Symantec Security Information Manager FIPS Operational Mode Guide


Symantec Security Information Manager 4.7.3 FIPS 140-2 Operational Mode Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 1.0

Legal Notice

Copyright 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Printed in the United States of America.

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description: error messages and log files; troubleshooting that was performed before contacting Symantec; recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com

Contents

Technical Support
Chapter 1 Introduction
    Terms and definitions
    Overview
Chapter 2 Configuration
    Configuring SSIM components
        SSIM HTTPD Web server
        SSIM LDAP server
        SSIM SSH server
        Symantec Event Agent
        Client user interface
        Server-side Java services and tools
        Cryptographic modules
Chapter 3 Archive Integrity
    Configuring and verifying the archive integrity


Chapter 1 Introduction

This chapter includes the following topics:

Terms and definitions
Overview

Terms and definitions

The following acronyms are used in the guide:

SSIM: Symantec Security Information Manager. Also known as Information Manager.
SSL: Secure Sockets Layer, a protocol that is used for secure client-server communication
TLS: Transport Layer Security, the successor to SSL
HTTPS: HTTP over SSL/TLS
LDAPS: LDAP over SSL/TLS
SSH: Secure Shell, a protocol that is used for secure remote shell connections
FIPS 140-2: Federal Information Processing Standard 140-2, the standard that specifies the security requirements for cryptographic modules
NIST: National Institute of Standards and Technology, the US federal standards body that defines the FIPS 140-2 standard
NSS: Network Security Services, the Mozilla cryptographic library used by the Java components described in this guide

Overview

The objective of this document is to describe in detail how the Federal Information Processing Standard (FIPS) operational mode is achieved for SSIM 4.7.3. SSIM 4.7.3 adds the ability for the product to run in a FIPS operational mode.

Information Manager components use cryptographic services, such as SSL/TLS communication and digital signatures, from one or more cryptographic provider modules. To achieve FIPS operational mode, these components are configured to use a cryptographic provider that is either validated for FIPS 140-2 Level 1 or is in the FIPS 140-2 Level 1 validation process.

The cryptographic boundary relevant to FIPS 140-2 Level 1 validation for SSIM encompasses the following components:

SSIM HTTPD Web server
The SSIM LDAP server
OpenSSL/OpenSSH software on the Information Manager server
Symantec Event Agent
Information Manager client user interface
Various Java services and tools available on the Information Manager server

The sections in the guide describe the relevant details that enable each of the components to run in FIPS mode. The document specifies the cryptographic module that each component uses. If the module is validated for FIPS 140-2, the relevant certificate number on the NIST site is provided. If the module is currently in the validation process, that is stated in the guide. Any configuration changes that must be made to turn on the FIPS mode in a component are described.

Information Manager has flat-file archives, and integrity hashes and digital signatures are generated for these files to establish their integrity. Since the Information Manager server now uses a FIPS 140-2 validated cryptographic provider, the message digest and digital signature algorithms that are used for this purpose can be obtained from the FIPS-validated cryptographic provider. This document also covers the configuration change necessary to enable FIPS-compliant archive file signing and hashing.

Chapter 2 Configuration

This chapter includes the following topics:

Configuring SSIM components

Configuring SSIM components

The following sections describe the relevant configuration and cryptographic module details that enable SSIM components to run in the FIPS operational mode.

SSIM HTTPD Web server

The Information Manager server uses the IBM HTTPD Server version 6.1 as a Web server to serve requests from browsers, from the Client UI, and from Java services on other Information Manager servers. With respect to SSL/TLS connections, the HTTPD server forms the server end of any connection. Remote SSIM components, such as the client user interface or services from other Information Manager servers, communicate with the HTTPD server using the HTTPS protocol.

The SSL protocol is implemented by the IBM Global Secure Kit version 7.0.14 that is installed as a part of the IBM HTTPD server. IBM Global Secure Kit uses the IBM Crypto C provider version 1.4.5 for all its cryptographic operations. This cryptographic module is validated for FIPS 140-2 Level 1. The certificate number for this module is 775 on the list of validated FIPS 140-2 modules that NIST publishes. See http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140val-all.htm

The FIPS mode of operation can be turned off for the Information Manager Web server. This capability exists because in FIPS mode the Web server accepts only TLS connections, and some Web browsers do not have TLS enabled by default. The FIPS operational mode is therefore turned off by default on the Information Manager Web server, to ensure that the Web UI can be opened in such cases. To turn on the FIPS mode, you run a script on the Information Manager server. The script restarts the Web server after it turns the FIPS mode on or off.

Note: When the FIPS mode is turned on, the Web browser must have the TLS protocol enabled to access the Web UI.

To turn on FIPS mode

1. Log on as root to the Information Manager server on which you need to turn on the FIPS mode for the Web server.
2. Run the following command:

/opt/symantec/simserver/bin/set_fips_mode.sh --on

To turn off FIPS mode

1. Log on as root to the Information Manager server on which you need to turn off the FIPS mode for the Web server.
2. Run the following command:

/opt/symantec/simserver/bin/set_fips_mode.sh --off

SSIM LDAP server

The SSIM server uses the IBM Tivoli Directory Server version 6.1 as the LDAP server. The LDAP server is used as a repository of configuration data such as rules, queries, reports, multi-appliance environment information, collector configurations, sensor configurations, SSIM users, SSIM groups, SSIM roles, and so on. Other SSIM services communicate with the LDAP server using the LDAPS protocol to perform queries and updates to configuration data.

The SSL protocol is implemented by the IBM Global Secure Kit version 7.0.14 that is installed as a part of the IBM Tivoli Directory Server. IBM Global Secure Kit uses the IBM Crypto C provider version 1.4.5 for all its cryptographic operations. This cryptographic module is validated for FIPS 140-2 Level 1. The certificate number for this module is 775 on the list of validated FIPS 140-2 modules that NIST publishes. See http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140val-all.htm

The FIPS mode is always turned on for the SSIM LDAP server through a configuration option in the LDAP configuration. The configuration option is not exposed to the user, and the FIPS mode cannot be changed for the LDAP server.

SSIM SSH server

The SSIM server is installed along with a base Linux operating system on supported hardware. Administration of the server sometimes requires the administrator to log on to the Information Manager server and perform some actions from the operating system shell. Information Manager uses the OpenSSH software version 5.5p1 to provide access to the server through a Secure Shell. Every Information Manager server has the OpenSSH server and client packages installed for Secure Shell access.

The OpenSSH software internally uses the Symantec Cryptographic module shared library for its cryptographic operations. The Symantec Cryptographic module is currently in the FIPS 140-2 Level 1 validation process. See http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140inprocess.pdf

The OpenSSH client and server on the Information Manager server are configured to use only FIPS-approved cryptographic algorithms. Table 2-1 lists the algorithm types and the configured FIPS-approved algorithms for the SSH client and server, along with the configuration file name.

Table 2-1 Configured cryptographic algorithms for SSH client and server

Component              Config file            Algorithm type                     Configured algorithms
SSH client (SSH, SCP)  /etc/ssh/ssh_config    Cipher                             aes128-cbc, aes256-cbc, 3des-cbc
SSH client (SSH, SCP)  /etc/ssh/ssh_config    Message Authentication Code (MAC)  hmac-sha1
SSH server (SSHD)      /etc/ssh/sshd_config   Cipher                             aes128-cbc, aes256-cbc, 3des-cbc
SSH server (SSHD)      /etc/ssh/sshd_config   Message Authentication Code (MAC)  hmac-sha1

Symantec Event Agent

FIPS mode of operation is available for Symantec Event Agent starting from version 4.7.1, which is released along with Symantec Security Information Manager 4.7.3. The Symantec Event Agent is a Java process that receives events from installed event collectors and sends them to a configured Information Manager server. The agent communicates with an Information Manager server to retrieve or update configurations, receive commands from the server, and forward events. For receiving commands and retrieving or updating configurations, it communicates with the Information Manager server using the HTTPS protocol. For event forwarding, the agent may be configured to use HTTPS or plain TCP to communicate with the server. Event forwarding over plain TCP is not protected by any cryptographic module, so events that must be protected in transit should be forwarded over HTTPS. In the case of SSL/TLS communication, the agent acts as the client end of a connection.

Symantec Event Agents are supported on the Windows, Linux, and Solaris operating systems. For more information about supported platforms and operating systems for Symantec Event Agent, refer to the Symantec Event Agent 4.7 Implementation Guide.

The Symantec Event Agent uses Java's internal SSL/TLS implementation for its communication with the Information Manager server. The internal implementation is called SunJSSE, which implements the Java Secure Socket Extension framework for SSL/TLS communication. During the agent's SSL initialization, SunJSSE is configured to use the SunPKCS11 wrapper cryptographic provider for all its cryptographic operations. The SunPKCS11 provider internally uses the FIPS 140-2 validated NSS 3.12.4 cryptographic libraries. The NSS 3.12.4 cryptographic libraries are native libraries that are installed appropriately for the supported Agent platforms; the relevant NSS 3.12.4 library is bundled as a part of the Solaris, Windows, and Linux Agent installers. During installation and startup of the Agent, the NSS secmod database is configured to run in the FIPS mode. For details on the NSS 3.12.4 modules and their associated NIST FIPS certificate numbers, see http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140val-all.htm

By default, the Symantec Event Agent uses the FIPS-validated NSS libraries to run in the FIPS operational mode. The configuration is not exposed to the end user, so it cannot be changed.
At the time of its SSL initialization, the agent configures a limited set of SSL cipher suites that can be negotiated during an SSL handshake. The cipher suites are limited to FIPS-approved cipher suites, and the protocol for communication is set to TLS 1.0. These configurations are not exposed to the user and cannot be changed. Table 2-2 lists the predefined SSL configuration that is applied during initialization.

Table 2-2 Predefined SSL configuration on the agent

Type           Configuration
Protocol       TLS 1.0
Cipher suites  TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Client user interface

The Information Manager client user interface provides a console that Information Manager administrators can use to manage the configuration of their environment. It also provides security analysts with an interface for the management of assets, security incidents, queries, reports, and tickets, and for viewing intelligence data. The client user interface is a Java process that is supported on the Windows operating system. It communicates with the Information Manager server using the HTTPS protocol. In the case of SSL/TLS communication, the client user interface acts as the client end of an SSL/TLS connection.

The client user interface uses Java's internal SSL/TLS implementation for its communication with the Information Manager server. The internal implementation is called SunJSSE, which implements the Java Secure Socket Extension framework for SSL/TLS communication. During the user interface's SSL initialization, SunJSSE is configured to use the SunPKCS11 wrapper cryptographic provider for all its cryptographic operations. The SunPKCS11 provider internally uses the FIPS 140-2 validated NSS 3.12.4 cryptographic libraries. The NSS 3.12.4 cryptographic libraries are native libraries that are installed for the Windows client user interface; the appropriate NSS 3.12.4 library is bundled as a part of the user interface installer. During Information Manager user interface installation and on its startup, the NSS secmod database is configured to run in the FIPS mode. The Information Manager client user interface runs in the FIPS operational mode by default by using the FIPS-validated NSS libraries.
This configuration is not exposed to the user and it cannot be changed. During its SSL initialization, the client user interface configures a limited set of SSL cipher suites that must be negotiated during an SSL handshake. The cipher suites are limited only to FIPS-approved cipher suites. Also the protocol for communication is set to TLS 1.0. These configurations are not exposed to the end-user and cannot be changed.

Table 2-3 Predefined SSL configuration on the client user interface

Type           Configuration
Protocol       TLS 1.0
Cipher suites  TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Server-side Java services and tools

The Information Manager server is comprised of multiple Java processes, known as services, that together perform the SSIM functions. The Java processes and tools must communicate with the SSIM LDAP server and the SSIM Web server for different tasks. In the case of SSL/TLS communication, the services and tools act as the client end of an SSL/TLS connection.

The services and tools on the Information Manager server use Java's internal SSL/TLS implementation for their communication with the SSIM LDAP server and Web server. The internal implementation is called SunJSSE, which implements the Java Secure Socket Extension framework for SSL/TLS communication. During the services' SSL initialization, SunJSSE is configured to use the SunPKCS11 wrapper cryptographic provider for all its cryptographic operations. The SunPKCS11 provider internally uses the FIPS 140-2 validated NSS 3.12.4 cryptographic libraries. The Linux NSS 3.12.4 libraries are installed on the Information Manager server. During Information Manager server installation and when the services start up, the NSS secmod database is configured to run in the FIPS mode. By default, the services and tools on the Information Manager server use the FIPS-validated NSS libraries to run in the FIPS operational mode. This configuration is not exposed to the user and cannot be changed.

During their SSL initialization, the services configure a limited set of SSL cipher suites that can be negotiated during an SSL handshake. The cipher suites are limited to FIPS-approved cipher suites, and the protocol for communication is set to TLS 1.0. These configurations are not exposed to the user and cannot be changed.

Table 2-4 Predefined SSL configuration on the server

Type           Configuration
Protocol       TLS 1.0
Cipher suites  TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Cryptographic modules

The Information Manager components use various cryptographic provider modules. Table 2-5 lists the cryptographic provider module used by each component, the platform for which it is installed, its validation status, and the relevant FIPS 140-2 certificate number on the NIST list of validated cryptographic modules.

Table 2-5 Cryptographic modules used by various SSIM components

SSIM component                                      Cryptographic module and version  Platform/OS  FIPS validation status  FIPS certificate number
SSIM Web server (IBM HTTPD 6.1)                     IBM Crypto C 1.4.5                Linux        Validated               775
SSIM LDAP server (IBM Tivoli Directory Server 6.2)  IBM Crypto C 1.4.5                Linux        Validated               775
SSIM SSH server/client                              Symantec Cryptographic module     Linux        In validation process   NA
SSIM Client UI                                      NSS 3.12.4                        Windows      Validated               1278
SSIM Agent                                          NSS 3.12.4                        Windows      Validated               1278
SSIM Agent                                          NSS 3.12.4                        Linux        Validated               1280
SSIM Agent                                          NSS 3.12.4                        Solaris      Validated               1279
SSIM Server (services and tools)                    NSS 3.12.4                        Linux        Validated               1280
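The algorithm lists in Table 2-1 only hold while /etc/ssh/ssh_config and /etc/ssh/sshd_config still carry them; a package update or a hand edit that drops the Ciphers or MACs line silently reinstates OpenSSH's built-in defaults, which in the 5.x series include arcfour and hmac-md5. The following audit script is an added example, not part of the Symantec guide or the SSIM appliance: it reads the global section of either file and reports any algorithm outside the Table 2-1 set or any missing line. The two configuration texts embedded in it are constructed samples, not copies of appliance files.

```python
"""Audit an OpenSSH client or server configuration against the algorithm set
of Table 2-1 (Ciphers aes128-cbc, aes256-cbc, 3des-cbc; MACs hmac-sha1).

Added example, not code from the Symantec guide. The two configuration
texts below are constructed samples, not copies of appliance files.
"""
from typing import Dict, List, Tuple

# Table 2-1: what the SSIM server configures in ssh_config and sshd_config.
APPROVED = {
    "ciphers": {"aes128-cbc", "aes256-cbc", "3des-cbc"},
    "macs": {"hmac-sha1"},
}


def parse_global_section(text: str) -> Dict[str, List[str]]:
    """Return each keyword's comma-separated values from the global section.

    Only the global section is read: once the first Host or Match line is
    reached, every later line belongs to some block. OpenSSH keeps the first
    value it sees for a keyword, so a later duplicate is ignored here as
    well. Keywords are case-insensitive and the 'Key=value' form is accepted.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0].strip():
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.strip().lower()
        if key in ("host", "match"):
            break
        settings.setdefault(key, [v.strip() for v in value.split(",") if v.strip()])
    return settings


def audit(text: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings) for one ssh_config or sshd_config text.

    A missing Ciphers or MACs line is a finding in its own right: OpenSSH then
    falls back to its built-in defaults, which in the 5.x series include
    non-approved algorithms such as arcfour and hmac-md5.
    """
    settings = parse_global_section(text)
    findings: List[str] = []
    for keyword, allowed in APPROVED.items():
        configured = settings.get(keyword)
        if configured is None:
            findings.append(f"{keyword}: not set, OpenSSH defaults apply")
            continue
        for alg in configured:
            if alg.lower() not in allowed:
                findings.append(f"{keyword}: '{alg}' is not in the Table 2-1 set")
    return (not findings, findings)


# Constructed sample of an sshd_config that matches Table 2-1.
SSHD_CONFIG_FIPS = """\
Port 22
Protocol 2
Ciphers aes128-cbc,aes256-cbc,3des-cbc
MACs hmac-sha1
Match User backup
    PasswordAuthentication no
"""

# Constructed sample of an ssh_config that has drifted from Table 2-1.
SSH_CONFIG_DRIFTED = """\
# The MACs line was removed, so hmac-md5 comes back through the defaults.
Ciphers aes128-cbc,arcfour,3des-cbc
Host *
    ForwardAgent no
"""

if __name__ == "__main__":
    for name, text in (("sshd_config", SSHD_CONFIG_FIPS), ("ssh_config", SSH_CONFIG_DRIFTED)):
        ok, findings = audit(text)
        print(f"{name}: {'compliant' if ok else 'NOT compliant'}")
        for finding in findings:
            print("  -", finding)
```

On the appliance, call audit() on the contents of each of the two files from Table 2-1. The check deliberately reads only the global section: an override inside a Host block of ssh_config applies to matching destinations only and needs a separate look.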

Chapter 3 Archive Integrity

This chapter includes the following topics:

Configuring and verifying the archive integrity

Configuring and verifying the archive integrity

SSIM stores the events that it receives in a flat-file archive. Each archive file grows until it reaches a configured maximum size or until a configured time interval has passed. When either condition is met, a new set of archive and index files is created and events are written to the new files. At the same time, a checksum is generated for the earlier set of archive files and is stored in a file with the same name as the archive file and the extension .key. A digital signature for the archive files is generated and stored in the same .key file.

The archive checksum algorithm is configured as MD5 by default. MD5 is not a FIPS-approved algorithm. With SSIM 4.7.3, the validated FIPS 140-2 NSS crypto module is also installed, and you can change the configuration so that a FIPS-approved algorithm is used to generate the checksum and the FIPS-validated module performs the computation. The configuration steps below ensure that the FIPS-approved SHA-256 algorithm is used to generate the archive checksum and that the cryptographic module used is the validated FIPS 140-2 NSS module. Apart from SHA-256, you may specify other FIPS-approved algorithms such as SHA-384, SHA-512, or SHA-1 (the names SHA and SHA1 are aliases for SHA-1).

To change the archive integrity configuration

1. Log on to the SSIM Server as root.
2. In the vi editor, open the following file:

/opt/symantec/simserver/etc/event-service-startup.xml

3. Go to the line that reads as follows:

<property name="algorithm" value="md5" />

4. Replace md5 with SHA-256, which is a FIPS-approved algorithm.
5. Save the file and exit vi.
6. Restart the event service using the following command:

service sesevents restart
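The procedure above changes one attribute of event-service-startup.xml by hand. The following script is an added example, not code from the Symantec guide: it makes the same change programmatically, rejects any algorithm name outside the guide's FIPS-approved list, re-parses the file to confirm the edit is well-formed, and recomputes a checksum over archive bytes with the configured algorithm. The XML text in it is a constructed stand-in for the real file: only the <property name="algorithm" .../> element comes from the guide, the bean element and class name around it are assumed, and because the guide does not document the layout of the .key file the checksum helper compares raw digests only.

```python
"""Switch the SSIM archive checksum algorithm from MD5 to a FIPS-approved
digest in event-service-startup.xml and recompute a checksum with it.

Added example, not code from the Symantec guide. SAMPLE_XML is a constructed
stand-in for /opt/symantec/simserver/etc/event-service-startup.xml: only the
algorithm property is taken from the guide; the surrounding bean element and
its class name are assumed.
"""
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Digest names the guide allows (Java JCA names; SHA and SHA1 are aliases of SHA-1).
FIPS_APPROVED = ("SHA-256", "SHA-384", "SHA-512", "SHA-1", "SHA1", "SHA")

# hashlib names for the same digests, used to recompute an archive checksum.
HASHLIB_NAME = {
    "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512",
    "SHA-1": "sha1", "SHA1": "sha1", "SHA": "sha1",
}

# Matches the property line the guide tells you to edit.
ALGORITHM_PROPERTY = re.compile(r'(<property\s+name="algorithm"\s+value=")([^"]*)(")')

# Constructed sample; the bean id and class name are assumed, not from the guide.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans>
  <!-- archive integrity settings (constructed sample) -->
  <bean id="archiveIntegrity" class="example.ArchiveIntegrity">
    <property name="algorithm" value="md5" />
    <property name="signArchives" value="true" />
  </bean>
</beans>
"""


def is_fips_approved(algorithm: str) -> bool:
    """True for the digest names the guide lists as FIPS-approved (MD5 is not)."""
    return algorithm in FIPS_APPROVED


def configured_algorithm(xml_text: str) -> Optional[str]:
    """Return the value of <property name="algorithm"/>, or None if absent."""
    prop = ET.fromstring(xml_text).find(".//property[@name='algorithm']")
    return None if prop is None else prop.get("value")


def set_algorithm(xml_text: str, algorithm: str) -> str:
    """Return the file text with the checksum algorithm replaced.

    The edit is a targeted text substitution rather than a re-serialisation,
    so comments and the XML declaration survive. The result is re-parsed to
    make sure the file is still well-formed and carries the new value.
    """
    if not is_fips_approved(algorithm):
        raise ValueError(f"{algorithm!r} is not in the FIPS-approved list")
    updated, count = ALGORITHM_PROPERTY.subn(
        lambda m: m.group(1) + algorithm + m.group(3), xml_text)
    if count != 1:
        raise ValueError(f"expected exactly one algorithm property, found {count}")
    if configured_algorithm(updated) != algorithm:
        raise ValueError("edited file does not parse back to the requested algorithm")
    return updated


def archive_checksum(data: bytes, algorithm: str) -> str:
    """Hex digest of archive bytes with the configured (FIPS-approved) algorithm."""
    return hashlib.new(HASHLIB_NAME[algorithm], data).hexdigest()


def checksum_matches(data: bytes, algorithm: str, expected_hex: str) -> bool:
    """Constant-time comparison of a recomputed digest with a stored one."""
    return hmac.compare_digest(archive_checksum(data, algorithm), expected_hex.lower())


if __name__ == "__main__":
    print("before:", configured_algorithm(SAMPLE_XML))
    updated = set_algorithm(SAMPLE_XML, "SHA-256")
    print("after: ", configured_algorithm(updated))
    archive = b"constructed archive contents"  # stands in for an archive file
    print("SHA-256:", archive_checksum(archive, configured_algorithm(updated)))
```

On a real server, read the file, pass its text through set_algorithm(), write the result back over a backed-up copy, and then restart the event service with the command from step 6; the service only picks up the new algorithm on restart.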