FIPS mode
FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within U.S. non-military government agencies and by U.S. government contractors and vendors who work with the agencies.
FIPS 140-2, “Security Requirements for Cryptographic Modules,” was issued by the U.S. National Institute of Standards and Technology (NIST) in May, 2001. The standard specifies the security requirements for cryptographic modules utilized within a security system that protects sensitive or valuable data.
For FIPS 140-2 compliance, Service Manager (SM) supports the implementation of FIPS validated AES-256 data encryption, TLS connections and Lightweight Single Sign-On (LW-SSO), and FIPS compliant random number generation algorithms.
Note Prior to version 9.50, Service Manager supported only FIPS 140-2 compliant data encryption. For backward compatibility, the legacy FIPS mode configuration is still supported. For details about the legacy FIPS mode configuration, see Configure legacy FIPS mode in Service Manager.
The following table describes two operation modes of the Service Manager server and clients.
Operation mode | Description | Notes |
---|---|---|
FIPS mode (FIPS 140-2 compliant mode) | Supports FIPS 140-2 compliant cryptographic functions. | Both OpenJDK JRE and Oracle JRE are supported for Service Manager. However, Service Manager does not support enabling FIPS mode with OpenJDK. If you want to enable FIPS mode for Service Manager, use Oracle JRE or IBM JRE with Service Manager. |
Non-FIPS mode (Non-FIPS 140-2 compliant mode) | Utilizes existing cryptography without the 3rd-party FIPS 140-2 validated cryptographic modules. | |
In FIPS mode, Service Manager supports the same authentication methods as in non-FIPS mode. See the following table.
Authentication mechanism | Windows Client | Web Client | Mobility Client | SRC |
---|---|---|---|---|
Password-based mechanism (local and LDAP) | Yes | Yes | Yes | Yes |
Trusted Sign-On (TSO) | Yes | Yes | Yes | Yes |
LW-SSO | No | Yes | Yes | Yes |
X.509 certificate authentication (CAC) | No | Yes | No | Yes |
SAML SSO | No | Yes | Yes | Yes |
Chat Server | No | Yes | No | No |
Chat Service | No | Yes | No | No |
FIPS validated AES-256 data encryption
Starting with version 9.32, Service Manager (SM) supports the implementation of FIPS validated AES-256 data encryption for encrypted fields in the Service Manager database.
Note If FIPS mode is enabled, the encrypted fields cannot be retrieved through the legacy listener.
FIPS validated TLS connections
Starting with version 9.41p3, Service Manager supports the implementation of FIPS validated TLS connections, managed by a FIPS validated cryptographic provider. The following table describes the cryptographic providers that Service Manager uses in FIPS mode.
- To enable FIPS mode in Service Manager, all truststore files and keystore files must use PKCS12 format.
- The IBM® Java™ JCE (Java Cryptographic Extension) FIPS Provider (IBMJCEFIPS) is used instead for any of the following components:
  - The SM Web Tier and Mobility Client when deployed on WebSphere Application Server
  For more information, visit the IBM support website.
- SM Smart Analytics uses an OEM-licensed version of Micro Focus IDOL, which does not support FIPS mode. For this reason, it is impossible to implement FIPS validated TLS connections between the SM Server and the IDOL Server; however, when the SM Server is running in FIPS mode, the IDOL Server can still connect to SM through standard SSL and Smart Analytics can still work correctly.
TLS connections between | Cryptographic provider |
---|---|
SM Server and any of the following components: | RSA BSAFE Crypto-J |
SM Server and Solr Search Engine (Note: The SM Server connects to the Solr search server through TLS connections using the HTTPS protocol; however, when performing searching and indexing, the Solr search server receives requests from an HTTPS port and distributes the requests to the shards with the HTTP protocol.) | RSA BSAFE Crypto-J |
SRC and Solr Search Engine | RSA BSAFE Crypto-J |
SM Server and LDAP/Directory Services Server | OpenSSL FIPS Object Module |
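The PKCS12 requirement above is easy to miss when keystores have been carried over from older installs, because the JKS and PKCS12 formats share the same file extensions. The following added check (not part of the Service Manager documentation or product) classifies keystore and truststore files by their leading bytes so that non-PKCS12 files can be found before FIPS mode is switched on; the JKS/JCEKS magic numbers and the PKCS #12 DER header are the public format definitions, and the sample byte strings are constructed.

```python
import struct

# Magic numbers of the Java keystore formats that FIPS mode does not accept.
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE


def _der_len(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, next_pos) or (None, None)."""
    if pos >= len(buf):
        return None, None
    first = buf[pos]
    if first < 0x80:                      # short form: single-byte length
        return first, pos + 1
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or pos + 1 + n > len(buf):  # indefinite length is not valid DER
        return None, None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def keystore_format(head: bytes) -> str:
    """Return 'PKCS12', 'JKS', 'JCEKS' or 'unknown' from the first bytes of a file."""
    if len(head) >= 4:
        magic = struct.unpack(">I", head[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    # A PKCS #12 PFX is DER-encoded: SEQUENCE { INTEGER version (always 3), ... }
    if head[:1] != b"\x30":
        return "unknown"
    _, pos = _der_len(head, 1)
    if pos is None:
        return "unknown"
    if head[pos:pos + 3] == b"\x02\x01\x03":
        return "PKCS12"
    return "unknown"


def non_pkcs12_files(paths):
    """Return the given keystore/truststore paths that are not PKCS12 (they block FIPS mode)."""
    blocking = []
    for path in paths:
        with open(path, "rb") as f:
            head = f.read(16)             # the header is enough to classify the format
        if keystore_format(head) != "PKCS12":
            blocking.append(path)
    return blocking


# Constructed sample headers (not real keystores), used for the checks below.
SAMPLE_PKCS12 = b"\x30\x82\x0a\x1b\x02\x01\x03\x30\x82"
SAMPLE_JKS = b"\xfe\xed\xfe\xed\x00\x00\x00\x02"
```

Run `non_pkcs12_files()` over every truststore and keystore path referenced by the SM Server, Web Tier, Mobility Client, SRC and chat components; an empty result means the PKCS12 prerequisite is met.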
Service Manager provides a set of parameters or options that determine whether the SM Server and other components are running in FIPS mode. See the following table.
Component | Parameter or option | Description |
---|---|---|
SM Server | fipsmode | Must be set to one of the following values to indicate whether the SM Server runs in FIPS mode: |
Windows Client | The FIPS Mode checkbox in the Preferences window | Determines whether the Windows Client runs in FIPS mode: |
Web Tier | The "fipsMode" parameter in the <Web Tier>/WEB-INF/webtier.properties file | Must be set to one of the following values to indicate whether the Web Tier runs in FIPS mode: |
Mobility Client | The "fipsMode" parameter in the <Mobility Client>/WEB-INF/webtier.properties file | Must be set to one of the following values to indicate whether the Mobility Client runs in FIPS mode: |
Service Request Catalog (SRC) | Two parameters in the applicationContext.property file, which is located in the <SRC .war file>/WEB-INF/classes folder: | Both parameters do not exist in the out-of-box version of this file. To enable FIPS mode, you must manually add them and set them to "pkcs12": |
Chat Server | The "fipsmode" parameter in the <Openfire_home>/conf/openfire.xml file | Must be set to true or false to indicate whether the Chat Server runs in FIPS mode: |
Chat Service | The securityConfig.fipsmode parameter in the <chat service>\conf\app.properties file | Must be set to true or false to indicate whether the Chat Service runs in FIPS mode: |
FIPS validated LW-SSO
Service Manager 9.41p3 also adds support for FIPS validated LW-SSO. When FIPS mode is enabled on the Service Manager Server side, you have the option to enable an LW-SSO framework that is implemented by using a FIPS 140-2 validated security provider, such as the JsafeJCE provider or IBMJCEFIPS provider.
The LW-SSO configuration file (lwssofmconf.xml) in each of the following components has been updated to support LW-SSO in FIPS mode:
- SM Server
- Web Tier
- Mobility Client
- SRC
- Chat Server
- Chat Service
- Micro Focus Identity Manager (IdM) service
FIPS compliant random number generation algorithms
When running in FIPS mode, Service Manager uses FIPS compliant random number generation algorithms, as described in the following table.
Component | Random number generation algorithm |
---|---|
SM Server | Uses RAND_bytes in OpenSSL. |
Windows Client | Is hardcoded to use HMACDRBG. |
Web Tier, or Mobility Client | |
SRC or Solr Search Engine | |
Chat Server or Chat Service | Uses HMACDRBG256 by default when deployed with Oracle JRE. You can configure the JRE’s java.security file to use another FIPS compliant algorithm. |