CloudCenter 4.8 has reached End of Life (EOL) as of November 14, 2018. See End of Support Notices for additional context.


...

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government certification standard for use in computer systems. To enable this mode in an operating system, refer to your operating system documentation.

To configure FIPS support on the CCM, you must satisfy two conditions:

  • Enable FIPS at the OS level on the CCM
  • Use a brand new CloudCenter environment – You cannot enable FIPS support on an existing CloudCenter environment.

This section provides details on how to configure FIPS in the context of the CCM server.

...

To install CCM on a system that already has FIPS enabled, follow this process.

  1. Verify if FIPS is enabled at the OS level by running the following command.

    sysctl crypto.fips_enabled
    
    # The response to this command should return 1
  2. Install CCM (see CCM (Required) for procedural details).

    Tip

    This is the only additional step and the difference between using both options!

  3. Edit the NSS configuration.

    vi $JAVA_HOME/jre/lib/security/nss.cfg
    
    # Change the entries to:
    
    name = NSS
    nssLibraryDirectory = /usr/lib64/
    nssSecmodDirectory = /usr/local/osmosix/nss
    nssModule = fips
  4. Execute the following commands to create and validate the NSS database.

    Info

    When you run certutil, it prompts you for a new password. You can only use the specific password provided by Cisco. Contact the CloudCenter Support team to obtain the password.

    mkdir -p /usr/local/osmosix/nss
    cd /usr/local/osmosix/nss
    
    certutil -N -d .
    
    modutil -fips true -dbdir .
    certutil -L -d .
  5. Verify if the folder ownership is correct for the NSS database folder.

    chown -R cliqruser:cliqruser /usr/local/osmosix/nss
  6. Add an entry in the mgmtserver.conf file.

    vi /usr/local/osmosix/conf/mgmtserver.conf
    
    # Add the following entry after the JAVA_OPTS line
    export SPRING_PROFILES_ACTIVE=encryption_nss_fips
  7. Restart the CCM server.

    root> systemctl stop ccm
    root> systemctl start ccm
  8. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

    Info

    See Admin Users for additional context on this user.


    1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

    2. Log in using the default SysAdmin credentials provided by the CloudCenter Support team.

    3. Navigate to the Crypto Services accordion.

    4. Click Change Password.

    5. Enter the new password provided by the CloudCenter Support team.

    6. Log out as SysAdmin.

    7. Log in to CCM as a tenant admin.

  9. Each time you restart the CCM service, you must repeat the steps where you log in as SysAdmin and enter the Crypto Services password before you can log in as tenant admin.

You have now configured FIPS in a CCM server using the Option 1 method.

Option 2: Enable FIPS on an Existing CCM Server

...

To enable FIPS on an existing CCM server, follow this process.

  1. Verify if FIPS is enabled at the OS level by running the following command.

    sysctl crypto.fips_enabled
    
    # The response to this command should return 1
  2. Edit the NSS configuration.

    vi $JAVA_HOME/jre/lib/security/nss.cfg
    
    # Change the entries to:
    
    name = NSS
    nssLibraryDirectory = /usr/lib64/
    nssSecmodDirectory = /usr/local/osmosix/nss
    nssModule = fips
  3. Execute the following commands to create and validate the NSS database.

    Info

    When you run certutil, it prompts you for a new password. You can only use the specific password provided by Cisco. Contact the CloudCenter Support team to obtain the password.

    mkdir -p /usr/local/osmosix/nss
    cd /usr/local/osmosix/nss
    
    certutil -N -d .
    
    modutil -fips true -dbdir .
    certutil -L -d .
  4. Verify if the folder ownership is correct for the NSS database folder.

    chown -R cliqruser:cliqruser /usr/local/osmosix/nss
  5. Add an entry in the mgmtserver.conf file.

    vi /usr/local/osmosix/conf/mgmtserver.conf
    
    # Add the following entry after the JAVA_OPTS line
    export SPRING_PROFILES_ACTIVE=encryption_nss_fips
  6. Restart the CCM server.

    root> systemctl stop ccm
    root> systemctl start ccm
  7. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

    Info

    See Admin Users for additional context on this user.


    1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

    2. Log in using the default SysAdmin credentials provided by the CloudCenter Support team.

    3. Navigate to the Crypto Services section.

    4. Click Change Password.

    5. Enter the new password provided by the CloudCenter Support team.

    6. Log out as SysAdmin.

    7. Log in to CCM as a tenant admin.

  8. Each time you restart the CCM service, you must repeat the steps where you log in as SysAdmin and enter the Crypto Services password before you can log in as tenant admin.

You have now configured FIPS in a CCM server using the Option 2 method.
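
The settings that both procedures put in place can be audited with one script before the CCM service is restarted. This is an added example, not part of the Cisco documentation: the function names and the `--audit` switch are assumptions, while the paths, the user and the expected values are the ones given in the steps above.

```shell
#!/bin/sh
# Added example: audit the settings from the steps above. Function names are illustrative.

# Kernel flag; /proc/sys/crypto/fips_enabled is what `sysctl crypto.fips_enabled` reads.
check_fips_kernel() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# All four nss.cfg entries from the page must be present (spacing around "=" ignored).
check_nss_cfg() {
    for want in "name=NSS" "nssLibraryDirectory=/usr/lib64/" \
                "nssSecmodDirectory=/usr/local/osmosix/nss" "nssModule=fips"; do
        grep -v '^[[:space:]]*#' "$1" 2>/dev/null | tr -d ' \t' | grep -qxF "$want" || {
            echo "nss.cfg: missing or wrong entry: $want" >&2
            return 1
        }
    done
}

# The profile export must be active (not commented) and come after the JAVA_OPTS line.
check_spring_profile() {
    awk '
        /^[ \t]*#/   { next }
        /JAVA_OPTS/  { seen = 1 }
        /^[ \t]*export[ \t]+SPRING_PROFILES_ACTIVE=encryption_nss_fips[ \t]*$/ && seen { ok = 1 }
        END          { exit !ok }
    ' "$1" 2>/dev/null
}

# Every file in the NSS database folder must belong to the expected user.
check_owner() {
    stray=$(find "$1" ! -user "$2" -print 2>/dev/null) || return 1
    [ -z "$stray" ]
}

# Run all checks against the paths given on the page.
audit_ccm_fips() {
    rc=0
    check_fips_kernel || { echo "FAIL kernel FIPS flag"; rc=1; }
    check_nss_cfg "$JAVA_HOME/jre/lib/security/nss.cfg" || { echo "FAIL nss.cfg"; rc=1; }
    check_owner /usr/local/osmosix/nss cliqruser || { echo "FAIL NSS folder ownership"; rc=1; }
    check_spring_profile /usr/local/osmosix/conf/mgmtserver.conf || { echo "FAIL mgmtserver.conf"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: FIPS settings match the documented values"
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit_ccm_fips; fi
```

Run it as root with `--audit` on the CCM host; a `FAIL` line names the step to revisit.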

