NetWitness Platform 11.x ships with FIPS 140-2 validated cryptographic modules that support all cryptographic operations within NetWitness Platform. NetWitness Platform leverages two modules that support a level three design assurance:
- RSA BSAFE Crypto-J
- OpenSSL with BSAFE (OWB)
Both modules have been certified with an operational environment comparable to the standard NetWitness Platform configuration.
By default, the cryptographic modules enforce the usage of FIPS-certified cipher suites wherever possible. For exceptions, refer to the information below and to the release notes. For additional information about the FIPS modules, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
The RSA BSAFE Crypto-J FIPS certificate number is 2468. The OWB FIPS certificate is included in the RSA BSAFE Crypto-C Micro Edition, with certificate number 2300.
In 11.x, FIPS is enabled on all services except Log Collector. This includes Log Decoder and Decoder if they were FIPS-enabled in 10.6.x or any previous version. FIPS cannot be disabled on any services except for Log Collector, Log Decoder and Decoder.
To enable FIPS for Log Collectors:
- Stop the Log Collector service.
- Open the /etc/systemd/system/nwlogcollector.service.d/nwlogcollector-opts-managed.conf file.
- Change the value of the following variable to off as described here:
- Reload the system daemon by running the following command:
- Restart the Log Collector service.
- Set the FIPS mode for the Log Collector service in the UI:
  - Go to ADMIN > Services.
  - Select the Log Collector service and go to View > Config.
  - In SSL FIPS Mode, select the checkbox under Config Value and click Apply.
To enable FIPS for Log Decoders and Decoders that did not have FIPS enabled in 10.6.x:
- Go to ADMIN > Services and select a Log Decoder or Network Decoder service.
- Select View > Config, and in System Configuration, enable SSL FIPS Mode by selecting the checkbox in the Config Value column.
- Restart the service.
- Click Apply.