The National Institute of Standards and Technology (NIST)
Special Publications (SP) 800-131a standard strengthens algorithms
and increases the key lengths to improve security. To enable SP800-131a
you must configure IBM® Tivoli® Monitoring components
individually.
Before you begin
- Update your IBM Tivoli Monitoring infrastructure components to Version 6.3 Fix Pack 2 or higher before you enable SP800-131a. Your operating system agents and the Tivoli Enterprise Management Agent framework for other agents must be at Version 6.3 or higher. Infrastructure components that are configured to use SP800-131a mode can interact only with the following components:
  - IBM Tivoli Monitoring Version 6.3 Fix Pack 2 or higher monitoring agents or infrastructure components.
  - IBM Tivoli Monitoring Version 6.3 or higher monitoring agents or infrastructure components that are configured for FIPS 140-2 mode.
  Tivoli Monitoring agents and infrastructure components prior to Version 6.3 are not able to communicate with Tivoli Monitoring infrastructure components configured in SP800-131a mode.
- Ensure that you have strong certificates for each of your computers. Then distribute the certificates to each of the agent keyfile directories, one per IBM Tivoli Monitoring installation. Certificates used for TLS/SSL communication must have a minimum RSA key length of 2048 bits, or be Elliptic Curve (EC) certificates with a minimum key length of 256 bits. For more information, see Securing communications.
- Perform this task during a maintenance period.
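The certificate minimums above (RSA keys of at least 2048 bits, EC keys of at least 256 bits, and, from the next section, signatures of at least SHA-256) can be checked before a certificate is distributed to the keyfile directories. The following Python script is an added example and is not part of the IBM page or of the product: it reads the text that `openssl x509 -in cert.pem -noout -text` prints and reports every rule the certificate fails. The three certificate dumps embedded in it are constructed excerpts, not real Tivoli Monitoring certificates.

```python
"""Added example (not from the IBM page): check a certificate against the
minimums the page states for SP800-131a mode, using the text that
`openssl x509 -in cert.pem -noout -text` prints. The three certificate
dumps below are constructed excerpts, not real ITM certificates."""
import re

MIN_RSA_BITS = 2048          # minimum RSA key length from the page
MIN_EC_BITS = 256            # minimum Elliptic Curve key length from the page
APPROVED_DIGESTS = ("sha256", "sha384", "sha512")   # "at least SHA-256"


def parse_x509_text(text):
    """Extract the signature algorithm, key algorithm and key size from an
    openssl -text dump. Only the first 'Signature Algorithm' line is used;
    openssl prints it twice and both name the same algorithm."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not (sig and alg and bits):
        raise ValueError("input does not look like openssl x509 -text output")
    return {"signature": sig.group(1), "key_algorithm": alg.group(1),
            "key_bits": int(bits.group(1))}


def sp800_131a_findings(info):
    """Return a list of findings; an empty list means the certificate meets
    the key-length and signature minimums stated on the page."""
    findings = []
    alg, bits = info["key_algorithm"], info["key_bits"]
    if alg == "rsaEncryption":
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {bits} bits; minimum is {MIN_RSA_BITS}")
    elif alg == "id-ecPublicKey":
        if bits < MIN_EC_BITS:
            findings.append(f"EC key is {bits} bits; minimum is {MIN_EC_BITS}")
    else:
        findings.append(f"key algorithm {alg} is neither RSA nor EC")
    # openssl names such as sha256WithRSAEncryption or ecdsa-with-SHA256
    digest = info["signature"].lower()
    if not any(d in digest for d in APPROVED_DIGESTS):
        findings.append(f"signature {info['signature']} is weaker than SHA-256")
    return findings


def check_certificate_text(text):
    """Convenience wrapper: parse the dump, then apply the rules."""
    return sp800_131a_findings(parse_x509_text(text))


# Constructed samples: a compliant RSA cert, a compliant EC cert, and a
# legacy cert that fails both rules.
RSA_OK = """Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
EC_OK = """Certificate:
    Data:
    Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
"""
LEGACY = """Certificate:
    Data:
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

if __name__ == "__main__":
    for name, dump in (("RSA_OK", RSA_OK), ("EC_OK", EC_OK), ("LEGACY", LEGACY)):
        print(name, check_certificate_text(dump) or "compliant")
```

Run it against the output of `openssl x509 -noout -text` for each certificate you intend to place in a keyfile directory; anything other than an empty list means the certificate will not satisfy the mode once the components are switched over.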
About this task
SP800-131a mode for
IBM Tivoli Monitoring has the
following properties:
Note: In IBM Tivoli Monitoring Version 6.3 Fix Pack 2, the generated self-signed certificates comply with the standards mentioned in this section by default.
- All communication is over TLSv1.2 protocol.
- All certificates for communication are either RSA certificates with 2048-bit keys signed with at least SHA-256 digital signatures, or Elliptic Curve cryptography certificates. Use all RSA certificates or all Elliptic Curve certificates.
- Any SNMP connections must conform to either SNMP V1, V2 or V3
using authentication with SHA-1 only.
Note: SNMP
V3 data privacy is not SP800-131 compliant.
- SSH connections must use certificates that are 2048-bit in size.
- Elliptic Curve Certificates can be used by any IBM Tivoli Monitoring component,
but using an Elliptic Curve Certificate implies the exclusive acceptance
of only TLSv1.2 for communication, because TLSv1.2 is the only protocol
that supports Elliptic Curve Certificates. Using Elliptic Curve Certificates
at the monitoring server allows only monitoring agents at IBM Tivoli Monitoring Version
6.3 Fix Pack 2 or higher to connect.
- All services and autonomous agents that interface using HTTPS and IP.SPIPE communication ports must use the TLSv1.2 protocol. The Microsoft Internet Explorer 8.0 or higher browser supports TLSv1.2.
- Many application agents are 32-bit agents installed on a 64-bit
operating system. 32-bit application agents must be upgraded using
the tacmd updateFramework command to update their
framework to Version 6.3 or higher. Updating the framework allows
the agent to communicate with an SP800-131a compliant Tivoli Enterprise Monitoring Server.
For more information on the tacmd updateFramework command,
see the IBM Tivoli Monitoring Command Reference.
- You can optionally enable TLSv1.0 in the Tivoli Enterprise Portal Server to
access the online help. If TLSv1.0 is disabled in the IBM HTTP Server,
the Tivoli Enterprise Portal functions
as normal but will not provide online help. All data and management
is performed over TLSv1.2. Online help and other text content is transmitted
over TLSv1.0. You can disable TLSv1.0 if you do not need the online
help and dialog help. If TLSv1.0 is disabled, the error Secure
Connection Failed: ssl_error_no_cypher_overlap might appear
in certain workspaces that display help information. You can continue
to create objects and access workspaces over TLSv1.2.
- When the monitoring server is configured in SP800-131a mode, IBM Tivoli Monitoring Version
6.3 Fix Pack 2 monitoring agents, the portal server, and the tacmd
command line can still communicate with the monitoring server without
being explicitly reconfigured in SP800-131a mode.
- The tacmd tepslogin and other tacmd commands
directed at the portal server must communicate over TLSv1.0 on port
15001. Additionally, tacmd commands directed at the monitoring server
must communicate over TLSv1.2 with SP800 restrictions. Ensure that
you enable TLS/SSL communication for the portal client connections
at the portal server.
- Situations that use the Linux OS agent and UNIX OS agent File
Information attribute group must ensure they are using SHA-1, SHA-256,
SHA-384, or SHA-512 in SP800-131a mode.
Procedure
Complete configuration on the following components in the order listed, if applicable:
Note: Best practice is to reconfigure any components after editing environment variables to ensure that the changes are implemented.
Monitoring server and monitoring agent configuration:
Note: You can use the following instructions to also configure the Warehouse Proxy Agent and the Summarization and Pruning Agent.
- Edit the following environment files:
  In the Manage Tivoli Enterprise Monitoring Services window, right-click the component and click Advanced → Edit Variables. Alternatively, you can edit the KBBENV file and the KXXENV file for each monitoring agent (where XX is your 2 letter product code) directly.
  Edit the ms.ini on the monitoring server, and *.ini for each monitoring agent.
  Change or add the following environment variable:
    KDEBE_FIPS_MODE_ENABLED=SP800-131a
  If using autonomous agents, you must add the KDEBE_FIPS_MODE_ENABLED variable to your custom environment file.
- Restart the monitoring server and each monitoring agent you edited to implement your changes.
z/OS AT-TLS configuration:
In z/OS environments, configuring SP800-131a for IP.SPIPE connections requires configuring the Application Transparent Transport Layer Security (AT-TLS) policy. The TLSv1.2 protocol is available with z/OS 2.1. TLSv1.2 is also available with z/OS 1.13, but you must apply the following APARs to your system:
If a secure protocol (SPIPE or HTTPS) is used between monitoring agents and monitoring servers on z/OS, AT-TLS must be configured and running. To configure AT-TLS, an authorized system programmer must create a policy for AT-TLS. A security administrator (RACF or ACF2) must grant permission to the policy that defines the authentication certificate that is used in the TLS protocol.
If z/OS components communicate with monitoring servers on a distributed operating system, or a distributed component, such as the Tivoli Enterprise Portal Server, communicates with a z/OS hub monitoring server, the AT-TLS policy must match the policy that is created for the distributed component by GSKit.
To configure SP800-131a, complete the following tasks:
- ICSF must be enabled and started on the monitoring server and agent-only runtime environments (RTE). For more information, see Configuring the Tivoli Enterprise Monitoring Server on z/OS.
- Configure your z/OS monitoring server and monitoring agents to use IP.SPIPE communications. For more information, see Configuring the Tivoli Enterprise Monitoring Server on z/OS.
- Configure an AT-TLS policy to restrict to TLSv1.2. See the Communications Server IP Configuration Guide in the Communication Server Information Center for further reference.
The following is an example of an AT-TLS policy for SP800-131a:
TTLSGroupAction group_action0
{
  TTLSEnabled ON
}
TTLSEnvironmentAction environment_action0
{
  TTLSKeyRingParms
  {
    Keyring /etc/itm/at-tls/keyring.db
    keyringPw itm
    keyringStashFile /etc/itm/at-tls/keyring.sth
  }
  HandshakeRole Client
  TTLSEnvironmentAdvancedParms
  {
    SSLv2 Off
    SSLv3 Off
    TLSv1 Off
    TLSv1.1 Off
    TLSv1.2 On
    FIPS140 On
    CertificateLabel IBM_Tivoli_Monitoring_Encryption_Key
  }
  TTLSSignatureParmsRef
  {
    ## TLS_SIGALG_SHA224_WITH_RSA
    SignaturePair 0301
    ## TLS_SIGALG_SHA224_WITH_ECDSA
    SignaturePair 0303
    ## TLS_SIGALG_SHA256_WITH_RSA
    SignaturePair 0401
    ## TLS_SIGALG_SHA256_WITH_ECDSA
    SignaturePair 0403
    ## TLS_SIGALG_SHA384_WITH_RSA
    SignaturePair 0501
    ## TLS_SIGALG_SHA384_WITH_ECDSA
    SignaturePair 0503
    ## TLS_SIGALG_SHA512_WITH_RSA
    SignaturePair 0601
    ## TLS_SIGALG_SHA512_WITH_ECDSA
    SignaturePair 0603
  }
}
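A policy like the one above is easy to get subtly wrong (a protocol left at its default, a SHA-1 signature pair added for an old client). The following Python parser and checker is an added example, not part of the IBM page or of z/OS Communications Server: it reads the brace-delimited policy syntax shown above, then verifies that every TTLSEnvironmentAction turns SSLv2, SSLv3, TLSv1 and TLSv1.1 explicitly Off, turns TLSv1.2 and FIPS140 On, and lists only the SHA-2 signature pairs from the page. The block layout (including the TTLSSignatureParmsRef block holding SignaturePair lines inline) follows the page's sample; the weakened policy is constructed for contrast.

```python
"""Added example (not from the IBM page): parse an AT-TLS policy in the
brace-delimited syntax shown above and verify that the environment action
restricts connections to TLSv1.2 with FIPS140 On and uses only SHA-2
signature pairs. PAGE_POLICY mirrors the page's sample (with fewer
comment lines); WEAK_POLICY is a constructed variant for contrast."""

# Signature pairs listed in the page's policy: hash byte 03/04/05/06 is
# SHA-224/256/384/512, signature byte 01 is RSA and 03 is ECDSA.
SHA2_PAIRS = {"0301", "0303", "0401", "0403", "0501", "0503", "0601", "0603"}


def parse_policy(text):
    """Turn the policy into nested dicts. A line followed by '{' opens a
    block keyed by its header ('TTLSEnvironmentAction environment_action0');
    any other line is 'Keyword value'. Repeated keywords such as
    SignaturePair accumulate into a list. '#' starts a comment."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{") and line != "{":        # 'Header {' on one line
            tokens.extend([line[:-1].strip(), "{"])
        else:
            tokens.append(line)
    root, stack, i = {}, [], 0
    stack.append(root)
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            stack.pop()
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "{":
            block = {}
            stack[-1][tok] = block
            stack.append(block)
            i += 2
        else:
            key, _, value = tok.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip())
            i += 1
    if len(stack) != 1:
        raise ValueError("unbalanced braces in policy")
    return root


def policy_findings(policy):
    """List deviations from the SP800-131a profile; empty means compliant."""
    envs = [v for k, v in policy.items() if k.startswith("TTLSEnvironmentAction")]
    if not envs:
        return ["no TTLSEnvironmentAction block"]
    findings = []
    for env in envs:
        adv = env.get("TTLSEnvironmentAdvancedParms", {})
        for proto in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
            if adv.get(proto, [""])[0].upper() != "OFF":
                findings.append(f"{proto} is not explicitly Off")
        if adv.get("TLSv1.2", [""])[0].upper() != "ON":
            findings.append("TLSv1.2 is not On")
        if adv.get("FIPS140", [""])[0].upper() != "ON":
            findings.append("FIPS140 is not On")
        for pair in env.get("TTLSSignatureParmsRef", {}).get("SignaturePair", []):
            if pair not in SHA2_PAIRS:
                findings.append(f"SignaturePair {pair} is not a SHA-2 pair")
    return findings


PAGE_POLICY = """## policy layout taken from the page's sample
TTLSGroupAction group_action0
{
  TTLSEnabled ON
}
TTLSEnvironmentAction environment_action0
{
  TTLSKeyRingParms
  {
    Keyring /etc/itm/at-tls/keyring.db
    keyringStashFile /etc/itm/at-tls/keyring.sth
  }
  HandshakeRole Client
  TTLSEnvironmentAdvancedParms
  {
    SSLv2 Off
    SSLv3 Off
    TLSv1 Off
    TLSv1.1 Off
    TLSv1.2 On
    FIPS140 On
    CertificateLabel IBM_Tivoli_Monitoring_Encryption_Key
  }
  TTLSSignatureParmsRef
  {
    ## TLS_SIGALG_SHA256_WITH_RSA
    SignaturePair 0401
    SignaturePair 0403
    SignaturePair 0501
    SignaturePair 0503
  }
}
"""
# Constructed: TLSv1 re-enabled and a SHA-1/RSA pair (0201) added.
WEAK_POLICY = PAGE_POLICY.replace("TLSv1 Off", "TLSv1 On").replace(
    "SignaturePair 0403", "SignaturePair 0201")

if __name__ == "__main__":
    print("page policy:", policy_findings(parse_policy(PAGE_POLICY)) or "compliant")
    print("weak policy:", policy_findings(parse_policy(WEAK_POLICY)))
```

The check treats an absent protocol keyword as a finding rather than relying on the AT-TLS default for that release, which is the conservative reading of "restrict to TLSv1.2".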
Portal server configuration:
- Enable TLS/SSL for all Tivoli Enterprise Portal clients. For detailed steps, see "Using SSL between the portal server and the client" in the IBM Tivoli Monitoring Installation and Setup Guide.
- Edit the Tivoli Enterprise Portal Server environment file on the computer where the portal server is installed.
  In the Manage Tivoli Enterprise Monitoring Services window, right-click the component and click Advanced → Edit Variables. Alternatively, you can edit the KFWENV file directly.
  Edit the cq.ini file.
  Change or add the following environment variables:
    KDEBE_FIPS_MODE_ENABLED=SP800-131a
    KFW_FIPS_ENFORCED=YES
- Restart the portal server to implement your changes.
- Enable SP800-131 Transition mode in the TEPS/e administration console.
  - Follow the instructions in Starting the TEPS/e administration console.
  - Click Security → SSL certificate and key management → Manage FIPS.
  - If you have not imported compliant certificates, select Convert Certificates. When converting the certificates, select Algorithm Strict and then select SHA256WithRSA or another algorithm. If you select an ECDSA certificate algorithm, then all browsers and clients (including the Dashboard Application Services Hub servers) connecting to the WebSphere server must support TLSv1.2 and Elliptic Curve certificates.
    You must accept the new certificate using the WebSphere command line utilities. Run one of the following commands, and then, when prompted, accept the certificate:
      updateTEPSEPass.bat wasadmin <password>
      updateTEPSEPass.sh wasadmin <password>
  - Select Enable SP800-131, Transition, and Update SSL configurations to require TLSv1.2.
    Note: Once you apply and then save your changes to the master file for WebSphere, you might need to reconnect to the WebSphere console if you are logged out, since the new certificate and algorithms take effect immediately.
- Update the ssl.client.props file to allow administration of WebSphere.
    install_dir\CNPSJ\profiles\ITMProfile\properties\ssl.client.props
    install_dir/arch/iw/profiles/ITMProfile/properties/ssl.client.props
  Once the server is configured for SP800-131 transition mode, the ssl.client.props file must be modified so that the administrative client can communicate with the WebSphere server running in SP800-131 mode. Without the change, the administrative client is not able to make a TLSv1.2 connection to the server.
  Edit the ssl.client.props file by completing the following steps:
  - Modify com.ibm.security.useFIPS to be set to true.
  - Add com.ibm.websphere.security.FIPSLevel=SP800-131 directly beneath the useFIPS property.
  - Change the com.ibm.ssl.protocol property to TLSv1.2.
    Note: The com.ibm.ssl.protocol property is further down in the file than the first two properties.
  For further instruction, see "Transitioning WebSphere Application Server to the SP800-131 security standard" in the WebSphere Application Server V8.5 Information Center.
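Because the three edits above are positional (FIPSLevel must sit directly beneath useFIPS, and the protocol property is elsewhere in the file), it is worth scripting them so that every portal server profile ends up the same. The following Python function is an added example, not from the IBM page or from WebSphere: it applies the three edits to the file contents, leaves every other line untouched, is safe to re-run, and comes with a reader that verifies the result. The property names are the ones the page gives; the sample file contents are a constructed excerpt, not a copy of a real profile.

```python
"""Added example (not from the IBM page or WebSphere): apply the three
ssl.client.props edits listed above to the file's contents and verify the
result. The property names are the ones the page gives; SAMPLE_PROPS is a
constructed excerpt, not a copy of a real profile."""

USE_FIPS = "com.ibm.security.useFIPS"
FIPS_LEVEL = "com.ibm.websphere.security.FIPSLevel"
PROTOCOL = "com.ibm.ssl.protocol"


def transition_ssl_client_props(text):
    """Return the edited contents. useFIPS is set to true, FIPSLevel is
    placed directly beneath it, and com.ibm.ssl.protocol becomes TLSv1.2;
    comments, blank lines and every other property are left untouched.
    Running the function twice gives the same result."""
    out, seen_use_fips, seen_protocol = [], False, False
    for line in text.splitlines():
        key = line.partition("=")[0].strip()
        if line.lstrip().startswith("#") or key == "":
            out.append(line)
        elif key == FIPS_LEVEL:
            continue                       # re-emitted beneath useFIPS
        elif key == USE_FIPS:
            out.append(f"{USE_FIPS}=true")
            out.append(f"{FIPS_LEVEL}=SP800-131")
            seen_use_fips = True
        elif key == PROTOCOL:
            out.append(f"{PROTOCOL}=TLSv1.2")
            seen_protocol = True
        else:
            out.append(line)
    if not seen_use_fips:                  # property absent: append both
        out += [f"{USE_FIPS}=true", f"{FIPS_LEVEL}=SP800-131"]
    if not seen_protocol:
        out.append(f"{PROTOCOL}=TLSv1.2")
    return "\n".join(out) + "\n"


def read_props(text):
    """Minimal Java-properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and "=" in s:
            k, _, v = s.partition("=")
            props[k.strip()] = v.strip()
    return props


def fips_level_beneath_use_fips(text):
    """True when the FIPSLevel line directly follows the useFIPS line."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.startswith(USE_FIPS + "="):
            return lines[i + 1].startswith(FIPS_LEVEL + "=")
    return False


SAMPLE_PROPS = """# constructed ssl.client.props excerpt
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.security.useFIPS=false
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
# ... further properties ...
com.ibm.ssl.protocol=SSL_TLS
"""

if __name__ == "__main__":
    edited = transition_ssl_client_props(SAMPLE_PROPS)
    print(edited)
    print("FIPSLevel beneath useFIPS:", fips_level_beneath_use_fips(edited))
```

Read the profile's ssl.client.props, pass its contents through `transition_ssl_client_props`, and write the result back; `read_props` and `fips_level_beneath_use_fips` give you a check to run before restarting the portal server.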
- Synchronize certificates between the IBM HTTP Server and the portal
server. Import the new WebSphere certificates into the IBM Tivoli Monitoring key repository.
For detailed steps, see Importing the TEPS/e certificates into the portal server keyfile database.
- Update the IBM HTTP Server acceptable protocols. On the computer where the portal server is installed, edit the httpd.conf file to update the virtualhost for port 15201 to include the following directives.
  Note: In the following examples, the SSLAttributeSet information is entered on one line.
  install_dir\IHS\CONF
    <VirtualHost *:15201>
    DocumentRoot "<ITM_HOME>/CNB"
    SSLEnable
    SSLProtocolDisable SSLv2
    SSLProtocolDisable SSLv3
    SSLProtocolEnable TLSv10
    SSLProtocolDisable TLSv11
    SSLProtocolEnable TLSv12
    SSLFIPSEnable
    SSLAttributeSet 245 "GSK_TLS_SIGALG_RSA_WITH_SHA224,GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_RSA_WITH_SHA384,GSK_TLS_SIGALG_RSA_WITH_SHA512,GSK_TLS_SIGALG_ECDSA_WITH_SHA224,GSK_TLS_SIGALG_ECDSA_WITH_SHA256,GSK_TLS_SIGALG_ECDSA_WITH_SHA384,GSK_TLS_SIGALG_ECDSA_WITH_SHA512" BUFF
    SSLServerCert IBM_Tivoli_Monitoring_Certificate
    ErrorLog "<ITM_HOME>/IHS/logs/sslerror.log"
    TransferLog "<ITM_HOME>/IHS/logs/sslaccess.log"
    KeyFile "<ITM_HOME>/keyfiles/keyfile.kdb"
    SSLStashfile "<ITM_HOME>/keyfiles/keyfile.sth"
    </VirtualHost>
  install_dir/arch/iu/ihs/HTTPServer/conf
    <VirtualHost *:15201>
    DocumentRoot "<ITM_HOME>/<arch>/cw/"
    SSLEnable
    SSLProtocolDisable SSLv2
    SSLProtocolDisable SSLv3
    SSLProtocolEnable TLSv10
    SSLProtocolDisable TLSv11
    SSLProtocolEnable TLSv12
    SSLFIPSEnable
    SSLAttributeSet 245 "GSK_TLS_SIGALG_RSA_WITH_SHA224,GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_RSA_WITH_SHA384,GSK_TLS_SIGALG_RSA_WITH_SHA512,GSK_TLS_SIGALG_ECDSA_WITH_SHA224,GSK_TLS_SIGALG_ECDSA_WITH_SHA256,GSK_TLS_SIGALG_ECDSA_WITH_SHA384,GSK_TLS_SIGALG_ECDSA_WITH_SHA512" BUFF
    SSLServerCert IBM_Tivoli_Monitoring_Certificate
    ErrorLog "<ITM_HOME>/<arch>/iu/ihs/HTTPServer/logs/sslerror.log"
    TransferLog "<ITM_HOME>/<arch>/iu/ihs/HTTPServer/logs/sslaccess.log"
    KeyFile "<ITM_HOME>/keyfiles/keyfile.kdb"
    SSLStashfile "<ITM_HOME>/keyfiles/keyfile.sth"
    </VirtualHost>
- Update the HTTP plugin.
    install_dir\IHSPlugins\config\ITMWebServer\plugin-cfg.xml
    install_dir/arch/iu/ihs/Plugins/config/ITMWebServer/plugin-cfg.xml
  Add or change the following properties as attributes on the Config XML tag:
  - FIPSEnable set to "true"
  - StrictSecurity set to "true"
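The plugin-cfg.xml edit is two attributes on the root Config element, which is simple to script and to verify. The following Python functions are an added example, not from the IBM page or from the WebSphere plug-in: one sets FIPSEnable and StrictSecurity on Config and returns the document, the other lists which of the two attributes is missing or not "true". SAMPLE_PLUGIN_CFG is a constructed minimal file; a real file carries many more elements, which ElementTree keeps when it rewrites the document.

```python
"""Added example (not from the IBM page or the WebSphere plug-in): set the
FIPSEnable and StrictSecurity attributes on the Config element of a
plugin-cfg.xml and verify them. SAMPLE_PLUGIN_CFG is a constructed
minimal file."""
import xml.etree.ElementTree as ET

REQUIRED_CONFIG_ATTRS = {"FIPSEnable": "true", "StrictSecurity": "true"}


def enable_fips_in_plugin_cfg(xml_text):
    """Return the document with both attributes set on <Config>; other
    attributes and child elements are kept as they are."""
    root = ET.fromstring(xml_text)
    if root.tag != "Config":
        raise ValueError(f"expected <Config> root element, found <{root.tag}>")
    for name, value in REQUIRED_CONFIG_ATTRS.items():
        root.set(name, value)
    return ET.tostring(root, encoding="unicode")


def plugin_cfg_findings(xml_text):
    """List Config attributes that are missing or not 'true'."""
    root = ET.fromstring(xml_text)
    return [f"Config attribute {name} is {root.get(name)!r}, expected {value!r}"
            for name, value in REQUIRED_CONFIG_ATTRS.items()
            if root.get(name) != value]


def config_attrs(xml_text):
    """All attributes of the root element, for inspection."""
    return dict(ET.fromstring(xml_text).attrib)


SAMPLE_PLUGIN_CFG = """<Config ASDisableNagle="false" IgnoreDNSFailures="false" RefreshInterval="60">
  <Log LogLevel="Error" Name="plugins_root/logs/ITMWebServer/http_plugin.log"/>
</Config>
"""

if __name__ == "__main__":
    print("before:", plugin_cfg_findings(SAMPLE_PLUGIN_CFG))
    updated = enable_fips_in_plugin_cfg(SAMPLE_PLUGIN_CFG)
    print("after:", plugin_cfg_findings(updated) or "compliant")
    print(updated)
```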
- Restart the portal server to implement your changes.
Portal client configuration:
- For desktop clients, browser clients, and WebStart clients, configure the clients to communicate using the HTTPS protocol. Follow the instructions in "Configuring HTTP communication between the portal client and server" in the IBM Tivoli Monitoring Installation and Setup Guide.
- For desktop clients, browser clients, and WebStart clients, edit the associated configuration file using the same method as described in "Configuring HTTP communication between the portal client and server" in the IBM Tivoli Monitoring Installation and Setup Guide.
  - For desktop clients, your edits modify the cnp.bat file.
  - For browser clients, your edits modify the applet.html file.
  - For WebStart clients, your edits modify the tep.jnlpt file.
  Add the following variables to each of the configuration files:
    com.ibm.TEPS.FIPSMODE set to true
    tep.sslcontext.protocol set to TLSv1.2
    https.protocols set to TLSv1.2
    com.ibm.ssl.protocol set to TLSv1.2
- For browser client users, you must enable TLSv1.2 in the Java Control Panel. Open the Java Control Panel for the Java that is being used in the browser client, click Advanced → Advanced Security Settings, and set Use TLS 1.2.
- For desktop client users, edit the install_dir/CNP/cnp.bat file directly or through Manage Tivoli Enterprise Monitoring Services > Desktop Client > Advanced > Edit ENV. Modify the _CMD line to include the following definitions:
    https.protocols set to TLSv1.2
    com.ibm.ssl.protocol set to TLSv1.2
- Restart each portal client to implement your changes.
tacmd command-line interface configuration:
- Edit the <ITM_dir>\BIN\KUIENV file. Change or add the following environment variables:
    TEPS_FIPS_MODE=YES
    KDEBE_FIPS_MODE_ENABLED=SP800-131a
- Edit the <ITM_dir>/bin/tacmd shell script. Change or add the following environment variables:
    export TEPS_FIPS_MODE=YES
    export KDEBE_FIPS_MODE_ENABLED=SP800-131a
tivcmd command-line interface configuration:
- Edit the <tivcmd_install_dir>\BIN\KDQENV file. Change or add the following environment variable:
    KDEBE_FIPS_MODE_ENABLED=SP800-131a
- Edit the <tivcmd_install_dir>/bin/tivcmd shell script. Change or add the following environment variable:
    export KDEBE_FIPS_MODE_ENABLED=SP800-131a
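The same KDEBE_FIPS_MODE_ENABLED edit recurs throughout the Procedure: in the monitoring server and agent files (KBBENV, KXXENV, ms.ini, *.ini), in the portal server's KFWENV/cq.ini, in KUIENV and KDQENV, and in the tacmd and tivcmd shell scripts, which use the `export KEY=VALUE` form. The following Python helper is an added example, not from the IBM page or from the product, covering all of those passages: it sets a variable in either file form (keeping an existing `export` prefix, dropping duplicate definitions so nothing later in the file overrides the value, and appending the line when the key is absent), and it audits a set of files for SP800-131a mode. The file contents in it are constructed excerpts.

```python
"""Added example (not from the IBM page): set and audit the
KDEBE_FIPS_MODE_ENABLED variable in the ITM environment files the Procedure
edits (KBBENV, KXXENV, ms.ini, *.ini, cq.ini, KUIENV, KDQENV) and in the
tacmd and tivcmd shell scripts, which use 'export KEY=VALUE'. The file
contents below are constructed excerpts."""
import re

SP800_VALUE = "SP800-131a"
FIPS_VAR = "KDEBE_FIPS_MODE_ENABLED"
# 'KEY=VALUE' or 'export KEY=VALUE'; comment lines starting with '#' never match
ENV_LINE = re.compile(r"^(?P<prefix>\s*(?:export\s+)?)(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<value>.*)$")


def set_env_var(text, key, value):
    """Replace the first definition of key in place, keeping any 'export'
    prefix; drop later duplicates so nothing overrides the setting; append
    the definition when the key is absent (with 'export' if the file
    already exports variables, i.e. it is one of the shell scripts)."""
    out, done = [], False
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m and m.group("key") == key:
            if not done:
                out.append(f"{m.group('prefix')}{key}={value}")
                done = True
            continue
        out.append(line)
    if not done:
        uses_export = any(l.lstrip().startswith("export ") for l in out)
        out.append(f"{'export ' if uses_export else ''}{key}={value}")
    return "\n".join(out) + "\n"


def env_value(text, key):
    """Effective value of key in the file: the last definition wins."""
    value = None
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m and m.group("key") == key:
            value = m.group("value").strip()
    return value


def audit_sp800_131a(files):
    """files maps a file name to its contents; returns the names that are
    not in SP800-131a mode, so an empty list means every file is."""
    return [name for name, text in files.items() if env_value(text, FIPS_VAR) != SP800_VALUE]


SAMPLE_MS_INI = """# constructed ms.ini excerpt
KDC_FAMILIES=ip.spipe port:3660 ip.pipe use:n
KDEBE_FIPS_MODE_ENABLED=YES
"""
SAMPLE_TACMD = """#!/bin/sh
# constructed tacmd script excerpt
export CANDLEHOME=/opt/IBM/ITM
export TEPS_FIPS_MODE=YES
"""

if __name__ == "__main__":
    files = {"ms.ini": SAMPLE_MS_INI, "tacmd": SAMPLE_TACMD}
    print("not in SP800-131a mode before:", audit_sp800_131a(files))
    fixed = {n: set_env_var(t, FIPS_VAR, SP800_VALUE) for n, t in files.items()}
    print("not in SP800-131a mode after:", audit_sp800_131a(fixed))
    print(fixed["tacmd"])
```

Run the audit across every component's environment file before the restart step; the page's note that components should be reconfigured after environment edits still applies, since this only changes the files, not the running processes.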
Results
You are now running
an SP800-131a compliant configuration.
What to do next
Application agents might initiate their own communications for data collection. Those remote servers must be configured to be SP800-131a compliant to ensure that the agent's communication is SP800-131a compliant.
When in SP800-131a mode, Tivoli Management Services components and Tivoli Enterprise Monitoring Agents use one or more of these SP800-131a approved cryptographic providers for cryptography: IBMJCEFIPS (certificate 497), IBMJSSEFIPS (certificate 409), and IBM Crypto for C (ICC certificate 775). The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
All IP.SPIPE connections and TLS/SSL-enabled LDAP connections utilize TLSv1.2. TLS/SSL must be enabled between the Tivoli Enterprise Portal client and the Tivoli Enterprise Portal Server, as described in the "Using SSL between the portal server and the client" topic in the IBM Tivoli Monitoring Installation and Setup Guide. Failure to enable TLS/SSL might expose credentials.
Enable IP.SPIPE between all IBM Tivoli Monitoring components to preserve integrity and confidentiality of data using SP800-131a compliant cryptography. Certificates used in IP.SPIPE communication require NIST and FIPS prescribed cryptographic strength. For detailed information on how to replace cryptographic certificates, see the various topics in Securing communications. If your environment uses the provided GSKit utilities, the -fips flag must be included in all operations. Refer to your local security administrator or to the NIST website for more details on SP800-131a compliance. Information on how to generate certificates using GSKit is also provided on IBM Service Management Connect.