Configuring CCM on a FIPS System

Overview

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government certification standard for cryptographic modules used in computer systems. To enable FIPS mode in an operating system, refer to your operating system documentation.

To configure FIPS support on the CCM, you must satisfy two conditions:

  • Enable FIPS at the OS level on the CCM
  • Use a brand new CloudCenter environment – You cannot enable FIPS support on an existing CloudCenter environment.

This section provides details on how to configure FIPS in the context of the CCM server.

You can choose to configure FIPS in a CCM server using one of two methods.

  • Option 1: Install CCM with FIPS Support on a FIPS Enabled System

    (or)

  • Option 2: Enable FIPS on an Existing CCM Server

Option 1: Install CCM with FIPS Support on a FIPS Enabled System

To install CCM on a system that already has FIPS enabled, follow this process.

  1. Verify that FIPS is enabled at the OS level by running the following command.

    sysctl crypto.fips_enabled
    
    # The response to this command should return 1
  2. Install CCM (see CCM (Required) for procedural details).

    This is the only additional step, and the only difference between the two options.

  3. Edit the NSS configuration.

    vi $JAVA_HOME/jre/lib/security/nss.cfg
    Change the entries to
    
    name = NSS
    nssLibraryDirectory = /usr/lib64/
    nssSecmodDirectory = /usr/local/osmosix/nss
    nssModule = fips
  4. Execute the following commands to create the NSS database and validate that it was created.

    When you run certutil, it prompts you for a new password. You can only use the specific password provided by Cisco. Contact the CloudCenter Support team to obtain the password.

    mkdir -p /usr/local/osmosix/nss
    cd /usr/local/osmosix/nss
    
    certutil -N -d .
    
    modutil -fips true -dbdir .
    certutil -L -d .
  5. Ensure that the NSS database folder is owned by the cliqruser account.

    chown -R cliqruser:cliqruser /usr/local/osmosix/nss
  6. Add an entry in the mgmtserver.conf file.

    vi /usr/local/osmosix/conf/mgmtserver.conf
    
    #Add the following entry after JAVA_OPTS line
    export SPRING_PROFILES_ACTIVE=encryption_nss_fips
  7. Restart the CCM server.

    root> systemctl stop ccm
    root> systemctl start ccm
  8. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

    See Admin Users for additional context on this user.


    1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

    2. Login using the default SysAdmin credentials provided by the CloudCenter Support team.

    3. Navigate to the Crypto Services accordion.

    4. Click Change Password.

    5. Enter the new password provided by the CloudCenter Support team.

    6. Logout as SysAdmin.

    7. Login to CCM as a tenant admin.

  9. Each time you restart the CCM service, you must repeat the steps where you log in as SysAdmin and enter the Crypto Services password before you can log in as tenant admin.

You have now configured FIPS in a CCM server using the Option 1 method.

Option 2: Enable FIPS on an Existing CCM Server

Verify that you have already configured your OS to enable FIPS as per your OS documentation.

To enable FIPS on an existing CCM server, follow this process.

  1. Verify that FIPS is enabled at the OS level by running the following command.

    sysctl crypto.fips_enabled
    
    # The response to this command should return 1
  2. Edit the NSS configuration.

    vi $JAVA_HOME/jre/lib/security/nss.cfg
    Change the entries to
    
    name = NSS
    nssLibraryDirectory = /usr/lib64/
    nssSecmodDirectory = /usr/local/osmosix/nss
    nssModule = fips
  3. Execute the following commands to create the NSS database and validate that it was created.

    When you run certutil, it prompts you for a new password. You can only use the specific password provided by Cisco. Contact the CloudCenter Support team to obtain the password.

    mkdir -p /usr/local/osmosix/nss
    cd /usr/local/osmosix/nss
    
    certutil -N -d .
    
    modutil -fips true -dbdir .
    certutil -L -d .
  4. Ensure that the NSS database folder is owned by the cliqruser account.

    chown -R cliqruser:cliqruser /usr/local/osmosix/nss
  5. Add an entry in the mgmtserver.conf file.

    vi /usr/local/osmosix/conf/mgmtserver.conf
    
    #Add the following entry after JAVA_OPTS line
    export SPRING_PROFILES_ACTIVE=encryption_nss_fips
  6. Restart the CCM server.

    root> systemctl stop ccm
    root> systemctl start ccm
  7. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

    See Admin Users for additional context on this user.


    1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

    2. Login using the default SysAdmin credentials provided by the CloudCenter Support team.

    3. Navigate to the Crypto Services section.

    4. Click Change Password.

    5. Enter the new password provided by the CloudCenter Support team.

    6. Logout as SysAdmin.

    7. Login to CCM as a tenant admin.

  8. Each time you restart the CCM service, you must repeat the steps where you log in as SysAdmin and enter the Crypto Services password before you can log in as tenant admin.

You have now configured FIPS in a CCM server using the Option 2 method.
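The NSS and mgmtserver.conf steps are identical in Option 1 and Option 2, so the following script collects them into reusable functions. This is an added example, not Cisco's own tooling: the paths, the nss.cfg entries and the SPRING_PROFILES_ACTIVE value are taken from the procedure above, while the function names, the RUN_FIPS_SETUP guard variable and the use of a certutil password file (instead of the interactive prompt) are assumptions made here. The edit of mgmtserver.conf is idempotent, so re-running the script after a restart does not add a second export line.

```shell
#!/bin/sh
# Added example: helper functions for enabling FIPS on a CCM server.
# Paths and values come from the CloudCenter procedure; function names and the
# password-file handling are assumptions, not part of the product's own scripts.
set -eu

NSS_DIR=/usr/local/osmosix/nss
MGMT_CONF=/usr/local/osmosix/conf/mgmtserver.conf
NSS_CFG="${JAVA_HOME:-/usr/java/default}/jre/lib/security/nss.cfg"
PROFILE_LINE='export SPRING_PROFILES_ACTIVE=encryption_nss_fips'

# Step 1: the kernel must report crypto.fips_enabled = 1. The value is passed
# in as an argument so the check can be exercised without a FIPS host.
check_fips_value() {
    [ "${1:-0}" = "1" ]
}

fips_enabled() {
    check_fips_value "$(sysctl -n crypto.fips_enabled 2>/dev/null || echo 0)"
}

# Edit the NSS configuration: emit the four entries the procedure specifies.
render_nss_cfg() {
    printf '%s\n' \
        'name = NSS' \
        'nssLibraryDirectory = /usr/lib64/' \
        "nssSecmodDirectory = $NSS_DIR" \
        'nssModule = fips'
}

# Create the NSS database, switch the module to FIPS mode, list it, and fix
# ownership. $1 is a file holding the Cisco-provided password (assumption:
# certutil -f reads it instead of prompting). Runs in a subshell so the cd
# does not leak into the caller.
create_nss_db() {
    pwfile=$1
    mkdir -p "$NSS_DIR"
    (
        cd "$NSS_DIR"
        certutil -N -d . -f "$pwfile"
        modutil -fips true -dbdir . -force
        certutil -L -d .
    )
    chown -R cliqruser:cliqruser "$NSS_DIR"
}

# Insert the Spring profile export after the first JAVA_OPTS line, exactly
# once. If the file has no JAVA_OPTS line the export is appended at the end.
add_spring_profile() {
    file=$1
    if grep -qF "$PROFILE_LINE" "$file"; then
        return 0
    fi
    awk -v line="$PROFILE_LINE" '
        { print }
        !done && /JAVA_OPTS/ { print line; done = 1 }
        END { if (!done) print line }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Full sequence; only runs when RUN_FIPS_SETUP=1 is set, so sourcing the file
# for the individual functions has no side effects.
if [ "${RUN_FIPS_SETUP:-0}" = "1" ]; then
    fips_enabled || { echo "crypto.fips_enabled is not 1; enable FIPS at the OS level first" >&2; exit 1; }
    render_nss_cfg > "$NSS_CFG"
    create_nss_db "${NSS_PASSWORD_FILE:?set NSS_PASSWORD_FILE to the Cisco-provided password file}"
    add_spring_profile "$MGMT_CONF"
    systemctl stop ccm
    systemctl start ccm
    echo "CCM restarted; log in as SysAdmin and enter the Crypto Services password before tenant-admin login"
fi
```

Usage: `RUN_FIPS_SETUP=1 NSS_PASSWORD_FILE=/root/nss.pw sh ccm-fips.sh` as root on a host where FIPS is already enabled. The final echo is a reminder of the step the procedure repeats after every restart: the Crypto Services password must be entered as SysAdmin before tenant admins can log in.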

© 2017-2019 Cisco Systems, Inc. All rights reserved