This section contains the following topics:
FIPS 140-2 Compliance Overview
About Certificates and Key Files
Configure Microsoft Internet Explorer to Access CA User Activity Reporting Module in FIPS Mode
Configure Mozilla Firefox to Access CA User Activity Reporting Module in FIPS Mode
ISO Image for New Installations
The Federal Information Processing Standards (FIPS) 140-2 publication is a security standard for the cryptographic libraries and algorithms a product should use for encryption. FIPS 140-2 encryption affects the communication of all sensitive data between components of CA Technologies products and between CA Technologies products and third-party products. FIPS 140-2 specifies the requirements for using cryptographic algorithms within a security system protecting sensitive, unclassified data.
CA User Activity Reporting Module offers FIPS compatibility with event traffic secured using FIPS-compliant algorithms when operating in FIPS mode. CA User Activity Reporting Module also offers a default, non-FIPS mode in which event traffic is not secured with FIPS-compliant algorithms. CA User Activity Reporting Module servers in a federated network cannot mix the two operating modes. This means that a server running in non-FIPS mode cannot share query and report data with a server that is running in FIPS mode.
CA User Activity Reporting Module can operate in two modes, FIPS mode or non-FIPS mode. The cryptographic boundaries are the same in both modes, but the algorithms are different. By default, CA User Activity Reporting Module servers operate in non-FIPS mode. Users with the Administrator role can enable FIPS mode operation.
Non-FIPS mode: This mode uses a mix of encryption algorithms for event transport and other communications between the CA User Activity Reporting Module and CA EEM server that do not necessarily meet FIPS 140-2 standards.
FIPS mode: This mode uses FIPS-certified encryption algorithms for event transport and other communications between the CA User Activity Reporting Module and CA EEM server.
Administrator-level users can review agent operating modes from the Agent Explorer node on the Administration tab, Log Collection subtab.
The Federal Information Processing Standards (FIPS) 140-2 publication specifies the requirements for using cryptographic algorithms within a security system protecting sensitive, unclassified data.
CA User Activity Reporting Module also embeds the Crypto-C Micro Edition (ME) v2.1.0.2 cryptographic library from RSA, which has been validated as meeting the FIPS 140-2 Security Requirements for Cryptographic Modules. The validation certificate number for this module is 865.
Computer products that use FIPS 140-2 certified cryptographic modules in FIPS mode can use only FIPS-approved security functions. These include AES (Advanced Encryption Standard), SHA-1 (Secure Hash Algorithm), and higher-level protocols such as TLS v1.0, as explicitly allowed in the FIPS 140-2 standard and implementation guides.
In non-FIPS mode, CA User Activity Reporting Module uses the following algorithms:
In FIPS mode, CA User Activity Reporting Module uses the following algorithms:
CA User Activity Reporting Module uses SHA-1 as the default digest algorithm to hash passwords and sign server requests.
CA User Activity Reporting Module uses TLS v1.0 for communications with external LDAP directories if the LDAP connection uses TLS, communications between iTechnology components, the agent to iGateway service communication in FIPS mode, and the event channel between an agent and the logDepot service.
For FIPS 140-2 support, the upgrade to CA User Activity Reporting Module r12.1 SP1 converts existing P12 format certificates to PEM format certificates. This conversion results in the generation of the following files:
Key files are not encrypted, and it is up to the user to secure them from unauthorized access on both server and agent hosts. The CA User Activity Reporting Module soft-appliance uses various operating system hardening techniques to protect keys and certificates stored in the file system. CA User Activity Reporting Module does not support the use of external key storage devices.
CA User Activity Reporting Module uses the following certificates and key files:
| Certificate/Key File Name | Location | Description |
|---|---|---|
| CAELMCert | /opt/CA/SharedComponents/iTechnology (you can refer to this directory using the shorter variable name, $IGW_LOC) | All CA User Activity Reporting Module services use this certificate for communications between CA User Activity Reporting Module servers, and between CA User Activity Reporting Module servers and the CA EEM server. An entry for this certificate, and its corresponding key file, exists in the main configuration file, CALM.cnf. The tag pairs begin <Certificate> and <KeyFile> respectively. |
| CAELM_AgentCert | $IGW_LOC on the agent host server | Agents use this certificate to communicate with any CA User Activity Reporting Module server. The CA User Activity Reporting Module Management server provides this certificate to the agent. The certificate is valid for any CA User Activity Reporting Module server within a given application instance. |
| itpamcert | IT PAM server | This certificate is used for communications with IT PAM. See the CA IT PAM documentation for additional information. |
| rootcert | $IGW_LOC | This certificate is a self-signed root certificate that iGateway signs during installation. |
| iPozDsa | $IGW_LOC | The CA EEM server, both local and remote, uses this certificate. See the CA EEM documentation for additional information. |
| iPozRouterDsa | $IGW_LOC | The CA EEM server, both local and remote, uses this certificate. See the CA EEM documentation for additional information. |
| iTechPoz-trusted | /opt/CA/Directory/dxserver/ | CA Directory uses this certificate. |
| iTechPoz-<hostname>- | /opt/CA/Directory/dxserver/ | CA Directory uses this certificate. |
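Because the key files are stored unencrypted and protecting them is left to the administrator, a small audit of the <Certificate>/<KeyFile> entries in CALM.cnf is useful after the P12-to-PEM conversion. The script below is an added example, not CA product code; it assumes the tag pairs hold a file name or path (bare names resolved under $IGW_LOC), that post-SP1 files are PEM encoded, and it builds its own constructed sample directory for the demonstration.

```python
import os, re, stat, tempfile

# Assumed layout of the tag pairs in CALM.cnf (not taken from product docs).
TAG_RE = re.compile(r"<(Certificate|KeyFile)>\s*([^<]+?)\s*</\1>")
PEM_HEADER = b"-----BEGIN "
IGW_LOC_DEFAULT = "/opt/CA/SharedComponents/iTechnology"  # $IGW_LOC on the page

def parse_calm_cnf(text):
    """Map tag name -> value for the <Certificate> and <KeyFile> pairs."""
    return dict(TAG_RE.findall(text))

def resolve(name, igw_loc):
    """Bare file names are taken to live in $IGW_LOC (assumption)."""
    return name if os.path.isabs(name) else os.path.join(igw_loc, name)

def audit_file(path, is_key):
    """Findings for one file; an empty list means it passed."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    findings = []
    with open(path, "rb") as fh:
        if fh.read(len(PEM_HEADER)) != PEM_HEADER:
            findings.append(f"{path}: not PEM (P12 left from a pre-SP1 install?)")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Key files are stored unencrypted, so only the owner may read them.
    if is_key and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is group/world accessible")
    return findings

def audit(cnf_path, igw_loc=IGW_LOC_DEFAULT):
    """Audit the certificate and key file that CALM.cnf references."""
    with open(cnf_path, encoding="utf-8") as fh:
        entries = parse_calm_cnf(fh.read())
    findings = [f"{cnf_path}: no <{t}> entry"
                for t in ("Certificate", "KeyFile") if t not in entries]
    if "Certificate" in entries:
        findings += audit_file(resolve(entries["Certificate"], igw_loc), is_key=False)
    if "KeyFile" in entries:
        findings += audit_file(resolve(entries["KeyFile"], igw_loc), is_key=True)
    return findings

def demo(key_mode=0o644):
    """Build a constructed $IGW_LOC with a sample CALM.cnf and run the audit."""
    igw = tempfile.mkdtemp()
    with open(os.path.join(igw, "CALM.cnf"), "w") as fh:  # constructed sample
        fh.write("<Config><Certificate>CAELMCert.cer</Certificate>"
                 "<KeyFile>CAELMCert.key</KeyFile></Config>")
    for name in ("CAELMCert.cer", "CAELMCert.key"):
        with open(os.path.join(igw, name), "wb") as fh:
            fh.write(b"-----BEGIN PLACEHOLDER-----\n...\n")  # constructed, not real PEM data
    os.chmod(os.path.join(igw, "CAELMCert.key"), key_mode)
    return audit(os.path.join(igw, "CALM.cnf"), igw)

if __name__ == "__main__":
    print(demo() or "no findings")
```

Run it against the real $IGW_LOC by calling audit("/opt/CA/SharedComponents/iTechnology/CALM.cnf") on the server, adjusting the regex if the tag layout differs.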
The following CA User Activity Reporting Module features and product interoperations do not support FIPS mode operations:
ODBC and JDBC in CA User Activity Reporting Module rely on an underlying SDK that does not support FIPS mode operations. Administrators of federated networks that require FIPS operations must manually disable the ODBC service on each CA User Activity Reporting Module server.
CA User Activity Reporting Module r12.1 SP1 uses CA EEM r8.4 SP3, which is FIPS compatible. Enabling FIPS mode on the CA User Activity Reporting Module server disables the communication between the shared CA EEM and any product that does not support CA EEM r8.4 SP3.
For example, CA IT PAM is not FIPS compatible. If you upgrade your CA User Activity Reporting Module server to FIPS mode, the integration with CA IT PAM fails.
You can share a CA EEM server between CA User Activity Reporting Module r12.1 SP1 and CA IT PAM r2.1 SP2 and r2.1 SP3 in non-FIPS mode only.
If your CA IT PAM installation is not sharing the same CA EEM server, CA User Activity Reporting Module r12.1 SP1 can run in FIPS mode and it can communicate with CA IT PAM; however, those communication channels are not FIPS compatible.
Successful communication with an external user store depends on the following:
Note: FIPS-compatibility is not available when using unencrypted communications between the CA EEM server and the external user store, or when the CA EEM server and user store are in different FIPS modes.
You can send SNMP events using either SNMP V2 or SNMP V3. Both are supported in non-FIPS mode.
If the SNMP Trap Destination server is FIPS enabled, you must choose V3 Security and then choose SHA as the authentication protocol and AES as the encryption protocol. You make these choices on the Destination page of the Schedule Action Alerts wizard.
Your browser may require some additional configuration before it can display the CA User Activity Reporting Module server user interface when running in FIPS mode. Use the following procedure to set the required options to access CA User Activity Reporting Module in Microsoft Internet Explorer 7 or 8.
To configure Microsoft Internet Explorer 7 or 8
Your browser may require some additional configuration before it can display the CA User Activity Reporting Module server user interface when running in FIPS mode. Use the following procedure to set the required options in Mozilla Firefox 3.5.8 or later browser to access a CA User Activity Reporting Module server running in FIPS mode.
Note: Access to CA User Activity Reporting Module requires installation of the Mozilla Firefox plug-in for Adobe Flash 9 or 10.
To configure Mozilla Firefox
The Device Manager window appears.
This action populates the right pane.
To help you quickly deploy CA User Activity Reporting Module or to add a new CA User Activity Reporting Module server to an existing deployment, we are providing an ISO image for the service pack. The ISO image is available from the Downloads area on Support Online.
We recommend that you use the most recent ISO image in the following cases:
Note: The installation procedure has changed. A new prompt asks whether you want to install with FIPS mode enabled. When adding a new CA User Activity Reporting Module server to an existing FIPS deployment (the CA User Activity Reporting Module management server or remote CA EEM server are in FIPS mode), enable FIPS mode during the installation. Otherwise the new server cannot register and you must reinstall.
Copyright © 2014 CA Technologies. All rights reserved.