IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Enable FIPS for IBM Tivoli Monitoring
You must configure each IBM Tivoli Monitoring component to enable Federal Information Processing Standard (FIPS) 140-2 mode; a component that is left unconfigured continues to use non-FIPS cryptography.
Procedure
Complete configuration on the following components:
- Monitor automation server
- Monitor server and monitoring agent
- Portal client
- Portal server
- tacmd command-line interface
- tivcmd command-line interface
- Warehouse database
Best practice is to reconfigure a component after editing its environment variables, so that the changes are picked up by the generated configuration and take effect on restart.
If you are using Jazz for Service Management with IBM Tivoli Monitoring, see the Jazz for Service Management Installation Guide in the Jazz for Service Management Information Center for information on how to enable FIPS for its components.
Monitor automation server
- Edit the Tivoli Enterprise Monitoring Automation Server environment file on the computer where the automation server is installed:
On Windows, edit the KASENV file.
On Linux or UNIX, edit the as.ini file.
Change or add the following environment variable:
KDEBE_FIPS_MODE_ENABLED=YES
- Restart the automation server to implement your changes.
Monitor server and monitoring agent configuration:
You can use the following instructions to also configure the Warehouse Proxy Agent and the Summarization and Pruning Agent.
- Edit the following environment files:
On Windows, edit the KBBENV file on the monitoring server and the KXXENV file for each monitoring agent (where XX is the agent's two-letter product code).
On Linux or UNIX, edit ms.ini on the monitoring server and the *.ini file for each monitoring agent.
Change or add the following environment variable:
KDEBE_FIPS_MODE_ENABLED=YES
If using autonomous agents, you must add the KDEBE_FIPS_MODE_ENABLED variable to your custom environment file.
For the Linux and UNIX OS agents, the KDEBE_FIPS_MODE_ENABLED variable has additional possible values. See the IBM Tivoli Monitoring Linux OS Agent Installation Guide and IBM Tivoli Monitoring UNIX OS Agent Installation Guide.
- Restart the monitoring server and each monitoring agent you edited to implement your changes.
Portal client configuration:
- For desktop clients, browser clients, and WebStart clients, first configure the client to communicate with the portal server over HTTPS. Follow the instructions in "Configuring HTTP communication between the portal client and server" in the IBM Tivoli Monitoring Installation and Setup Guide.
- Then edit the client's configuration file, using the same method described in that topic:
For desktop clients, your edits modify the cnp.bat file.
For browser clients, your edits modify the applet.html file.
For WebStart clients, your edits modify the tep.jnlpt file.
Add the following Java properties to each configuration file (the exact syntax depends on the file: a -D option on the _CMD line in cnp.bat, a PARAM element in applet.html, and a property element in tep.jnlpt):
com.ibm.TEPS.FIPSMODE set to true
tep.sslcontext.protocol set to TLS
https.protocols set to TLS
- For desktop clients, edit the install_dir/CNP/cnp.bat file directly or through Manage Tivoli Enterprise Monitoring Services > Desktop Client > Advanced > Edit ENV, and make sure the _CMD line includes the following definition:
https.protocols set to TLS
- Restart each portal client to implement your changes.
Portal server configuration:
- Edit the Tivoli Enterprise Portal Server environment file on the computer where the portal server is installed:
On Windows, edit the KFWENV file.
On Linux or UNIX, edit the cq.ini file.
Change or add the following environment variables:
KDEBE_FIPS_MODE_ENABLED=YES
KFW_FIPS_ENFORCED=YES
- Restart the portal server to implement your changes.
- Enable the TEPS/e administration console. See Start the TEPS/e administration console.
- Enable FIPS 140-2 mode by following the directions in the "Configuring WebSphere Application Server for SP800-131 standard strict mode" topic in the WebSphere Application Server V8.5 Information Center.
tacmd command-line interface configuration:
- On Windows, edit the <ITM_dir>\BIN\KUIENV file.
Change or add the following environment variables:
TEPS_FIPS_MODE=YES
KDEBE_FIPS_MODE_ENABLED=YES
- On Linux or UNIX, edit the <ITM_dir>/bin/tacmd shell script.
Change or add the following environment variables:
export TEPS_FIPS_MODE=YES
export KDEBE_FIPS_MODE_ENABLED=YES
tivcmd command-line interface configuration:
- On Windows, edit the <tivcmd_install_dir>\BIN\KDQENV file.
Change or add the following environment variables:
KDEBE_FIPS_MODE_ENABLED=YES
- On Linux or UNIX, edit the <tivcmd_install_dir>/bin/tivcmd shell script.
Change or add the following environment variables:
export KDEBE_FIPS_MODE_ENABLED=YES
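The monitoring server and agent, portal server, tacmd and tivcmd steps above are one operation repeated across files: rewrite a KEY=VALUE line if it exists, append it if it does not, and use the export form in the two shell scripts. The POSIX shell script below is an added example and is not part of the IBM documentation or of the product. It assumes a Linux or UNIX installation with the config/*.ini and bin/tacmd layout under one install directory; the install path, the file contents in the demo and the agent product codes are constructed. It covers only the Linux/UNIX files (the Windows KxxENV files are edited through Manage Tivoli Enterprise Monitoring Services) and does not perform the reconfigure or restart step.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: idempotently set the FIPS
# environment variables in Linux/UNIX ITM files and audit the result.
# The install layout used by enable_fips and demo is an assumption.

# POSIX BRE prefix matching "KEY=" with an optional leading "export ".
_lead='^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}'

# get_env_var FILE KEY
#   Print the last value assigned to KEY in FILE (empty if unset).
get_env_var() {
  sed -n "s|${_lead}$2=\(.*\)|\2|p" "$1" | tail -n 1
}

# set_env_var FILE KEY VALUE [PREFIX]
#   Rewrite an existing KEY= line in place or append one. Pass PREFIX="export "
#   for shell scripts such as bin/tacmd; leave it empty for .ini files.
#   Comments and all other settings are preserved; the file is rewritten
#   through "cat >" so a script keeps its execute permission.
set_env_var() {
  f=$1; k=$2; v=$3; p=${4:-}
  [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  t="$f.tmp.$$"
  if grep -q "${_lead}${k}=" "$f"; then
    sed "s|${_lead}${k}=.*|${p}${k}=${v}|" "$f" > "$t"
  else
    cat "$f" > "$t"
    if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$t"; fi   # file lacked final newline
    printf '%s%s=%s\n' "$p" "$k" "$v" >> "$t"
  fi
  cat "$t" > "$f" && rm -f "$t"
}

# fips_ok FILE KEY...
#   Succeed only if every KEY is set to YES in FILE; report each miss on stderr.
fips_ok() {
  ff=$1; shift; rc=0
  for kk in "$@"; do
    val=$(get_env_var "$ff" "$kk")
    if [ "$val" != "YES" ]; then
      echo "FAIL $ff: $kk=${val:-<unset>}" >&2
      rc=1
    fi
  done
  return $rc
}

# enable_fips INSTALL_DIR [AGENT_PC...]
#   Apply the settings from this topic to the Linux/UNIX files of the
#   monitoring server (ms.ini), automation server (as.ini), portal server
#   (cq.ini), tacmd, and each agent given by its two-letter product code
#   (config/<pc>.ini). Missing server files are skipped.
enable_fips() {
  root=$1; shift
  for ini in "$root/config/ms.ini" "$root/config/as.ini" "$root/config/cq.ini"; do
    if [ -f "$ini" ]; then set_env_var "$ini" KDEBE_FIPS_MODE_ENABLED YES; fi
  done
  for pc in "$@"; do
    set_env_var "$root/config/$pc.ini" KDEBE_FIPS_MODE_ENABLED YES
  done
  if [ -f "$root/config/cq.ini" ]; then
    set_env_var "$root/config/cq.ini" KFW_FIPS_ENFORCED YES
  fi
  if [ -f "$root/bin/tacmd" ]; then
    set_env_var "$root/bin/tacmd" TEPS_FIPS_MODE YES "export "
    set_env_var "$root/bin/tacmd" KDEBE_FIPS_MODE_ENABLED YES "export "
  fi
}

# Demo on a constructed layout standing in for a real install directory.
demo() {
  top=$(mktemp -d)
  mkdir -p "$top/config" "$top/bin"
  printf '# constructed sample ms.ini\nKDEBE_FIPS_MODE_ENABLED=NO\n' > "$top/config/ms.ini"
  printf '# constructed sample cq.ini\nKFW_STARTJVM=YES\n' > "$top/config/cq.ini"
  printf '#!/bin/sh\n  export TEPS_FIPS_MODE=NO\n' > "$top/bin/tacmd"
  chmod 755 "$top/bin/tacmd"
  enable_fips "$top"
  if fips_ok "$top/config/ms.ini" KDEBE_FIPS_MODE_ENABLED &&
     fips_ok "$top/config/cq.ini" KDEBE_FIPS_MODE_ENABLED KFW_FIPS_ENFORCED &&
     fips_ok "$top/bin/tacmd" TEPS_FIPS_MODE KDEBE_FIPS_MODE_ENABLED; then
    status=0
  else
    status=1
  fi
  rm -rf "$top"
  return $status
}

demo && echo "FIPS variables set and verified"
```

The same set_env_var call with the "export " prefix applies to the tivcmd script, which normally lives under its own install directory. Running fips_ok against every component file is also a cheap post-change audit: a file in which the variable is commented out, misspelled, or set to NO is reported rather than silently left on non-FIPS cryptography. After the edit, reconfigure and restart each component as this topic describes so that the regenerated configuration carries the new value.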
Warehouse database configuration:
Warehouse database configuration is specific to your installation and outside the scope of this topic. You must configure your ODBC client to access the database server over TLS/SSL, and configure the database server itself for FIPS 140-2 mode; links for each supported database are listed below.
- MSSQL 2005
Refer to the following Microsoft knowledge base article for details on configuring Microsoft SQL Server to run in FIPS 140-2 mode. See http://support.microsoft.com/kb/920995.
- DB2 v9.1 Fix Pack 2+
For DB2 9.1 Fix Pack 2 and higher TLS/SSL connections are always in FIPS 140-2 mode. Refer to the following IBM support document for further details on configuring the TLS/SSL ODBC connection. See http://www-01.ibm.com/support/docview.wss?uid=swg21249656.
- Oracle
Refer to the following support document for configuring Oracle 10g (9.0.4) or later in FIPS 140-2 mode. See http://download.oracle.com/docs/cd/B14099_19/core.1012/b13999/fips.htm.
Results
When every component listed above has been configured and restarted, and IP.SPIPE is used between components, you are running a FIPS 140-2 Level 1 compliant configuration.
What to do next
When in FIPS 140-2 mode, Tivoli Management Services components and Tivoli Enterprise Monitoring Agents use one or more of these FIPS 140-2 validated cryptographic providers: IBMJCEFIPS (certificate 497), IBMJSSEFIPS (certificate 409), and IBM Crypto for C (ICC, certificate 775). The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
All IP.SPIPE connections and TLS/SSL-enabled LDAP connections use TLS 1.0 or higher. TLS/SSL must be enabled between the Tivoli Enterprise Portal client and the Tivoli Enterprise Portal Server, as described in the "Using SSL between the portal server and the client" topic in the IBM Tivoli Monitoring Installation and Setup Guide. If TLS/SSL is not enabled on that link, credentials might be exposed in transit.
Enable IP.SPIPE between all IBM Tivoli Monitoring components to preserve the integrity and confidentiality of data with FIPS 140-2 compliant cryptography; an IP.PIPE connection is not protected. Certificates used in IP.SPIPE communication must meet the cryptographic strength prescribed by NIST and FIPS. For detailed information on how to replace cryptographic certificates, see the various topics in Securing communications. If your environment uses the provided GSKit utilities, include the -fips flag in all operations, otherwise the key database and keys are created with non-FIPS code paths. Refer to your local security administrator or to the NIST website for more details on FIPS 140-2 compliance.
Parent topic: Securing communications
Related reference:
http://www-01.ibm.com/software/sysmgmt/products/support/IBMTivoliMonitoring.html
http://csrc.nist.gov/