Sys Maintenance: FIPS Support

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 13, 2017.
Version 10

NetWitness Suite 11.0 ships with FIPS 140-2 validated cryptographic modules that support all cryptographic operations within NetWitness Suite. NetWitness Suite leverages two modules that support a Level 3 design assurance:

  • RSA BSAFE Crypto-J
  • OpenSSL with BSAFE (OWB)

Both modules have been certified with an operational environment comparable to the standard NetWitness Suite configuration.

By default, the cryptographic modules enforce the usage of FIPS-certified cipher suites wherever possible. For exceptions, refer to the information below and to the release notes. For additional information about the FIPS modules, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

The RSA BSAFE Crypto-J FIPS Certificate number is 2468, and the OWB FIPS Certificate is included in the RSA BSAFE Crypto-C Micro Edition with certificate number 2300.

In 11.0.0.0, FIPS is enabled on all services except Log Collector. This includes Log Decoder and Decoder if they were FIPS-enabled in 10.6.4.x. FIPS cannot be disabled on any services except for Log Collector, Log Decoder and Decoder.

Note: For a fresh installation of 11.0.0.0, by default, all core services will be FIPS enforced except Log Collector and Log Decoder. FIPS cannot be disabled on any services except for Log Collector, Log Decoder and Packet Decoder.

Note: For upgrades to 11.0.0.0 from 10.6.4.x, the following conditions apply for the Log Collector, Log Decoder and Decoder services:
- Log Collector is not FIPS enabled after upgrading to 11.0.0.0, even if FIPS was enabled in 10.6.4.x. You must enable FIPS support after upgrading to 11.0.0.0. See the instructions in FIPS support for Log Collectors.
- If FIPS was enabled for the Log Decoder and Packet Decoder services in 10.6.4.x, FIPS will also be enabled in 11.0.0.0. However, if Log Decoder and Packet Decoder were NOT FIPS enabled in 10.6.4.x, they will not be enabled in 11.0.0.0, and you can manually enable FIPS for these services if required. See the instructions in FIPS support for Log Decoders and Decoders.

FIPS support for Log Collectors

To enable FIPS for Log Collectors:

  1. Stop the Log Collector service.
  2. Open the /etc/systemd/system/nwlogcollector.service.d/nwlogcollector-opts-managed.conf file.
  3. Change the value of the following variable to off as described here:
    Environment="OWB_ALLOW_NON_FIPS=on"
    to
    Environment="OWB_ALLOW_NON_FIPS=off"
  4. Reload the system daemon by running the following command:
    systemctl daemon-reload
  5. Restart the Log Collector service.
  6. Set the FIPS mode for the Log Collector service in the UI:

    Note: This step is not required if you are upgrading from 10.6.4 to 11.0.0.0 and FIPS was enabled in 10.6.4.

    1. Go to ADMIN > Services.
    2. Select the Log Collector service and go to View > Config.
    3. In SSL FIPS Mode, select the checkbox under Config Value and click Apply.
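
Steps 2 through 4 of the procedure above, as an added shell example that is not RSA's own tooling. The drop-in path and the OWB_ALLOW_NON_FIPS variable are taken from the procedure; the function names, the unit name nwlogcollector (inferred from the drop-in directory nwlogcollector.service.d) and the sample file built in demo() are this example's own assumptions. demo() exercises the edit on a constructed copy so the logic can be checked without a NetWitness host; apply_on_host() is the real sequence and is not invoked here.

```shell
#!/bin/sh
# Added example, not RSA's own script: flips OWB_ALLOW_NON_FIPS from on to off in
# the Log Collector systemd drop-in and verifies the result before daemon-reload.
# The path and variable name come from the procedure; everything else is assumed.

DROPIN=/etc/systemd/system/nwlogcollector.service.d/nwlogcollector-opts-managed.conf

# Exit status 0 when the drop-in enforces FIPS (OWB_ALLOW_NON_FIPS=off), 1 otherwise.
fips_enforced() {
    grep -q '^Environment="OWB_ALLOW_NON_FIPS=off"$' "$1"
}

# Rewrite OWB_ALLOW_NON_FIPS=on to off, keeping a .bak copy of the original file.
# Returns 0 only if the file enforces FIPS afterwards (also true if it already did).
enforce_fips() {
    f="$1"
    cp "$f" "$f.bak"
    tmp="$f.tmp.$$"
    sed 's/^Environment="OWB_ALLOW_NON_FIPS=on"$/Environment="OWB_ALLOW_NON_FIPS=off"/' "$f" > "$tmp"
    mv "$tmp" "$f"
    fips_enforced "$f"
}

# Full sequence on a real appliance (needs root). Unit name is an assumption
# derived from the drop-in directory nwlogcollector.service.d. Not run by demo().
apply_on_host() {
    systemctl stop nwlogcollector
    enforce_fips "$DROPIN"
    systemctl daemon-reload
    systemctl start nwlogcollector
}

# Offline demonstration on a constructed copy of the drop-in.
demo() {
    d=$(mktemp -d)
    sample="$d/nwlogcollector-opts-managed.conf"
    # Constructed sample: only the Environment line is from the procedure; the
    # [Service] section header is assumed.
    printf '[Service]\nEnvironment="OWB_ALLOW_NON_FIPS=on"\n' > "$sample"
    if fips_enforced "$sample"; then echo "before: FIPS enforced"; else echo "before: non-FIPS ciphers allowed"; fi
    enforce_fips "$sample"
    if fips_enforced "$sample"; then echo "after: FIPS enforced"; else echo "after: non-FIPS ciphers allowed"; fi
    rm -rf "$d"
}

demo
```

After the file edit, systemctl daemon-reload is what makes systemd re-read the drop-in; the service only picks up the new environment when it is restarted, which is why the procedure restarts the Log Collector before setting SSL FIPS Mode in the UI.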

FIPS support for Log Decoders and Decoders

To enable FIPS for Log Decoders and Decoders that did not have FIPS enabled in 10.6.4.x:

  1. Go to ADMIN > Services and select a Log Decoder or Packet Decoder service.
  2. Select View > Config, and in System Configuration, enable SSL FIPS Mode by selecting the check box in the Config Value column.
  3. Restart the service.
  4. Click Apply.