SysMaint: Procedures for Activating, Deactivating, and Verifying FIPS

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by Susan Ewald on Nov 1, 2016.
Version 3

This topic contains the procedures for activating, deactivating, and verifying Federal Information Processing Standards (FIPS).

Use this section when you are looking for instructions on how to activate, deactivate, or verify:

  1. FIPS using BSAFE
    Enable, verify, or disable FIPS using BSAFE for the Security Analytics host and all services that use the BSAFE Security library.
  2. FIPS using OpenSSL
    Enable, verify, or disable FIPS using OpenSSL for the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

FIPS Using BSAFE 

This section tells you how to enable, verify, or disable FIPS using BSAFE for the Security Analytics host and all services that use the BSAFE security library (Reporting Engine, Incident Management, Event Stream Analysis, and Malware Analysis services).

Enable FIPS Using BSAFE for Security Analytics Host and All Services Using BSAFE Security Library

To enable FIPS using BSAFE for the Security Analytics host and all services using the BSAFE security library:

  1. SSH in to the Security Analytics host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:
    ./FIPSEnable.sh
    The script runs ONLY on the Security Analytics host. The ./FIPSEnable.sh script:

    • Enables FIPS on all the services using the BSAFE security library that are provisioned to the Security Analytics host.
    • Restarts services on the Security Analytics host and all other hosts.

      For example: Malware Analysis, Event Stream Analysis (ESA), and Security Analytics core host (Broker, Concentrator, Decoder and Log Decoder, etc.) are provisioned to the Security Analytics host. When you run the ./FIPSEnable.sh script on the Security Analytics host, it instructs Malware Analysis and ESA services running on other hosts to run in FIPS mode.

    After successful execution of the script, the script automatically restarts services on the Security Analytics, ESA, and Malware hosts. Allow some time for the services to restart.

    RSA recommends that you reboot all hosts that are connected to the Security Analytics host starting with the non-Security Analytics hosts first. For example, if you have a Malware Analysis host and a Security Analytics host, reboot the Malware Analysis host first and then reboot the Security Analytics host.
  3. Reboot the host.

    Note: To enable or disable FIPS for the IPDB Extractor running on the Security Analytics host, use the scripts you used for OpenSSL (that is, ./NwFIPSEnable.sh or ./NwFIPSDisable.sh).

Verify That FIPS Is Enabled for Reporting Engine on the Security Analytics Host

To verify that FIPS using BSAFE is enabled for the Reporting Engine:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the Reporting Engine service.
  3. Click the Actions icon under Actions and select View > Explore.
  4. Go to com.rsa.soc.re > Configuration > ServerConfiguration > serverConfiguration.
  5. Make sure that the FIPSEnabled parameter is set to true.

Verify That FIPS Is Enabled for ESA

To verify that FIPS using BSAFE is enabled for the ESA:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the ESA service.
  3. Click the Actions icon under Actions and select View > Explore.
  4. Go to Service > Status > service.
  5. Make sure that the FIPSModeOn parameter is set to true.

Verify That FIPS Is Enabled for Malware Analysis

To verify that FIPS using BSAFE is enabled for Malware Analysis, execute the following command string:

cat /etc/alternatives/jre/lib/security/java.security | grep FIPS

The command string returns the following output when FIPS is enabled for Malware Analysis:

com.rsa.cryptoj.fips140initialmode=FIPS140_MODE

Verify That FIPS Is Enabled for Incident Management

To verify that FIPS is enabled for Incident Management, execute the following command string:

cat /opt/rsa/im/logs/im.log | grep FIPS

The command string returns the following output when FIPS is enabled for Incident Management:

[WrapperSimpleAppMain] INFO com.rsa.smc.im.ServiceInitializer - Running in FIPS mode
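
A stricter form of the Malware Analysis and Incident Management checks above, as an added example that is not RSA's own code: a commented-out property line still matches grep FIPS, and im.log can still hold the message from an earlier start. The function names are hypothetical; the paths and strings are the ones given on this page.

```shell
#!/bin/sh
# Added example (not RSA code). Paths and strings are the ones on this page;
# the function names are hypothetical.
JAVA_SECURITY=/etc/alternatives/jre/lib/security/java.security
IM_LOG=/opt/rsa/im/logs/im.log

# Print the effective value of com.rsa.cryptoj.fips140initialmode in a
# java.security file. Comment lines (# or !) are skipped and the last
# assignment wins, as in any Java properties file. Prints nothing if unset.
cryptoj_initial_mode() {
    awk '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^com\.rsa\.cryptoj\.fips140initialmode[ \t]*[=:][ \t]*/)) {
                val = substr(line, RLENGTH + 1)
                sub(/[ \t\r]+$/, "", val)
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Succeed only when the active (uncommented) value is FIPS140_MODE.
malware_fips_enabled() {
    [ "$(cryptoj_initial_mode "$1")" = "FIPS140_MODE" ]
}

# Print the most recent "Running in FIPS mode" entry, prefixed with its line
# number, so it can be compared with the time of the last service restart.
im_last_fips_line() {
    grep -n 'ServiceInitializer - Running in FIPS mode' "$1" | tail -n 1
}

# Check the live files only when the script is given the argument: check
if [ "${1:-}" = "check" ]; then
    if malware_fips_enabled "$JAVA_SECURITY"; then
        echo "Malware Analysis: FIPS140_MODE is active"
    else
        echo "Malware Analysis: FIPS140_MODE is NOT active"
    fi
    im_last_fips_line "$IM_LOG"
fi
```
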

Disable FIPS Using BSAFE for Security Analytics Host and All Services Using BSAFE Security Library

To disable FIPS using BSAFE for the Security Analytics host:

  1. SSH in to the Security Analytics host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:
    ./FIPSEnable.sh false
  3. Reboot the host. RSA recommends that you reboot all hosts that are connected to the Security Analytics host starting with the non-Security Analytics hosts first. For example, if you have a Malware Analysis host and a Security Analytics host, reboot the Malware Analysis host first and then reboot the Security Analytics host.

Enable, Verify, or Disable FIPS Using OpenSSL

This section tells you how to enable, verify, or disable FIPS using OpenSSL for the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

Enable FIPS Using OpenSSL

To enable FIPS using OpenSSL:

  1. Download the openssl-1.0.0-20.el6_2.5.x86_64.rpm to a local directory. You can download the:
  2. SSH in to the Security Analytics host with root permissions.
  3. Copy openssl-1.0.0-20.el6_2.5.x86_64.rpm onto the host under the root directory before running the script to enable FIPS.
  4. Enable FIPS in Security Analytics v10.5.0.1.
    This step has two sections: complete the first if you are upgrading FIPS to 10.5.0.1 (you had FIPS activated in 10.4.x), and the second if you are activating FIPS for the first time.
    • Upgrade FIPS to Security Analytics v10.5.0.1 (you had FIPS activated in 10.4.x):
      1. Run the following command string:
        yum install rsa-sa-sshconfig* -y
      2. Navigate to the /etc/puppet/scripts directory and run the following command:
        ./NwFIPSEnable.sh
      3. Log on to Security Analytics and go to Administration > Services.
      4. Select the service. The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
      5. Click the Actions menu under Actions and select View > Config.
      6. In the General tab, select the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.
      7. In the Appliance Service Configuration tab, select the SSL FIPS Mode checkbox and click Apply.
      8. Reboot the host. The hosts you need to reboot are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

    • Activate FIPS for the first time in Security Analytics v10.5.0.1:
      1. Navigate to the /etc/puppet/scripts directory and run the following command:
        ./NwFIPSEnable.sh
      2. Log on to Security Analytics and go to Administration > Services.
      3. Select the service.
        The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
      4. Click the Actions menu under Actions and select View > Config.
      5. In the General tab, select the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.
      6. In the Appliance Service Configuration tab, select the SSL FIPS Mode checkbox and click Apply.
      7. Reboot the host. The hosts you need to reboot are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

Disable FIPS Using OpenSSL

To disable FIPS using OpenSSL:

  1. SSH in to the Security Analytics host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:
    ./NwFIPSDisable.sh
  3. Log on to Security Analytics and select Administration > Services.
  4. Select the service. The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
  5. Click the Actions menu under Actions and select View > Config.
  6. In the General tab, deselect the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.
  7. In the Appliance Service Configuration tab, deselect the SSL FIPS Mode checkbox and click Apply.
  8. Reboot the host. The hosts that you need to reboot are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

Verify That FIPS Is Enabled for Services using OpenSSL Security Library

To verify that FIPS is enabled for services using the OpenSSL security library:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the service. The services that you need to select are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
  3. Under Actions, select View > Config.
    The General tab of the Configuration view is displayed.
  4. In the System Configuration panel, make sure that the SSL FIPS Mode parameter is checked.
