystore file> <alias of keystore> <path of key file>.dat

      For example:

      java -cp "cryptoUtil-1.0.3.jar;jasypt-1.9.1.jar;commons-codec-1.7.jar;slf4j-log4j12-1.7.5.jar;slf4j-api-1.7.5.jar;log4j-1.2.17.jar" com.hp.ccue.crypto.util.App genAndEncKey  JsafeJCE C:\Project\IDM\Certifacate\sun-sun-idmservicehost.mycompany.net.p12 clientkeystore idmservicehost.mycompany.net c:/smKey.dat

      The following message is displayed:

      Generating symmetric key using AES algorithm

      The number of bytes in the key = 16.

  3. Verify that the smKey.dat file is generated in the specified folder.

  4. Create a pass.txt file to store the password of the encryption keystore file used to generate the symmetric key. The content of the pass.txt file is as follows:

    keystorePassword=<password>

    For example, if you used the sun-sun-idmservicehost.mycompany.net.p12 file with a password of clientkeystore, the content of the example pass.txt file should be:

    keystorePassword=clientkeystore

    Put the pass.txt file in a directory, which you will need to specify later in the <idm-service>\WEB-INF\classes\idm-security.properties file. See Task 7: Update the idm-security.properties file.

    For example:

    keystorePasswordFile=C:\Project\IDM\Certifacate\pass.txt

    Caution For security reasons, the pass.txt file is deleted at each startup of the IdM service. Keep a copy of this file somewhere else, and copy it back to the same directory every time before starting the IdM service. If this file is missing, the IdM service cannot be started.

Task 5: Enable FIPS mode in the applicationContext.xml file

  1. Open the <idm-service>\WEB-INF\spring\applicationContext.xml file in a text editor.
  2. Disable standard mode.
    1. Search for "START Standard Mode configuration" to locate the standard mode configuration section.

      <!-- START Standard Mode configuration-->
      ...
      
      <!-- END Standard Mode configuration-->
    2. Comment out this section.

  3. Enable FIPS mode.
    1. Search for "START FIPS Mode configuration" to locate the following FIPS mode configuration sections.

      <!-- START FIPS Mode configuration -->
          <!--
          <bean id="configurationEncryptor" class="com.hp.ccue.crypto.util.SecurityHelper" />
      
          <bean id="propertyConfigurer"
                 class="com.hp.ccue.identity.config.EncryptablePropertyPlaceholderConfigurer">
                 <constructor-arg ref="configurationEncryptor" />
                 <property name="locations">
                     <list>
                         <value>/WEB-INF/spring/applicationContext.properties</value>
                     </list>
                  </property>
          </bean>
           -->
       <!-- END FIPS Mode configuration -->
      ...
      <!-- START FIPS Mode Configuration -->
              <!--
              <property name="fipsEnabled" value="true" />
              -->
      <!-- END FIPS Mode Configuration -->
      ...
      <!-- START FIPS Mode Configuration -->
              <!--
              <property name="fipsEnabled" value="true" />
              -->
       <!-- END FIPS Mode Configuration -->
    2. Uncomment these FIPS mode configuration sections by removing the comment tags.

Task 6: Enable FIPS mode in applicationContext-security.xml file

  1. Open the <idm-service>\WEB-INF\spring\applicationContext-security.xml file in a text editor.
  2. Search for "START FIPS Mode Configuration" to locate the following section.

    <!-- START FIPS Mode Configuration -->
         <!--
            <property name="fipsEnabled" value="true" />
         -->
    <!-- END FIPS Mode Configuration -->
  3. Uncomment the following line by removing the comment tags.

    <property name="fipsEnabled" value="true" />

Task 7: Update the idm-security.properties file

  1. Open the <idm-service>\WEB-INF\classes\idm-security.properties file in a text editor.
  2. Configure the following parameters in the file.

    Key                    Value (Description)

    useExternalProvider    Set it to true (default).
    securityProviderName   Set it to JsafeJCE (default).
    keySize                Set it to 128 (default).
    keystore               Specify the encryption keystore location (see Task 4: Generate a symmetric key). For example:
                           C:\Project\IDM\Certifacate\sun-sun-idmservicehost.mycompany.net.p12
    keyAlias               Specify the encryption keystore alias (see Task 4: Generate a symmetric key). For example:
                           idmservicehost.mycompany.net
    keystorePasswordFile   Specify the path to the encryption keystore password file (see Task 4: Generate a symmetric key). For example:
                           C:\Project\IDM\Certifacate\pass.txt
    encryptedKeyFile       Specify the path to the symmetric key .dat file (see Task 4: Generate a symmetric key). For example:
                           C:\Project\IDM\Certifacate\smKey.dat
    sslTruststore          Specify the path to the IdM server trust store file. This can be the SM Server's trusted clients keystore file (see Task 3: Import the ADFS certificate public key to the IdM server trust store). For example:
                           C:\Project\IDM\Certifacate\trustedclients.p12
    sslTruststorePassword  Specify the password for the IdM server trust store file. For example:
                           trustedclients

Task 8: Update applicationContext.properties file

  1. Open the <idm-service>\WEB-INF\spring\applicationContext.properties file in a text editor.
  2. Configure the parameters as described in the following table.

    Parameter                              Description

    idm.saml.keystore.provider             Set it to JsafeJCE.
    idm.saml.keystore.type                 Set it to PKCS12.
    idm.saml.keystore                      Set it to the path of the samlKeystore.p12 file:
                                           classpath:security/samlKeystore.p12
                                           Note This file must be placed in the <idm-service>\WEB-INF\classes\security directory (see Task 1: Create a samlKeystore.p12 file).
    idm.saml.keystore.password             Set it to the password of the samlKeystore.p12 file. For example:
                                           1Qaz2wsx3edc
    idm.saml.keystore.defaultKey.name      Set it to the alias of the key in the samlKeystore.p12 file. For example:
                                           idm
    idm.saml.keystore.defaultKey.password  The password for the idm key in the samlKeystore.p12 file. Set it to the same value as the idm.saml.keystore.password parameter. For example:
                                           1Qaz2wsx3edc

Task 9: Update the hpssoConfig.xml file

  1. Open the <idm-service>\WEB-INF\hpssoConfig.xml file in a text editor.
  2. Comment out the following section.

    <crypto initString="Init string must be replaced for production" cipherType="symmetricBlockCipher" engineName="AES"
                        paddingMode="CBC" keySize="256" encodingMode="Base64Url" algorithmPaddingName="PKCS7Padding" checkIntegrity="disabled"
                        cryptoSource="lw" directKeyEncoded="false" directKeyEncoding="Hex" jcePbeAlgorithmName="PBEWithHmacSHA1"
                        jcePbeMacAlgorithmName="PBEWithHmacSHA1" macAlgorithmName="SHA1" macKeySize="256" macPbeCount="20" macType="hmac"
                        pbeCount="20" pbeDigestAlgorithm="SHA1"/>
  3. Insert the following section below the section that you commented out.

    <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
                                engineName="AES" paddingModeName="CBC" keySize="256"
                                pbeDigestAlgorithm="SHA1" encodingMode="Base64Url"
                                jcePBECryptoAlgorithm="AES" jcePbeMacAlgorithmName="AES"
                                macType="hmac"
                                macAlgorithmName="SHA1" directKeyEncoded="true" directKeyEncoding="Base64Url"
                                algorithmPaddingName="PKCS5Padding" jceProviderName="JsafeJCE" 
                                pbeCount="20" macKeySize="256" macPbeCount="20"
                                initString="rqa9mkdmfkvdvienfj4usldo9205mvid"></crypto> 
    

    Note The initString value here is only a sample value, which you need to change according to your own LW-SSO configuration. Make sure that IdM, the Service Manager Server, and other applications that participate in LW-SSO use the same initString value. In FIPS mode, the initString value must be 32 characters long and contain no spaces.

Task 10: Update the applicationContext-saml.xml file

  1. Open the <idm-service>\WEB-INF\spring\applicationContext-saml.xml file in a text editor.
  2. Comment out the following section.

    <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
          <property name="sslHostnameVerification" value="allowAll"/>
    </bean>
  3. Uncomment the following line by removing the comment tags.

    <!-- <constructor-arg type="java.lang.String" value="${idm.saml.keystore.provider}"/> -->

Task 11: Re-encrypt sensitive data for the entire IdM configuration

In this task, you will re-encrypt all keys and passwords of the IdM service, by using the symmetric key that you generated previously.

  1. Make a note of the following IdM passwords and keys.

    Location: <idm-service>\WEB-INF\classes\integrationusers.properties
      idmTransportUser=xxxxxx

    Location: <idm-service>\WEB-INF\spring\applicationContext.properties
      idm.encryptedSigningKey=xxxxxx
      idm.persistence.connection.password = xxxxxx
      idm.saml.keystore.password=xxxxxx
      idm.saml.keystore.defaultKey.name=xxxxxx
      idm.saml.keystore.defaultKey.password=xxxxxx

    Location: <idm-service>\WEB-INF\classes\idm-security.properties
      sslTruststorePassword=xxxxxx

  2. Change directory to <idm-service>\WEB-INF\lib.
  3. Run the following command to re-encrypt each password or key listed in the previous table:

    java -cp "cryptoUtil-1.0.3.jar;jasypt-1.9.1.jar;commons-codec-1.7.jar;slf4j-log4j12-1.7.5.jar;slf4j-api-1.7.5.jar;log4j-1.2.17.jar" com.hp.ccue.crypto.util.App encrypt <value> JsafeJCE <smKey.dat> <keySize>

    Where: <value> is the password or key to be encrypted; <keySize> is optional and can be omitted if you want to use the default key size of 128.

    For example:

    java -cp "cryptoUtil-1.0.3.jar;jasypt-1.9.1.jar;commons-codec-1.7.jar;slf4j-log4j12-1.7.5.jar;slf4j-api-1.7.5.jar;log4j-1.2.17.jar" com.hp.ccue.crypto.util.App encrypt 1Qaz2wsx3edc JsafeJCE C:\Project\IDM\Certifacate\smKey.dat 
  4. Copy the encrypted value back to the IdM configuration file to overwrite the original parameter value by using the following format:

    Parameter=ENC(encrypted value)

    Here are examples:

    idmTransportUser=ENC(0bEhLG0zDOdYBLf013p3Qfn66kNTMYvh)
    idm.encryptedSigningKey=ENC(0bEhLG0zDOdYBLf013p3Qfn66kNTMYvh)
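Once every value has been rewritten in the Parameter=ENC(encrypted value) form, it is worth auditing the configuration rather than trusting that no key was skipped. The script below is an added example, not part of the Service Manager documentation: find_plaintext checks that every key from the table in step 1 is present and wrapped in ENC(...), and check_init_string applies the Task 9 rule (32 characters, no spaces) to the active <crypto> element of hpssoConfig.xml while ignoring the commented-out one. The file contents are constructed samples that reuse the page's own example values; in practice read the real files from <idm-service>\WEB-INF.

```python
import re

# Sensitive keys per file under <idm-service>\WEB-INF, as listed in Task 11 step 1.
SENSITIVE_KEYS = {
    "classes/integrationusers.properties": ["idmTransportUser"],
    "spring/applicationContext.properties": [
        "idm.encryptedSigningKey", "idm.persistence.connection.password",
        "idm.saml.keystore.password", "idm.saml.keystore.defaultKey.name",
        "idm.saml.keystore.defaultKey.password"],
    "classes/idm-security.properties": ["sslTruststorePassword"],
}
ENC_RE = re.compile(r"^ENC\([A-Za-z0-9+/=]+\)$")    # Parameter=ENC(encrypted value), step 4
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)        # the <crypto> element commented out in Task 9
INIT_RE = re.compile(r'<crypto\b[^>]*\binitString="([^"]*)"')

def parse_properties(text):
    """Minimal key=value parser: skips comments, trims whitespace around '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def find_plaintext(files):
    """Return 'file:key' for every Task 11 key that is missing or not wrapped in ENC(...)."""
    findings = []
    for path, keys in SENSITIVE_KEYS.items():
        props = parse_properties(files.get(path, ""))
        for key in keys:
            value = props.get(key)
            if value is None or not ENC_RE.match(value):
                findings.append(f"{path}:{key}")
    return findings

def check_init_string(hpsso_xml):
    """Apply the Task 9 rule (32 characters, no spaces) to each active <crypto> initString."""
    active = COMMENT_RE.sub("", hpsso_xml)
    return [f"initString {v!r}: must be 32 characters with no spaces"
            for v in INIT_RE.findall(active) if len(v) != 32 or " " in v]

# Constructed sample files; the ENC(...) and initString values are the page's own samples.
ENC = "ENC(0bEhLG0zDOdYBLf013p3Qfn66kNTMYvh)"
SAMPLE_FILES = {
    "classes/integrationusers.properties": f"idmTransportUser={ENC}\n",
    "spring/applicationContext.properties": (
        f"idm.encryptedSigningKey={ENC}\n"
        f"idm.persistence.connection.password = {ENC}\n"
        "idm.saml.keystore.password=1Qaz2wsx3edc\n"   # still clear text: step 4 was skipped here
        f"idm.saml.keystore.defaultKey.name={ENC}\n"
        f"idm.saml.keystore.defaultKey.password={ENC}\n"),
    "classes/idm-security.properties": f"sslTruststorePassword={ENC}\n",
}
SAMPLE_HPSSO = (
    '<!-- <crypto initString="Init string must be replaced for production" cryptoSource="lw"/> -->\n'
    '<crypto cryptoSource="jce" jceProviderName="JsafeJCE"\n'
    '        initString="rqa9mkdmfkvdvienfj4usldo9205mvid"></crypto>\n')
```

On the sample data find_plaintext reports only idm.saml.keystore.password, the one value left in clear text, and check_init_string returns no problems for the 32-character initString.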

Task 12: Configure the IdM clients to use a .p12 trust store

In FIPS mode, all Service Manager certificates, including the IdM client truststore, must be in PKCS 12 (.p12) format. In this task, you need to create an IdM trust keystore in .p12 format and configure this trust keystore and its passwords on each client side.

  1. Run the following command to generate a .p12 keystore file:

    keytool -genkey -alias <keystore alias> -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore <keystore location>\<keystore name>.p12 -validity <validity period>

    For example:

    keytool -genkey -alias idmclienttrust -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore C:\idm\idmcacerts.p12 -validity 365
  2. Import the IdM server's public key into the keystore.

    To do this, run the following command:

    keytool -import -alias <idm server keystore alias> -file <idm server certificate> -keystore <keystore name> -storepass <keystore password> -trustcacerts

    Where: <keystore name> and <keystore password> represent the keystore generated in the previous step and its password.

    For example:

    keytool -import -alias tomcat -file tomcat.cer -keystore idmcacerts.p12 -storepass tomcat1 -trustcacerts
  3. Copy the keystore (for example, idmcacerts.p12) to each client (the SM web tier, SRC, and Mobility Client). The keystore is now the trust store for each IdM client.

  4. Configure the Service Manager web tier, SRC, and Mobility Client to set the idm.truststore parameter to the .p12 truststore generated in the previous step.

    Component: Web tier, Mobility Client
    Configuration file: WEB-INF/webtier.properties
    Description: For example:
      Windows system:
      idm.truststore=/WEB-INF/idmcacerts.p12
      Linux system:
      idm.truststore=/home/srcfips/cert/idmcacerts.p12

    Component: SRC
    Configuration file: WEB-INF/classes/applicationContext.properties
    Description: For example:
      Windows system:
      idm.truststore=C:\\cert\\idmcacerts.p12
      Linux system:
      idm.truststore=/home/srcfips/cert/idmcacerts.p12