Sys Maintenance: Activate or Deactivate FIPS

Document created by RSA Information Design and Development on May 12, 2016. Last modified by RSA Information Design and Development on May 12, 2016.
Version 2

This topic tells how to activate and deactivate Federal Information Processing Standards (FIPS). The method you use to activate or deactivate FIPS depends on the type of security library used by your Security Analytics services. Your Security Analytics services can use either the OpenSSL or BSAFE security library.

                 
Services | Security Library
Application host, Context Hub, Event Stream Analysis (ESA), Incident Management, Malware Analysis, and Reporting Engine | BSAFE
Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (Local and Remote Collectors), Archiver, and Workbench | OpenSSL

Important Notes on FIPS

  • When you run the FIPS Enable/Disable script on the Application host, it enables or disables FIPS for all services that use the BSAFE security library, both on the Application host and on all connected hosts that use the BSAFE security library.
  • If FIPS is enabled, you must complete the following steps after the SSH keys are configured as described in the Warehouse Connector Configuration Guide and before you add an SFTP destination that uses SSH key-based access:
  1. SSH to the Warehouse Connector host.
  2. Submit the following commands:

    cd /root/.ssh/
    mv id_dsa id_dsa.old
    openssl pkcs8 -topk8 -v2 des3 -in id_dsa.old -out id_dsa

    You are prompted for the old and new pass phrase.

  3. Enter the old and new pass phrase.
  4. Submit the following command:

    chmod 600 id_dsa
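
A check you can run after step 4, shown as an added example that is not part of the RSA documentation: with -topk8, openssl writes the key in PKCS#8 form, so a converted, pass-phrase-protected key begins with the ENCRYPTED PRIVATE KEY header instead of the DSA PRIVATE KEY header. The function names are hypothetical, and the sample files are constructed header-only stand-ins, not real keys.

```shell
#!/bin/sh
# Added example (not RSA's script): check the result of the id_dsa conversion.

# Print the container format of a PEM private key, judged from its header lines.
key_format() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    case $(head -n 1 "$1" | tr -d '\r') in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8-unencrypted" ;;
        "-----BEGIN DSA PRIVATE KEY-----")
            # The traditional format marks pass-phrase protection in its second line.
            if sed -n '2p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "traditional-encrypted"
            else
                echo "traditional-unencrypted"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Succeed only if the key is pass-phrase-protected PKCS#8 and its mode is 600.
key_ready() {
    [ "$(key_format "$1")" = "pkcs8-encrypted" ] || return 1
    # The first ten characters of ls -l are the mode string; 600 is -rw-------.
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed header-only files (not real keys) standing in for id_dsa.old and id_dsa.
dir=$(mktemp -d)
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$dir/id_dsa.old"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$dir/id_dsa"
chmod 600 "$dir/id_dsa"
for f in id_dsa.old id_dsa; do
    if key_ready "$dir/$f"; then verdict="ready"; else verdict="not ready"; fi
    echo "$f: $(key_format "$dir/$f") ($verdict)"
done
rm -rf "$dir"
```

On the Warehouse Connector host, call key_ready /root/.ssh/id_dsa instead of using the constructed files.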

The following sections tell you how to activate, deactivate, or verify FIPS.

Activate, Verify or Deactivate FIPS Using BSAFE 

This section tells you how to activate, verify, or deactivate FIPS using BSAFE for the Application host and all services that use BSAFE security library.

Activate FIPS Using BSAFE for Application Host and All Services Using BSAFE Security Library

To activate FIPS using BSAFE for the Application host and all services using BSAFE security library:

  1. SSH in to the Application host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:

    ./FIPSEnable.sh

    The script ONLY runs on the Application host. The ./FIPSEnable.sh script:

    • Activates FIPS on all the services using BSAFE security library that are provisioned to the Application host.
    • Restarts services on the Application host and all other hosts.
    • For example: Malware Analysis, Event Stream Analysis (ESA), and Security Analytics core hosts (Broker, Concentrator, Decoder and Log Decoder, and so on) are provisioned to the Application host. When you run the ./FIPSEnable.sh script on the Application host, it activates FIPS for services (Reporting Engine and Incident Management) running on the Application host and instructs Context Hub, ESA, and services running on other hosts to run in FIPS mode.

      After successful execution of the script, the script automatically restarts services on the Application, ESA, and Malware hosts. Allow some time for the services to restart.

  3. Reboot hosts.

    RSA recommends that you reboot all the services using BSAFE that are connected to the Application host, starting with the non-Application hosts. For example, if you have a Malware Analysis host and an Application host, reboot the Malware Analysis host first and then reboot the Application host.

    Note: To activate or deactivate FIPS for the IPDB Extractor and Broker services running on the Application host, use the scripts you used for OpenSSL (that is ./NwFIPSEnable.sh or ./NwFIPSDisable.sh).

Verify That FIPS Is Activated for Reporting Engine on the Application Host

To verify that FIPS using BSAFE is activated for the Reporting Engine:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the Reporting Engine service.
  3. Go to com.rsa.soc.re > Configuration > ServerConfiguration > serverConfiguration.
  4. Make sure that the FIPSEnabled parameter is set to true.

Verify That FIPS Is Activated for ESA

To verify that FIPS using BSAFE is activated for the ESA:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the ESA service.
  3. Click the Actions icon under Actions and select View > Explore.
  4. Go to Service > Status > service.
  5. Make sure that the FIPSModeOn parameter is set to true.

Verify That FIPS Is Activated for Malware Analysis

To verify that FIPS using BSAFE is activated for Malware Analysis, execute the following command string:

    cat /etc/alternatives/jre/lib/security/java.security | grep FIPS

The command string returns the following output when FIPS is activated for Malware Analysis:

    com.rsa.cryptoj.fips140initialmode=FIPS140_MODE

Verify That FIPS Is Activated for Incident Management

To verify that FIPS is activated for Incident Management, execute the following command string:

    cat /opt/rsa/im/logs/im.log | grep FIPS

The command string returns the following output when FIPS is activated for Incident Management:

    [WrapperSimpleAppMain] INFO com.rsa.smc.im.ServiceInitializer - Running in FIPS mode
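
A stricter form of the two grep checks above for Malware Analysis and Incident Management, as an added example that is not RSA's code: grep FIPS also matches a commented-out property line or any other value that contains "FIPS", so this version compares the active property value exactly. The function names and the sample file are constructed for illustration; the default paths and expected strings are the ones quoted above.

```shell
#!/bin/sh
# Added example (not RSA's script): stricter forms of the two grep checks.

# Exit 0 only if the active Crypto-J property is exactly FIPS140_MODE; 2 if unreadable.
java_security_fips() {
    file=${1:-/etc/alternatives/jre/lib/security/java.security}
    [ -r "$file" ] || return 2
    # Skip commented lines; the last assignment wins when a property is repeated.
    value=$(sed -n 's/^[[:space:]]*com\.rsa\.cryptoj\.fips140initialmode[[:space:]]*=[[:space:]]*//p' \
        "$file" | tail -n 1 | tr -d '[:space:]')
    [ "$value" = "FIPS140_MODE" ]
}

# Exit 0 if im.log holds the startup message quoted on this page; 2 if unreadable.
im_log_fips() {
    file=${1:-/opt/rsa/im/logs/im.log}
    [ -r "$file" ] || return 2
    grep -q 'com\.rsa\.smc\.im\.ServiceInitializer - Running in FIPS mode' "$file"
}

# Run a check and print one word for its result.
status_word() {
    rc=0
    "$@" || rc=$?
    case $rc in
        0) echo "FIPS" ;;
        2) echo "unreadable" ;;
        *) echo "not-FIPS" ;;
    esac
}

# Constructed sample: the FIPS line is commented out and another value is active.
# "grep FIPS" matches both lines, so it cannot tell this file from an activated one.
sample=$(mktemp)
printf '%s\n' \
    '#com.rsa.cryptoj.fips140initialmode=FIPS140_MODE' \
    'com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE' > "$sample"
echo "constructed sample: $(status_word java_security_fips "$sample")"
rm -f "$sample"

# Checks against the default paths; "unreadable" means the file is not on this host.
echo "java.security:      $(status_word java_security_fips)"
echo "im.log:             $(status_word im_log_fips)"
```

A match in im.log shows that the message was written at some point; if the file spans earlier starts, check that the matching line belongs to the most recent one.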

Deactivate FIPS Using BSAFE for Application Host and All Services Using BSAFE Security Library

To deactivate FIPS using BSAFE for the Application host:

  1. SSH in to the Application host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:

    ./FIPSEnable.sh false

  3. Reboot the host. RSA recommends that you reboot all hosts that are connected to the Application host, starting with the non-Application hosts. For example, if you have a Malware Analysis host and an Application host, reboot the Malware Analysis host first and then reboot the Application host.

Activate, Verify, or Deactivate FIPS Using OpenSSL

This section tells you how to activate, verify, or deactivate FIPS using OpenSSL for the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

Activate FIPS Using OpenSSL

To activate FIPS using OpenSSL:

  1. Download openssl-1.0.0-20.el6_2.5.x86_64.rpm to a local directory. You can download either:

    • openssl-1.0.0-20.el6_2.5.x86_64.rpm directly from the CentOS repo, or
    • SA-10.6.0.0-UpdatePack-EL6.zip, which contains openssl-1.0.0-20.el6_2.5.x86_64.rpm, from Download Central (https://download.rsasecurity.com/).
  2. SSH to each of the hosts that use OpenSSL for FIPS with root permissions.
  3. Copy the openssl-1.0.0-20.el6_2.5.x86_64.rpm to each of the hosts that use OpenSSL for FIPS under the root directory before running the script to activate FIPS.
  4. Activate FIPS in Security Analytics v10.6.

    1. Navigate to the /etc/puppet/scripts directory and run the following command:

      ./NwFIPSEnable.sh

    2. Log on to Security Analytics and go to Administration > Services.
    3. Select the service. The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.

    4. Click the Actions menu icon under Actions and select View > Config.
    5. In the General tab, select the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.

    6. In the Appliance Service Configuration tab, select the SSL FIPS Mode checkbox and click Apply.

    7. Reboot the host. The hosts you need to reboot are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

Deactivate FIPS Using OpenSSL

To deactivate FIPS using OpenSSL:

  1. SSH in to each of the hosts that are FIPS activated using OpenSSL with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:

    ./NwFIPSDisable.sh

  3. Log on to Security Analytics and select Administration > Services.
  4. Select the service. The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.

  5. Click the Actions menu icon under Actions and select View > Config.
  6. In the General tab, deselect the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.

  7. In the Appliance Service Configuration tab, deselect the SSL FIPS Mode checkbox and click Apply.

  8. Reboot the host. The hosts that you need to reboot are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

Verify That FIPS Is Activated for Services using OpenSSL Security Library

To verify that FIPS is activated for services using OpenSSL security library:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the service. The services that you need to select are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
  3. Under Actions, select View > Config.

    The General tab of the Configuration view is displayed.

  4. In the System Configuration panel, make sure that the SSL FIPS Mode parameter is checked.
