
Configuring CCM on a FIPS System

Overview

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government certification standard for use in computer systems. To enable this mode in an operating system, refer to your operating system documentation.

This section provides details on how to configure FIPS in the context of the CCM server.

You can choose to configure FIPS in a CCM server using one of two methods.

  • Option 1: Install CCM with FIPS Support on a FIPS Enabled System

    (or)

  • Option 2: Enable FIPS on an Existing CCM Server

Option 1: Install CCM with FIPS Support on a FIPS Enabled System

To install CCM on a system that already has FIPS enabled, follow this process.

  1. Install CCM (see CCM (Required) for procedural details).

    This installation step is the only additional step and the only difference between the two options.

  2. Edit the NSS configuration.

    vi $JAVA_HOME/jre/lib/security/nss.cfg
    # Change the entries to:
    
    name = NSS
    nssLibraryDirectory = /usr/lib64/
    nssSecmodDirectory = /usr/local/osmosix/nss
    nssModule = fips
  3. Execute the following commands to create the NSS database and validate its creation.

    Contact the CloudCenter Support team to obtain the password.

    mkdir -p /usr/local/osmosix/nss
    cd /usr/local/osmosix/nss
    
    certutil -N -d .
    
    modutil -fips true -dbdir .
    certutil -L -d .
  4. Add an entry in the mgmtserver.conf file.

    vi /usr/local/osmosix/conf/mgmtserver.conf
    
    # Add the following entry after the JAVA_OPTS line
    export SPRING_PROFILES_ACTIVE=encryption_nss_fips
  5. Restart the CCM server.

    root> systemctl stop ccm
    root> systemctl start ccm
  6. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

    See Admin Users for additional context on this user.


    1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

    2. Log in using the default SysAdmin credentials provided by the CloudCenter Support team.

    3. Navigate to the Crypto Services accordion.

    4. Click Change Password.

    5. Enter the new password provided by the CloudCenter Support team.

    6. Log out as SysAdmin.

    7. Log in to CCM as a tenant admin.


Option 2: Enable FIPS on an Existing CCM Server

Verify that you have already configured your OS to enable FIPS as per your OS documentation.

To enable FIPS on an existing CCM server, follow this process.

  1. Edit the NSS configuration.

    vi $JAVA_HOME/jre/lib/security/nss.cfg
    # Change the entries to:
    
    name = NSS
    nssLibraryDirectory = /usr/lib64/
    nssSecmodDirectory = /usr/local/osmosix/nss
    nssModule = fips
  2. Execute the following commands to create the NSS database and validate its creation.

    Contact the CloudCenter Support team to obtain the password.

    mkdir -p /usr/local/osmosix/nss
    cd /usr/local/osmosix/nss
    
    certutil -N -d .
    
    modutil -fips true -dbdir .
    certutil -L -d .
  3. Add an entry in the mgmtserver.conf file.

    vi /usr/local/osmosix/conf/mgmtserver.conf
    
    # Add the following entry after the JAVA_OPTS line
    export SPRING_PROFILES_ACTIVE=encryption_nss_fips
  4. Restart the CCM server.

    root> systemctl stop ccm
    root> systemctl start ccm
  5. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

    See Admin Users for additional context on this user.


    1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

    2. Log in using the default SysAdmin credentials provided by the CloudCenter Support team.

    3. Navigate to the Crypto Services section.

    4. Click Change Password.

    5. Enter the new password provided by the CloudCenter Support team.

    6. Log out as SysAdmin.

    7. Log in to CCM as a tenant admin.

    You have now configured FIPS in a CCM server.
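
The script below is an added example, not part of the original page or of Cisco's tooling: a read-only check of what the configuration steps in Option 1 and Option 2 should leave behind (the nss.cfg entries, an NSS database in FIPS mode, and the Spring profile export). The function names and the /proc/sys/crypto/fips_enabled check (Linux hosts only) are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco code: read-only checks for the FIPS steps above.

# has_setting FILE KEY VALUE: succeeds if the last uncommented "KEY = ..." is VALUE.
has_setting() {
    awk -F'=' -v k="$2" -v v="$3" '
        /^[ \t]*#/ { next }
        { key = $1; val = $2
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) found = (val == v) }
        END { exit(found ? 0 : 1) }' "$1"
}

# nss.cfg must carry the four entries the page lists.
check_nss_cfg() {
    has_setting "$1" name NSS &&
    has_setting "$1" nssLibraryDirectory /usr/lib64/ &&
    has_setting "$1" nssSecmodDirectory /usr/local/osmosix/nss &&
    has_setting "$1" nssModule fips
}

# mgmtserver.conf must export the profile on an uncommented line.
check_profile() {
    grep -Eq '^[[:space:]]*export[[:space:]]+SPRING_PROFILES_ACTIVE=encryption_nss_fips[[:space:]]*$' "$1"
}

# NSS database must report FIPS mode (modutil -chkfips; relies on its exit status).
check_fips_db() {
    modutil -chkfips true -dbdir "$1" >/dev/null 2>&1
}

# Assumption: Linux host, where the kernel exposes its FIPS flag in /proc.
check_os_fips() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# report NSS_CFG MGMT_CONF NSS_DB_DIR: one line per check; returns the failure count.
# Paths are word-split, so they must not contain spaces.
report() {
    fails=0
    for c in "check_os_fips" "check_nss_cfg $1" "check_profile $2" "check_fips_db $3"; do
        if $c; then echo "OK   $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

if [ "$#" -eq 3 ]; then report "$@"; fi
```

Run it as root with three arguments: the nss.cfg path, /usr/local/osmosix/conf/mgmtserver.conf and /usr/local/osmosix/nss. The exit status is the number of failed checks.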

© 2017-2019 Cisco Systems, Inc. All rights reserved