Sys Maintenance: Activate or Deactivate FIPS

Document created by RSA Information Design and Development on Mar 22, 2017. Last modified by RSA Information Design and Development on Aug 1, 2017. Version 8.

This topic describes how to activate and deactivate Federal Information Processing Standards (FIPS).

Important Notes on FIPS

When you run the FIPS enable or disable script on the Security Analytics Application host, it enables or disables FIPS for every service that uses the BSAFE security library, both on the Security Analytics Application host and on all connected hosts that use the BSAFE security library.

When running Security Analytics in FIPS mode, private keys and certificates must meet the following requirements:

  1. Minimum key sizes for signing and authentication:
    1. RSA, DSA: 2048-bit keys or larger
    2. ECDSA: 224-bit keys or larger (FIPS 186-4 recommends particular EC curves)
  2. Minimum key sizes for verification (legacy use only):
    1. RSA, DSA: 1024-bit keys or larger
    2. ECDSA: 160-bit keys or larger
  3. SHA-1 signatures can be verified, but not created.
  4. SHA-256 signatures can be verified and created.
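The key-size and hash rules above are easiest to apply against the text that `openssl x509 -noout -text` prints for a certificate. The audit script below is an added example and is not part of the RSA guide: it assumes the OpenSSL 1.0.x text layout (a `Public Key Algorithm:` line, a `Public-Key: (N bit)` line and a `Signature Algorithm:` line), and the function names are my own. It grades a certificate as OK (meets the signing and authentication minimums), WARN (verify-only legacy key size, or a SHA-1 signature that can be verified but not created) or FAIL (below the verification minimum, or a hash such as MD5 that FIPS mode does not allow).

```shell
#!/bin/sh
# Added example, not from the RSA guide: grade a certificate against the
# FIPS-mode key-size and signature-hash rules listed above.
# Input is the text form of a certificate, produced with
#   openssl x509 -in server.pem -noout -text > server.txt
# Exit status: 0 = OK, 1 = WARN (verify-only / legacy), 2 = FAIL.

# Public key algorithm as openssl prints it:
# rsaEncryption, dsaEncryption or id-ecPublicKey.
cert_key_algo() {
    case "$(grep 'Public Key Algorithm:' "$1" | head -n 1)" in
        *rsaEncryption*)  echo RSA ;;
        *dsaEncryption*)  echo DSA ;;
        *id-ecPublicKey*) echo ECDSA ;;
        *)                echo UNKNOWN ;;
    esac
}

# Key size in bits from the "Public-Key: (2048 bit)" line.
cert_key_bits() {
    grep 'Public-Key:' "$1" | head -n 1 | sed 's/.*(\([0-9][0-9]*\) bit).*/\1/'
}

# Hash of the signature algorithm, lower-cased:
# sha256WithRSAEncryption -> sha256, ecdsa-with-SHA1 -> sha1,
# md5WithRSAEncryption -> md5.
cert_sig_hash() {
    grep 'Signature Algorithm:' "$1" | head -n 1 | tr 'A-Z' 'a-z' \
        | grep -o -E 'sha[0-9]+|md5' | head -n 1
}

# Usage: fips_cert_audit server.txt
fips_cert_audit() {
    f=$1
    algo=$(cert_key_algo "$f")
    bits=$(cert_key_bits "$f")
    hash=$(cert_sig_hash "$f")
    case "$algo" in
        RSA|DSA) sign_min=2048; verify_min=1024 ;;
        ECDSA)   sign_min=224;  verify_min=160 ;;
        *)       echo "FAIL: unrecognised public key algorithm"; return 2 ;;
    esac
    case "$bits" in
        ''|*[!0-9]*) echo "FAIL: could not read the key size"; return 2 ;;
    esac
    if [ "$bits" -lt "$verify_min" ]; then
        echo "FAIL: $algo $bits-bit key is below the $verify_min-bit verification minimum"
        return 2
    fi
    rc=0
    if [ "$bits" -lt "$sign_min" ]; then
        echo "WARN: $algo $bits-bit key is verify-only (legacy); $sign_min bits are needed to sign or authenticate"
        rc=1
    fi
    case "$hash" in
        sha256|sha384|sha512) ;;
        sha1) echo "WARN: SHA-1 signature can be verified but not created; reissue with SHA-256"; rc=1 ;;
        *)    echo "FAIL: signature hash '$hash' is not usable in FIPS mode"; return 2 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: $algo $bits-bit key, $hash signature"
    fi
    return "$rc"
}
```

Run it over every certificate and CA file a BSAFE service will load before enabling FIPS; a WARN for a SHA-1 signed certificate means existing connections will still verify, but the host cannot issue or renew such a signature once FIPS is on.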

If FIPS is enabled and you plan to add an SFTP destination that uses SSH key-based access, first configure the SSH keys as described in the Warehouse Connector Configuration Guide, then convert the private key to PKCS#8 format by completing the following steps before you add the destination.

  1. SSH to the Warehouse Connector host.
  2. Run the following commands:

    cd /root/.ssh/
    mv id_dsa id_dsa.old
    openssl pkcs8 -topk8 -v2 des3 -in id_dsa.old -out id_dsa

    You are prompted for the old pass phrase (to read id_dsa.old) and for a new pass phrase (to encrypt the converted key). The conversion rewrites the key in PKCS#8 format with PBES2/PBKDF2 key derivation; the traditional OpenSSL PEM format derives its encryption key with MD5, which is not a FIPS-approved algorithm.

  3. Enter the old and new pass phrase.
  4. Run the following command so that only root can read the converted key:

    chmod 600 id_dsa
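The sequence above overwrites id_dsa in one shot. The wrapper below is an added example (not from the RSA guide) that checks the key's PEM header first, refuses to overwrite a key that is already in PKCS#8 form or an existing .old backup, restores the original if openssl fails, and confirms the result. It needs the openssl command-line tool; the function names and the format labels it prints are my own. A key in the newer OpenSSH-native format (BEGIN OPENSSH PRIVATE KEY) cannot be read by openssl pkcs8, so the wrapper stops rather than destroy it.

```shell
#!/bin/sh
# Added example, not from the RSA guide: a guarded version of the id_dsa
# conversion above. Requires the openssl command-line tool.

# Classify a private key file by its PEM header.
ssh_key_format() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" 2>/dev/null; then
        echo pkcs8-encrypted          # what the conversion must produce
    elif grep -q 'BEGIN PRIVATE KEY' "$1" 2>/dev/null; then
        echo pkcs8-plain              # unencrypted PKCS#8; openssl pkcs8 can encrypt it
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" 2>/dev/null; then
        echo openssh                  # newer ssh-keygen format; openssl pkcs8 cannot read it
    elif grep -q 'Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null; then
        echo traditional-encrypted    # legacy PEM, encryption key derived with MD5
    elif grep -q 'BEGIN [A-Z]* PRIVATE KEY' "$1" 2>/dev/null; then
        echo traditional-plain        # legacy PEM, e.g. BEGIN DSA PRIVATE KEY
    else
        echo unknown
    fi
}

# Convert a key in place (default /root/.ssh/id_dsa), keeping the original
# as <key>.old. openssl prompts for the existing pass phrase, if any, and
# then for a new one.
convert_key_to_pkcs8() {
    key=${1:-/root/.ssh/id_dsa}
    fmt=$(ssh_key_format "$key")
    case "$fmt" in
        pkcs8-encrypted)
            echo "$key is already PKCS#8 encrypted; nothing to do"
            return 0 ;;
        pkcs8-plain|traditional-encrypted|traditional-plain)
            ;;
        *)
            echo "$key is in '$fmt' format; openssl pkcs8 cannot convert it" >&2
            return 1 ;;
    esac
    if [ -e "$key.old" ]; then
        echo "$key.old already exists; refusing to overwrite a previous backup" >&2
        return 1
    fi
    mv "$key" "$key.old"
    # -v2 des3 selects PBES2 with PBKDF2, replacing the legacy MD5-based scheme.
    if ! openssl pkcs8 -topk8 -v2 des3 -in "$key.old" -out "$key"; then
        mv "$key.old" "$key"
        echo "conversion failed; original key restored" >&2
        return 1
    fi
    chmod 600 "$key"
    if [ "$(ssh_key_format "$key")" != pkcs8-encrypted ]; then
        echo "unexpected output format after conversion; check $key" >&2
        return 1
    fi
    echo "converted $key (backup in $key.old)"
}
```

Usage on the Warehouse Connector host is `convert_key_to_pkcs8 /root/.ssh/id_dsa`; once the SFTP destination works, delete id_dsa.old so the MD5-protected copy of the key does not linger on disk.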

The following sections tell you how to activate, deactivate, or verify FIPS.

Activate, Verify or Deactivate FIPS Using BSAFE 

This section tells you how to activate, verify, or deactivate FIPS using BSAFE for the Security Analytics Application host and all services that use the BSAFE security library.

Activate FIPS Using BSAFE for the Security Analytics Application Host 

To activate FIPS for the Security Analytics Application host using the BSAFE security library:

  1. SSH in to the Application host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:

    ./FIPSEnable.sh

    The script runs ONLY on the Security Analytics Application host. The ./FIPSEnable.sh script:

    • Activates FIPS on all the services using the BSAFE security library that are provisioned to the Security Analytics Application host.
    • Restarts services on the Security Analytics Application host and all other hosts.

    For example, Malware Analysis, Event Stream Analysis (ESA), and Security Analytics core hosts (Broker, Concentrator, Decoder, Log Decoder, and so on) are provisioned to the Security Analytics Application host. When you run ./FIPSEnable.sh on the Security Analytics Application host, it activates FIPS for the services running on the Security Analytics Application host (Reporting Engine and Incident Management) and instructs Context Hub, ESA, and the services running on other hosts to run in FIPS mode.

    After the script completes successfully, it automatically restarts services on the Security Analytics Application, ESA, and Malware Analysis hosts. Allow some time for the services to restart.

  3. Reboot hosts.

    RSA recommends that you reboot all hosts running BSAFE services that are connected to the Security Analytics Application host, non-Security Analytics Application hosts first. For example, if you have a Malware Analysis host and a Security Analytics Application host, reboot the Malware Analysis host first and then reboot the Security Analytics Application host.

    Note: To activate or deactivate FIPS for the IPDB Extractor and Broker services that are running on the Security Analytics Application host, use the ./NwFIPSEnable.sh or ./NwFIPSDisable.sh script.

Activate FIPS Using BSAFE for Services

Use these steps to activate FIPS using BSAFE on each service host for the following services:

  • Broker
  • Concentrator
  • Decoder
  • Log Decoder
  • Warehouse Connector
  • IPDB Extractor
  • Log Collector (both Local and Remote Collectors)
  • Archiver
  • Workbench

To activate FIPS using BSAFE for these services, on each service host:

  1. SSH into the service host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:
    ./NwFIPSEnable.sh
  3. Log on to Security Analytics and go to Administration > Services.
  4. Select the service.
    Do this for each of the services listed above: Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
  5. Click the Actions icon and select View > Config.
  6. In the General tab, select the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.
  7. In the Appliance Service Configuration tab, select the SSL FIPS Mode checkbox and click Apply.
  8. Reboot the host. Do this for every host that runs one of the services listed above (Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector, Archiver, and Workbench).

Verify That FIPS Is Activated for Services using BSAFE

To verify that FIPS is activated for services using the BSAFE security library:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the service. The services that you need to select are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
  3. Under Actions, select View > Config.

    The General tab of the Configuration view is displayed.

  4. In the System Configuration panel, make sure that the SSL FIPS Mode parameter is checked.


Verify That FIPS Is Activated for the Reporting Engine on the Application Host

To verify that FIPS using BSAFE is activated for the Reporting Engine:

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the Reporting Engine service.
  3. Click the Actions icon and select View > Explore.
  4. Go to com.rsa.soc.re > Configuration > ServerConfiguration > serverConfiguration.
  5. Make sure that the FIPSEnabled parameter is set to true.


Verify that FIPS is Activated for Event Stream Analysis

To verify that FIPS using BSAFE is activated for Event Stream Analysis (ESA):

  1. Log on to Security Analytics and go to Administration > Services.
  2. Select the ESA service.
  3. Click the Actions icon and select View > Explore.
  4. Go to Service > Status > service.
  5. Make sure that the FIPSModeOn parameter is set to true.


Verify That FIPS Is Activated for Malware Analysis

To verify that FIPS using BSAFE is activated for Malware Analysis, run the following command on the host that runs Malware Analysis:

grep FIPS /etc/alternatives/jre/lib/security/java.security

The command returns the following line when FIPS is activated for Malware Analysis:

com.rsa.cryptoj.fips140initialmode=FIPS140_MODE

Verify that FIPS Is Activated for Incident Management

To verify that FIPS is activated for Incident Management, run the following command on the Security Analytics Application host:

grep FIPS /opt/rsa/im/logs/im.log

The command returns a line like the following when FIPS is activated for Incident Management:

[WrapperSimpleAppMain] INFO com.rsa.smc.im.ServiceInitializer - Running in FIPS mode
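Both greps above match any line containing the string FIPS, so they also print a commented-out property, a NON_FIPS140_MODE value, or an old "Running in FIPS mode" entry that im.log kept from a start before FIPS was switched off. The functions below are an added example and are not part of the RSA guide: they return the effective java.security value (last uncommented assignment, as the Java properties loader resolves it) and look only at the most recent matching im.log line, optionally ignoring lines older than a timestamp. The timestamp filter assumes im.log lines begin with a YYYY-MM-DD HH:MM:SS stamp, which the sample line in this topic does not show; the function names and the constructed sample files in the usage are my own. Run the java.security check on the host that runs Malware Analysis and the im.log check on the Security Analytics Application host.

```shell
#!/bin/sh
# Added example, not from the RSA guide: stricter forms of the two FIPS
# verification greps above, with the default paths from this topic.

# Effective value of com.rsa.cryptoj.fips140initialmode in a java.security
# file: comment lines are dropped and the last assignment wins, as the Java
# properties loader does. Prints nothing if the property is not set.
java_security_fips_mode() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep 'com\.rsa\.cryptoj\.fips140initialmode[[:space:]]*=' \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeeds only if the most recent ServiceInitializer line mentioning FIPS
# is the "Running in FIPS mode" message. An optional second argument
# "YYYY-MM-DD HH:MM:SS" ignores older lines (assumes that timestamp prefix
# on each line), so the check covers only the start after the last change.
im_log_fips_enabled() {
    log=$1
    since=${2:-}
    last=$(awk -v since="$since" 'since == "" || substr($0, 1, 19) >= since' "$log" \
        | grep 'ServiceInitializer' | grep 'FIPS' | tail -n 1)
    case "$last" in
        *'ServiceInitializer - Running in FIPS mode') return 0 ;;
        *) return 1 ;;
    esac
}

# Report both checks; exit status is non-zero if either one fails.
# Usage: fips_status_report [java.security path] [im.log path] [since]
fips_status_report() {
    js=${1:-/etc/alternatives/jre/lib/security/java.security}
    log=${2:-/opt/rsa/im/logs/im.log}
    since=${3:-}
    rc=0
    mode=$(java_security_fips_mode "$js")
    if [ "$mode" = FIPS140_MODE ]; then
        echo "java.security: fips140initialmode=FIPS140_MODE"
    else
        echo "java.security: fips140initialmode='$mode' (expected FIPS140_MODE)"
        rc=1
    fi
    if im_log_fips_enabled "$log" "$since"; then
        echo "im.log: Incident Management is running in FIPS mode"
    else
        echo "im.log: no current 'Running in FIPS mode' entry"
        rc=1
    fi
    return "$rc"
}
```

After running FIPSEnable.sh and restarting, pass the restart time as the third argument (for example `fips_status_report "" "" "2017-08-01 09:00:00"`) so that an entry from an earlier start cannot satisfy the check.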

Deactivate FIPS Using BSAFE for the Security Analytics Application Host

To deactivate FIPS using BSAFE for the Security Analytics Application host:

  1. SSH into the Security Analytics Application host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:

    ./FIPSEnable.sh false

  3. Reboot the hosts. RSA recommends that you reboot all hosts that are connected to the Security Analytics Application host, non-Application hosts first. For example, if you have a Malware Analysis host and a Security Analytics Application host, reboot the Malware Analysis host first and then reboot the Security Analytics Application host.

Deactivate FIPS Using BSAFE for Services 

Use these steps to deactivate FIPS using BSAFE on each service host for the following services:

  • Broker
  • Concentrator
  • Decoder
  • Log Decoder
  • Warehouse Connector
  • IPDB Extractor
  • Log Collector (both Local and Remote Collectors)
  • Archiver
  • Workbench

To deactivate FIPS using BSAFE for these services, on each service host:

  1. SSH into the service host with root permissions.
  2. Navigate to the /etc/puppet/scripts directory and run the following command:
    ./NwFIPSDisable.sh
  3. Log on to Security Analytics and go to Administration > Services.
  4. Select the service.
    Do this for each of the services listed above: Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.
  5. Click the Actions icon and select View > Config.
  6. In the General tab, deselect the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.
  7. In the Appliance Service Configuration tab, deselect the SSL FIPS Mode checkbox and click Apply.
  8. Reboot the host. Do this for every host that runs one of the services listed above (Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector, Archiver, and Workbench).
