IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Enable SP800-131a for IBM Tivoli Monitoring

The National Institute of Standards and Technology (NIST) Special Publications (SP) 800-131a standard strengthens algorithms and increases the key lengths to improve security. To enable SP800-131a you must configure IBM Tivoli Monitoring components individually.


SP800-131a mode for IBM Tivoli Monitoring has the following properties:

In IBM Tivoli Monitoring Version 6.3 Fix Pack 2, the generated self-signed certificates comply with the standards mentioned in this section by default.


Procedure

Complete the configuration for the following components in the order listed, where applicable:

It is a best practice to reconfigure any component after editing its environment variables, to ensure that the changes take effect.

Monitoring server and monitoring agent configuration:

You can use the following instructions to also configure the Warehouse Proxy Agent and the Summarization and Pruning Agent.

  1. Edit the following environment files:

    In the Manage Tivoli Enterprise Monitoring Services window, right-click the component and click Advanced → Edit Variables. Alternatively, you can edit the KBBENV file and the KXXENV file for each monitoring agent (where XX is your two-letter product code) directly.

    Edit the ms.ini on the monitoring server, and *.ini for each monitoring agent.

    Change or add the following environment variable:

    KDEBE_FIPS_MODE_ENABLED=SP800-131a

    If using autonomous agents, you must add the KDEBE_FIPS_MODE_ENABLED variable to your custom environment file.

  2. Restart the monitoring server and each monitoring agent you edited to implement your changes.

z/OS AT-TLS configuration:

In z/OS environments, configuring SP800-131a for IP.SPIPE connections requires configuring the Application Transparent Transport Layer Security (AT-TLS) policy. TLSv1.2 protocol is available with z/OS 2.1. TLSv1.2 is also available with z/OS 1.13, but you must apply the following APARs to your system:

If a secure protocol (SPIPE or HTTPS) is used between monitoring agents and monitoring servers on z/OS, AT-TLS must be configured and running. To configure AT-TLS, an authorized system programmer must create a policy for AT-TLS. A security administrator (RACF or ACF2) must grant permission to the policy that defines the authentication certificate that is used in the TLS protocol.

If z/OS components communicate with monitoring servers on a distributed operating system, or a distributed component, such as the Tivoli Enterprise Portal Server, communicates with a z/OS hub monitoring server, the AT-TLS policy must match the policy that is created for the distributed component by GSKIT.

To configure SP800-131a complete the following tasks:

  1. ICSF must be enabled and started on the monitoring server and agent-only runtime environments (RTE). See Configure the Tivoli Enterprise Monitoring Server on z/OS.

  2. Configure your z/OS monitoring server and monitoring agents to use IP.SPIPE communications. See Configure the Tivoli Enterprise Monitoring Server on z/OS.

  3. Configure an AT-TLS policy to restrict to TLSv1.2.

    See the Communications Server IP Configuration Guide in the Communication Server Information Center for further reference.

    The following is an example of an AT-TLS policy for SP800-131a:

      TTLSGroupAction             group_action0
      {
        TTLSEnabled               ON
      }
      TTLSEnvironmentAction       environment_action0
      {
        TTLSKeyRingParms
        {
          Keyring                 /etc/itm/at-tls/keyring.db
          keyringPw               itm
          keyringStashFile        /etc/itm/at-tls/keyring.sth
        }
        HandshakeRole             Client
        TTLSEnvironmentAdvancedParms
        {
          ## Only TLSv1.2 is permitted; FIPS140 restricts the cipher suites to approved ones
          SSLv2                   Off
          SSLv3                   Off
          TLSv1                   Off
          TLSv1.1                 Off
          TLSv1.2                 On
          FIPS140                 On
          CertificateLabel        IBM_Tivoli_Monitoring_Encryption_Key
        }
        ## Inline signature-algorithm statement (the TTLSSignatureParmsRef form takes the name
        ## of a separately defined TTLSSignatureParms statement rather than a brace block).
        ## Each SignaturePair is the TLSv1.2 hash/signature code: SHA-224 and stronger with RSA or ECDSA.
        TTLSSignatureParms
        {
          SignaturePair           0301    ## TLS_SIGALG_SHA224_WITH_RSA
          SignaturePair           0303    ## TLS_SIGALG_SHA224_WITH_ECDSA
          SignaturePair           0401    ## TLS_SIGALG_SHA256_WITH_RSA
          SignaturePair           0403    ## TLS_SIGALG_SHA256_WITH_ECDSA
          SignaturePair           0501    ## TLS_SIGALG_SHA384_WITH_RSA
          SignaturePair           0503    ## TLS_SIGALG_SHA384_WITH_ECDSA
          SignaturePair           0601    ## TLS_SIGALG_SHA512_WITH_RSA
          SignaturePair           0603    ## TLS_SIGALG_SHA512_WITH_ECDSA
        }
      }

Portal server configuration:

  1. Enable TLS/SSL for all Tivoli Enterprise Portal clients. For detailed steps, see "Using SSL between the portal server and the client" in the IBM Tivoli Monitoring Installation and Setup Guide.

  2. Edit the Tivoli Enterprise Portal Server environment file on the computer where the portal server is installed.

    In the Manage Tivoli Enterprise Monitoring Services window, right-click the component and click Advanced → Edit Variables. Alternatively, you can edit the KFWENV file directly.

    Edit the cq.ini file.

    Change or add the following environment variables:

    KDEBE_FIPS_MODE_ENABLED=SP800-131a
    KFW_FIPS_ENFORCED=YES

  3. Restart the portal server to implement your changes.

  4. Enable SP800-131 Transition mode in the TEPS/e administration console.

    1. Follow the instructions in Start the TEPS/e administration console.

    2. Click Security → SSL certificate and key management → Manage FIPS.

    3. If you have not imported compliant certificates, select Convert Certificates. When converting the certificates, select Algorithm Strict and then select SHA256WithRSA or another algorithm. If you select an ECDSA Certificate algorithm, then all browsers and clients (including the Dashboard Application Services Hub servers) connecting to the WebSphere Server must support TLSv1.2 and Elliptic Curve Certificates.

      You must accept the new certificate using the WebSphere command line utilities. Run one of the following commands, and then when prompted, accept the certificate:

      updateTEPSEPass.bat wasadmin <password>

      updateTEPSEPass.sh wasadmin <password>

    4. Select Enable SP800-131, Transition, and Update SSL configurations to require TLSv1.2.

      Note: Once you apply and then save your changes to the master file for WebSphere, you might need to reconnect to the WebSphere console if you are logged out, since the new certificate and algorithms take effect immediately.

    5. Update the ssl.client.props file to allow administration of WebSphere.

      Windows: install_dir\CNPSJ\profiles\ITMProfile\properties\ssl.client.props

      Linux or UNIX: install_dir/arch/iw/profiles/ITMProfile/properties/ssl.client.props

      Once the server is configured for SP800-131 transition mode, the ssl.client.props file must be modified so that the administrative client can communicate with the WebSphere server running in SP800-131 mode. Without the change, the administrative client cannot make a TLSv1.2 connection to the server. Edit the ssl.client.props file by completing the following steps:

      1. Modify com.ibm.security.useFIPS to be set to true.

      2. Add com.ibm.websphere.security.FIPSLevel=SP800-131 directly beneath the useFIPS property.

      3. Change the com.ibm.ssl.protocol property to TLSv1.2. Note: The com.ibm.ssl.protocol property is further down in the file than the first two properties.

    For further instruction, see "Transitioning WebSphere Application Server to the SP800-131 security standard" in the WebSphere Application Server V8.5 Information Center.

  5. Synchronize certificates between the IBM HTTP Server and the portal server. Import the new WebSphere certificates into the IBM Tivoli Monitoring key repository. For detailed steps, see Import the TEPS/e certificates into the portal server keyfile database.

  6. Update the IBM HTTP Server acceptable protocols. On the computer where the portal server is installed, edit the httpd.conf file so that the VirtualHost for port 15201 includes the following directives.

    In the following examples, the SSLAttributeSet directive is entered on one line.

    Windows: install_dir\IHS\CONF

      <VirtualHost *:15201>
         DocumentRoot "<ITM_HOME>/CNB"
         SSLEnable
         SSLProtocolDisable SSLv2
         SSLProtocolDisable SSLv3
         SSLProtocolEnable TLSv10
         SSLProtocolDisable TLSv11
         SSLProtocolEnable TLSv12
         SSLFIPSEnable
         SSLAttributeSet 245 "GSK_TLS_SIGALG_RSA_WITH_SHA224, GSK_TLS_SIGALG_RSA_WITH_SHA256, GSK_TLS_SIGALG_RSA_WITH_SHA384, GSK_TLS_SIGALG_RSA_WITH_SHA512, GSK_TLS_SIGALG_ECDSA_WITH_SHA224, GSK_TLS_SIGALG_ECDSA_WITH_SHA256, GSK_TLS_SIGALG_ECDSA_WITH_SHA384, GSK_TLS_SIGALG_ECDSA_WITH_SHA512" BUFF
         SSLServerCert IBM_Tivoli_Monitoring_Certificate
         ErrorLog "<ITM_HOME>/IHS/logs/sslerror.log"
         TransferLog "<ITM_HOME>/IHS/logs/sslaccess.log"
         KeyFile "<ITM_HOME>/keyfiles/keyfile.kdb"
         SSLStashfile "<ITM_HOME>/keyfiles/keyfile.sth"
      </VirtualHost>

    Linux or UNIX: install_dir/arch/iu/ihs/HTTPServer/conf

      <VirtualHost *:15201>
         DocumentRoot "<ITM_HOME>/<arch>/cw/"
         SSLEnable
         SSLProtocolDisable SSLv2
         SSLProtocolDisable SSLv3
         SSLProtocolEnable TLSv10
         SSLProtocolDisable TLSv11
         SSLProtocolEnable TLSv12
         SSLFIPSEnable
         SSLAttributeSet 245 "GSK_TLS_SIGALG_RSA_WITH_SHA224, GSK_TLS_SIGALG_RSA_WITH_SHA256, GSK_TLS_SIGALG_RSA_WITH_SHA384, GSK_TLS_SIGALG_RSA_WITH_SHA512, GSK_TLS_SIGALG_ECDSA_WITH_SHA224, GSK_TLS_SIGALG_ECDSA_WITH_SHA256, GSK_TLS_SIGALG_ECDSA_WITH_SHA384, GSK_TLS_SIGALG_ECDSA_WITH_SHA512" BUFF
         SSLServerCert IBM_Tivoli_Monitoring_Certificate
         ErrorLog "<ITM_HOME>/<arch>/iu/ihs/HTTPServer/logs/sslerror.log"
         TransferLog "<ITM_HOME>/<arch>/iu/ihs/HTTPServer/logs/sslaccess.log"
         KeyFile "<ITM_HOME>/keyfiles/keyfile.kdb"
         SSLStashfile "<ITM_HOME>/keyfiles/keyfile.sth"
      </VirtualHost>

  7. Update the HTTP plugin. Edit the plugin-cfg.xml file:

    Windows: install_dir\IHSPlugins\config\ITMWebServer\plugin-cfg.xml

    Linux or UNIX: install_dir/arch/iu/ihs/Plugins/config/ITMWebServer/plugin-cfg.xml

    Add or change the following properties as attributes on the Config XML tag:

    • FIPSEnable set to "true"

    • StrictSecurity set to "true"

  8. Restart the portal server to implement your changes.

Portal client configuration:

  1. For desktop clients, browser clients, and WebStart clients, configure the clients to communicate using HTTPS protocol. Follow the instructions in "Configuring HTTP communication between the portal client and server" in the IBM Tivoli Monitoring Installation and Setup Guide.

  2. For desktop clients, browser clients, and WebStart clients, edit the associated configuration file using the same method as described in "Configuring HTTP communication between the portal client and server" in the IBM Tivoli Monitoring Installation and Setup Guide.

    • For desktop clients, your edits modify the cnp.bat file.

    • For browser clients, your edits modify the applet.html file.

    • For WebStart clients, your edits modify the tep.jnlpt file.

    Add the following variables to each of the configuration files:

    com.ibm.TEPS.FIPSMODE set to true
    tep.sslcontext.protocol set to TLSv1.2
    https.protocols set to TLSv1.2
    com.ibm.ssl.protocol set to TLSv1.2

  3. For browser client users, you must enable TLSv1.2 in the Java Control Panel. Open the Java Control Panel for the Java that is being used in the browser client using Advanced → Advanced Security Settings and set Use TLS 1.2.

  4. For desktop client users, edit the install_dir/CNP/cnp.bat file directly or through Manage Tivoli Enterprise Monitoring Services → Desktop Client → Advanced → Edit ENV.

    Modify the _CMD line to include the following definition:

    https.protocols set to TLSv1.2
    com.ibm.ssl.protocol set to TLSv1.2

  5. Restart each portal client to implement your changes.

tacmd command-line interface configuration:

  1. On Windows, edit the <ITM_dir>\BIN\KUIENV file.

    Change or add the following environment variables:

    TEPS_FIPS_MODE=YES
    KDEBE_FIPS_MODE_ENABLED=SP800-131a

  2. On Linux or UNIX, edit the <ITM_dir>/bin/tacmd shell script.

    Change or add the following environment variables:

    export TEPS_FIPS_MODE=YES
    export KDEBE_FIPS_MODE_ENABLED=SP800-131a

tivcmd command-line interface:

  1. On Windows, edit the <tivcmd_install_dir>\BIN\KDQENV file.

    Change or add the following environment variable:

    KDEBE_FIPS_MODE_ENABLED=SP800-131a

  2. On Linux or UNIX, edit the <tivcmd_install_dir>/bin/tivcmd shell script.

    Change or add the following environment variable:

    export KDEBE_FIPS_MODE_ENABLED=SP800-131a

Authorization Policy Server:

  1. Ensure that your Dashboard Application Services Hub WebSphere is at version 8.0.0.6 or 8.5.0.2 or higher to be SP800-131a compliant.

  2. Log in to the WebSphere Administrative Console of the Dashboard Application Services Hub where the Authorization Policy Server is installed.

  3. Configure WebSphere with SP800-131 Transitional mode by following the instructions in the topic "Transitioning WebSphere Application Server to the SP800-131 security standard" in the WebSphere Application Server V8.5 Information Center.
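The procedure above touches several plain KEY=VALUE files (ms.ini/KBBENV, cq.ini, KUIENV, the tacmd script, ssl.client.props) plus the IHS httpd.conf VirtualHost. The following is an added audit script, not part of IBM's product or this page, that reads such files as text and reports which of the settings listed on this page are missing; the sample inputs are constructed, the file formats are assumed to be as shown above, and the required values are copied from the steps.

```python
import re

# Required settings per file, taken from the procedure on this page.
CQ_REQUIRED = {"KDEBE_FIPS_MODE_ENABLED": "SP800-131a", "KFW_FIPS_ENFORCED": "YES"}
KUI_REQUIRED = {"TEPS_FIPS_MODE": "YES", "KDEBE_FIPS_MODE_ENABLED": "SP800-131a"}
PROPS_REQUIRED = {"com.ibm.security.useFIPS": "true",
                  "com.ibm.websphere.security.FIPSLevel": "SP800-131",
                  "com.ibm.ssl.protocol": "TLSv1.2"}
# Directives this page lists for the port 15201 VirtualHost (first two tokens of each line).
VHOST_REQUIRED = ["SSLEnable", "SSLFIPSEnable", "SSLProtocolDisable SSLv2",
                  "SSLProtocolDisable SSLv3", "SSLProtocolEnable TLSv12", "SSLAttributeSet 245"]

def parse_kv(text):
    """Parse KEY=VALUE lines: ITM .ini/ENV files, 'export KEY=VALUE' in the tacmd script, Java .properties."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":          # comment lines in both file styles
            continue
        if line.startswith("export "):           # tacmd/tivcmd shell scripts export the variables
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def check_kv(text, required):
    """Return findings for missing or mismatched settings; an empty list means compliant."""
    found = parse_kv(text)
    return [f"{k}: expected {v!r}, found {found.get(k)!r}"
            for k, v in required.items() if found.get(k) != v]

def check_ihs_vhost(httpd_conf, port=15201):
    """Return findings for the IHS VirtualHost that fronts the portal server."""
    m = re.search(rf"<VirtualHost \*:{port}>(.*?)</VirtualHost>", httpd_conf, re.S)
    if not m:
        return [f"no <VirtualHost *:{port}> block"]
    present = {" ".join(line.split(None, 2)[:2]) for line in m.group(1).splitlines() if line.strip()}
    return [f"missing directive: {d}" for d in VHOST_REQUIRED if d not in present]

# Constructed sample inputs (not real files): KUIENV lacks TEPS_FIPS_MODE, httpd.conf lacks two directives.
SAMPLE_CQ_INI = "KDEBE_FIPS_MODE_ENABLED=SP800-131a\nKFW_FIPS_ENFORCED=YES\n"
SAMPLE_KUIENV = "# constructed KUIENV\nKDEBE_FIPS_MODE_ENABLED=SP800-131a\n"
SAMPLE_TACMD = "export TEPS_FIPS_MODE=YES\nexport KDEBE_FIPS_MODE_ENABLED=SP800-131a\n"
SAMPLE_PROPS = ("com.ibm.security.useFIPS=true\ncom.ibm.websphere.security.FIPSLevel=SP800-131\n"
                "com.ibm.ssl.protocol=TLSv1.2\n")
SAMPLE_HTTPD = ('<VirtualHost *:15201>\n   SSLEnable\n   SSLProtocolDisable SSLv2\n'
                '   SSLProtocolEnable TLSv12\n   SSLAttributeSet 245 "GSK_TLS_SIGALG_RSA_WITH_SHA256"\n'
                '</VirtualHost>\n')
```

Run check_kv against the text of each environment file with the matching required map, and check_ihs_vhost against httpd.conf, after completing the steps and again after any reconfiguration, since reconfiguring a component can rewrite its environment file.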


Results

You are now running an SP800-131a compliant configuration.


What to do next

Application agents might initiate their own communications for data collection. Those remote servers must be configured to be SP800-131a compliant to ensure that the agent's communication is also SP800-131a compliant.

When in SP800-131a mode, Tivoli Management Services components and Tivoli Enterprise Monitoring Agents use one or more of these SP800-131a approved cryptographic providers: IBMJCEFIPS (certificate 497), IBMJSSEFIPS (certificate 409), and IBM Crypto for C (ICC certificate 775) for cryptography. The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

All IP.SPIPE connections and TLS/SSL-enabled LDAP connections utilize TLSv1.2. TLS/SSL must be enabled between the Tivoli Enterprise Portal client and the Tivoli Enterprise Portal Server, as described in the "Using SSL between the portal server and the client" topic in the IBM Tivoli Monitoring Installation and Setup Guide. Failure to enable TLS/SSL might expose credentials.

Enable IP.SPIPE between all IBM Tivoli Monitoring components to preserve integrity and confidentiality of data using SP800-131a compliant cryptography. Certificates used in IP.SPIPE communication require NIST and FIPS prescribed cryptographic strength. For detailed information on how to replace cryptographic certificates, see the various topics in Securing communications. If your environment uses the provided GSKit utilities, the -fips flag must be included in all operations. Refer to your local security administrator or to the NIST website for more details on SP800-131a compliance. Information on how to generate certificates using GSKit is also provided on IBM Service Management Connect.


Parent topic:

Securing communications
