IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Enabling SP800-131a for IBM Tivoli Monitoring

The National Institute of Standards and Technology (NIST) Special Publications (SP) 800-131a standard strengthens algorithms and increases the key lengths to improve security. To enable SP800-131a, you must configure IBM® Tivoli® Monitoring components individually.

Before you begin

About this task

SP800-131a mode for IBM Tivoli Monitoring has the following properties:
Note: In IBM Tivoli Monitoring Version 6.3 Fix Pack 2, the generated self-signed certificates comply with the standards mentioned in this section by default.
  • All communication is over TLSv1.2 protocol.
  • All certificates for communication are either RSA certificates with 2048-bit keys, signed with at least SHA-256 digital signatures, or Elliptic Curve Cryptography certificates. Use all RSA certificates or all Elliptic Curve certificates.
  • Any SNMP connections must conform to either SNMP V1, V2 or V3 using authentication with SHA-1 only.
    Note: SNMP V3 data privacy is not SP800-131 compliant.
  • SSH connections must use certificates that are 2048-bit in size.
  • Elliptic Curve Certificates can be used by any IBM Tivoli Monitoring component, but using an Elliptic Curve Certificate implies the exclusive acceptance of only TLSv1.2 for communication, because TLSv1.2 is the only protocol that supports Elliptic Curve Certificates. Using Elliptic Curve Certificates at the monitoring server allows only monitoring agents at IBM Tivoli Monitoring Version 6.3 Fix Pack 2 or higher to connect.
  • All services and autonomous agents that interface using HTTPS and IP.SPIPE communication ports must use the TLSv1.2 protocol. The Microsoft Internet Explorer 8.0 or higher browser supports TLSv1.2.
  • Many application agents are 32-bit agents installed on a 64-bit operating system. 32-bit application agents must be upgraded using the tacmd updateFramework command to update their framework to Version 6.3 or higher. Updating the framework allows the agent to communicate with an SP800-131a compliant Tivoli Enterprise Monitoring Server. For more information on the tacmd updateFramework command, see the IBM Tivoli Monitoring Command Reference.
  • You can optionally enable TLSv1.0 in the Tivoli Enterprise Portal Server to access the online help. If TLSv1.0 is disabled in the IBM HTTP Server, the Tivoli Enterprise Portal functions as normal but will not provide online help. All data and management is performed over TLSv1.2. Online help and other text content is transmitted over TLSv1.0. You can disable TLSv1.0 if you do not need the online help and dialog help. If TLSv1.0 is disabled, the error Secure Connection Failed: ssl_error_no_cypher_overlap might appear in certain workspaces that display help information. You can continue to create objects and access workspaces over TLSv1.2.
  • When the monitoring server is configured in SP800-131a mode, IBM Tivoli Monitoring Version 6.3 Fix Pack 2 monitoring agents, the portal server, and the tacmd command line can still communicate with the monitoring server without being explicitly reconfigured in SP800-131a mode.
  • The tacmd tepslogin and other tacmd commands directed at the portal server must communicate over TLSv1.0 on port 15001. Additionally, tacmd commands directed at the monitoring server must communicate over TLSv1.2 with SP800 restrictions. Ensure that you enable TLS/SSL communication for the portal client connections at the portal server.
  • Situations that use the Linux OS agent and UNIX OS agent File Information attribute group must ensure they are using SHA-1, SHA-256, SHA-384, or SHA-512 in SP800-131a mode.

Procedure

Complete configuration on the following components in the order listed if applicable:
Note: Best practice is to reconfigure any components after editing environment variables to ensure any changes are implemented.

Monitoring server and monitoring agent configuration:
Note: You can use the following instructions to also configure the Warehouse Proxy Agent and the Summarization and Pruning Agent.
  1. Edit the following environment files:

    Windows: In the Manage Tivoli Enterprise Monitoring Services window, right-click the component and click Advanced > Edit Variables. Alternatively, you can edit the KBBENV file and the KXXENV file for each monitoring agent (where XX is your two-letter product code) directly.

    Linux/UNIX: Edit the ms.ini file on the monitoring server, and the *.ini file for each monitoring agent.

    Change or add the following environment variable:

    KDEBE_FIPS_MODE_ENABLED=SP800-131a

    If using autonomous agents, you must add the KDEBE_FIPS_MODE_ENABLED variable to your custom environment file.

  2. Restart the monitoring server and each monitoring agent you edited to implement your changes.

z/OS AT-TLS configuration:

In z/OS environments, configuring SP800-131a for IP.SPIPE connections requires configuring the Application Transparent Transport Layer Security (AT-TLS) policy. TLSv1.2 protocol is available with z/OS 2.1. TLSv1.2 is also available with z/OS 1.13, but you must apply the following APARs to your system:

If a secure protocol (SPIPE or HTTPS) is used between monitoring agents and monitoring servers on z/OS, AT-TLS must be configured and running. To configure AT-TLS, an authorized system programmer must create a policy for AT-TLS. A security administrator (RACF or ACF2) must grant permission to the policy that defines the authentication certificate that is used in the TLS protocol.

If z/OS components communicate with monitoring servers on a distributed operating system, or a distributed component, such as the Tivoli Enterprise Portal Server, communicates with a z/OS hub monitoring server, the AT-TLS policy must match the policy that is created for the distributed component by GSKIT.

To configure SP800-131a, complete the following tasks:
  1. ICSF must be enabled and started on the monitoring server and agent-only runtime environments (RTE). For more information, see Configuring the Tivoli Enterprise Monitoring Server on z/OS.
  2. Configure your z/OS monitoring server and monitoring agents to use IP.SPIPE communications. For more information, see Configuring the Tivoli Enterprise Monitoring Server on z/OS.
  3. Configure an AT-TLS policy to restrict to TLSv1.2.

    See the Communications Server IP Configuration Guide in the Communication Server Information Center for further reference.

    The following is an example of an AT-TLS policy for SP800-131a:

    TTLSGroupAction             group_action0
    {
      TTLSEnabled               ON
    }
    TTLSEnvironmentAction       environment_action0
    {
      TTLSKeyRingParms
      {
        Keyring                 /etc/itm/at-tls/keyring.db
        keyringPw               itm
        keyringStashFile        /etc/itm/at-tls/keyring.sth
      }
      HandshakeRole             Client
      TTLSEnvironmentAdvancedParms
      {
        SSLv2 Off
        SSLv3 Off
        TLSv1 Off
        TLSv1.1 Off
        TLSv1.2 On
        FIPS140 On
        CertificateLabel IBM_Tivoli_Monitoring_Encryption_Key
      }
      TTLSSignatureParmsRef
      {
        ## TLS_SIGALG_SHA224_WITH_RSA
        SignaturePair 0301
        ## TLS_SIGALG_SHA224_WITH_ECDSA
        SignaturePair 0303
        ## TLS_SIGALG_SHA256_WITH_RSA
        SignaturePair 0401
        ## TLS_SIGALG_SHA256_WITH_ECDSA
        SignaturePair 0403
        ## TLS_SIGALG_SHA384_WITH_RSA
        SignaturePair 0501
        ## TLS_SIGALG_SHA384_WITH_ECDSA
        SignaturePair 0503
        ## TLS_SIGALG_SHA512_WITH_RSA
        SignaturePair 0601
        ## TLS_SIGALG_SHA512_WITH_ECDSA
        SignaturePair 0603
      }
    }
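
The SignaturePair values in the policy above are TLS 1.2 hash and signature code points. The following Python check is an added example, not IBM code: it decodes them and reports protocol or signature settings that differ from the policy shown. The function name, the sample strings and the rule that an unset protocol switch is reported are assumptions of this example.

```python
import re

# TLS 1.2 signature_algorithms code points (RFC 5246): hash byte, then signature byte.
HASHES = {"01": "MD5", "02": "SHA1", "03": "SHA224", "04": "SHA256",
          "05": "SHA384", "06": "SHA512"}
SIGS = {"01": "RSA", "02": "DSA", "03": "ECDSA"}
LISTED_HASHES = {"SHA224", "SHA256", "SHA384", "SHA512"}  # hashes in the policy above
LISTED_SIGS = {"RSA", "ECDSA"}                            # signatures in the policy above
LEGACY = ("sslv2", "sslv3", "tlsv1", "tlsv1.1")

def audit_attls(policy_text):
    """Return (decoded_pairs, findings) for the text of one AT-TLS policy."""
    switches, pairs, findings = {}, [], []
    for raw in policy_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop '#' comments
        if len(tokens) != 2:
            continue                               # braces and blank lines
        key, value = tokens[0].lower(), tokens[1]
        if key in LEGACY or key in ("tlsv1.2", "fips140"):
            switches[key] = value.lower() == "on"
        elif key == "signaturepair":
            if not re.fullmatch(r"[0-9A-Fa-f]{4}", value):
                findings.append(f"malformed SignaturePair {value}")
                continue
            hash_name = HASHES.get(value[:2], "unknown")
            sig_name = SIGS.get(value[2:], "unknown")
            pairs.append((hash_name, sig_name))
            if hash_name not in LISTED_HASHES or sig_name not in LISTED_SIGS:
                findings.append(f"SignaturePair {value} = {hash_name}/{sig_name} "
                                "is not one of the pairs in the page's policy")
    for proto in LEGACY:
        if switches.get(proto, True):              # an unset switch is reported too
            findings.append(f"{proto} is not explicitly Off")
    for needed in ("tlsv1.2", "fips140"):
        if not switches.get(needed, False):
            findings.append(f"{needed} is not On")
    if not pairs:
        findings.append("no SignaturePair entries found")
    return pairs, findings

# Constructed samples: the switches and pairs of the policy above, then a drifted copy.
PAGE_POLICY = ("SSLv2 Off\nSSLv3 Off\nTLSv1 Off\nTLSv1.1 Off\nTLSv1.2 On\nFIPS140 On\n"
               + "".join(f"SignaturePair {h}{s}\n"
                         for h in ("03", "04", "05", "06") for s in ("01", "03")))
DRIFTED = PAGE_POLICY.replace("TLSv1.1 Off", "TLSv1.1 On") + "SignaturePair 0201  # SHA-1\n"

if __name__ == "__main__":
    for label, text in (("page policy", PAGE_POLICY), ("drifted copy", DRIFTED)):
        print(label, audit_attls(text)[1])
```
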
Portal server configuration:
  1. Enable TLS/SSL for all Tivoli Enterprise Portal clients. For detailed steps, see "Using SSL between the portal server and the client" in the IBM Tivoli Monitoring Installation and Setup Guide.
  2. Edit the Tivoli Enterprise Portal Server environment file on the computer where the portal server is installed.

    Windows: In the Manage Tivoli Enterprise Monitoring Services window, right-click the component and click Advanced > Edit Variables. Alternatively, you can edit the KFWENV file directly.

    Linux/UNIX: Edit the cq.ini file.

    Change or add the following environment variables:

    KDEBE_FIPS_MODE_ENABLED=SP800-131a
    KFW_FIPS_ENFORCED=YES

  3. Restart the portal server to implement your changes.
  4. Enable SP800-131 Transition mode in the TEPS/e administration console.
    1. Follow the instructions in Starting the TEPS/e administration console.
    2. Click Security → SSL certificate and key management → Manage FIPS.
    3. If you have not imported compliant certificates, select Convert Certificates. When converting the certificates, select Algorithm Strict and then select SHA256WithRSA or another algorithm. If you select an ECDSA Certificate algorithm, then all browsers and clients (including the Dashboard Application Services Hub servers) connecting to the WebSphere Server must support TLSv1.2 and Elliptic Curve Certificates.

      You must accept the new certificate using the WebSphere command line utilities. Run one of the following commands, and then when prompted, accept the certificate:

      Windows: updateTEPSEPass.bat wasadmin <password>

      Linux/UNIX: updateTEPSEPass.sh wasadmin <password>

    4. Select Enable SP800-131, Transition, and Update SSL configurations to require TLSv1.2.

      Note: Once you apply and then save your changes to the master file for WebSphere, you might need to reconnect to the WebSphere console if you are logged out, since the new certificate and algorithms take effect immediately.

    5. Update the ssl.client.props file to allow administration of WebSphere.

      Windows: install_dir\CNPSJ\profiles\ITMProfile\properties\ssl.client.props

      Linux/UNIX: install_dir/arch/iw/profiles/ITMProfile/properties/ssl.client.props

      Once the server is configured for SP800-131 transition mode, the ssl.client.props file must be modified so that the administrative client can communicate with the WebSphere server running in SP800-131 mode. Without this change, the administrative client cannot make a TLSv1.2 connection to the server. Edit the ssl.client.props file by completing the following steps:
      1. Modify com.ibm.security.useFIPS to be set to true.
      2. Add com.ibm.websphere.security.FIPSLevel=SP800-131 directly beneath the useFIPS property.
      3. Change the com.ibm.ssl.protocol property to TLSv1.2. Note: The com.ibm.ssl.protocol property is further down in the file than the first two properties.

    For further instruction, see "Transitioning WebSphere Application Server to the SP800-131 security standard" in the WebSphere Application Server V8.5 Information Center.

  5. Synchronize certificates between the IBM HTTP Server and the portal server. Import the new WebSphere certificates into the IBM Tivoli Monitoring key repository. For detailed steps, see Importing the TEPS/e certificates into the portal server keyfile database.
  6. Update the IBM HTTP Server acceptable protocols. On the computer where the portal server is installed, edit the httpd.conf file to update the virtual host for port 15201 to include:
    Note: In the following examples, the SSLAttributeSet information is entered on one line.

    Windows: install_dir\IHS\CONF

    <VirtualHost *:15201>
       DocumentRoot "<ITM_HOME>/CNB"
       SSLEnable
       SSLProtocolDisable SSLv2
       SSLProtocolDisable SSLv3
       SSLProtocolEnable TLSv10
       SSLProtocolDisable TLSv11
       SSLProtocolEnable TLSv12
       SSLFIPSEnable
       SSLAttributeSet 245 "GSK_TLS_SIGALG_RSA_WITH_SHA224,
    GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_RSA_WITH_SHA384,
    GSK_TLS_SIGALG_RSA_WITH_SHA512,GSK_TLS_SIGALG_ECDSA_WITH_SHA224,
    GSK_TLS_SIGALG_ECDSA_WITH_SHA256,GSK_TLS_SIGALG_ECDSA_WITH_SHA384,
    GSK_TLS_SIGALG_ECDSA_WITH_SHA512" BUFF

       SSLServerCert IBM_Tivoli_Monitoring_Certificate
       ErrorLog "<ITM_HOME>/IHS/logs/sslerror.log"
       TransferLog "<ITM_HOME>/IHS/logs/sslaccess.log"
       KeyFile "<ITM_HOME>/keyfiles/keyfile.kdb"
       SSLStashfile "<ITM_HOME>/keyfiles/keyfile.sth"
    </VirtualHost>

    Linux/UNIX: install_dir/arch/iu/ihs/HTTPServer/conf

    <VirtualHost *:15201>
       DocumentRoot "<ITM_HOME>/<arch>/cw/"
       SSLEnable
       SSLProtocolDisable SSLv2
       SSLProtocolDisable SSLv3
       SSLProtocolEnable TLSv10
       SSLProtocolDisable TLSv11
       SSLProtocolEnable TLSv12
       SSLFIPSEnable
       SSLAttributeSet 245 "GSK_TLS_SIGALG_RSA_WITH_SHA224,
    GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_RSA_WITH_SHA384,
    GSK_TLS_SIGALG_RSA_WITH_SHA512,GSK_TLS_SIGALG_ECDSA_WITH_SHA224,
    GSK_TLS_SIGALG_ECDSA_WITH_SHA256,GSK_TLS_SIGALG_ECDSA_WITH_SHA384,
    GSK_TLS_SIGALG_ECDSA_WITH_SHA512" BUFF

       SSLServerCert IBM_Tivoli_Monitoring_Certificate
       ErrorLog "<ITM_HOME>/<arch>/iu/ihs/HTTPServer/logs/sslerror.log"
       TransferLog "<ITM_HOME>/<arch>/iu/ihs/HTTPServer/logs/sslaccess.log"
       KeyFile "<ITM_HOME>/keyfiles/keyfile.kdb"
       SSLStashfile "<ITM_HOME>/keyfiles/keyfile.sth"
    </VirtualHost>
  7. Update the HTTP plugin.

    Windows: install_dir\IHSPlugins\config\ITMWebServer\plugin-cfg.xml

    Linux/UNIX: install_dir/arch/iu/ihs/Plugins/config/ITMWebServer/plugin-cfg.xml

    Add or change the following properties as attributes on the Config XML tag:
    • FIPSEnable set to "true"
    • StrictSecurity set to "true"
  8. Restart the portal server to implement your changes.
Portal client configuration:
  1. For desktop clients, browser clients, and WebStart clients, configure the clients to communicate using HTTPS protocol. Follow the instructions in "Configuring HTTP communication between the portal client and server" in the IBM Tivoli Monitoring Installation and Setup Guide.
  2. For desktop clients, browser clients, and WebStart clients, edit the associated configuration file using the same method as described in "Configuring HTTP communication between the portal client and server" in the IBM Tivoli Monitoring Installation and Setup Guide.
    • For desktop clients, your edits modify the cnp.bat file.
    • For browser clients, your edits modify the applet.html file.
    • For WebStart clients, your edits modify the tep.jnlpt file.
    Add the following variables to each of the configuration files:

    com.ibm.TEPS.FIPSMODE set to true
    tep.sslcontext.protocol set to TLSv1.2
    https.protocols set to TLSv1.2
    com.ibm.ssl.protocol set to TLSv1.2

  3. For browser client users, you must enable TLSv1.2 in the Java Control Panel. Open the Java Control Panel for the Java that is being used in the browser client, go to Advanced > Advanced Security Settings, and select Use TLS 1.2.
  4. For desktop client users, edit the install_dir/CNP/cnp.bat file directly or through Manage Tivoli Enterprise Monitoring Services > Desktop Client > Advanced > Edit ENV.
    Modify the _CMD line to include the following definition:

    https.protocols set to TLSv1.2
    com.ibm.ssl.protocol set to TLSv1.2

  5. Restart each portal client to implement your changes.

tacmd command-line interface configuration:

Windows
  1. Edit the <ITM_dir>\BIN\KUIENV file.
    Change or add the following environment variables:

    TEPS_FIPS_MODE=YES
    KDEBE_FIPS_MODE_ENABLED=SP800-131a

Linux/UNIX
  1. Edit the <ITM_dir>/bin/tacmd shell script.
    Change or add the following environment variables:

    export TEPS_FIPS_MODE=YES
    export KDEBE_FIPS_MODE_ENABLED=SP800-131a

tivcmd command-line interface:

Windows
  1. Edit the <tivcmd_install_dir>\BIN\KDQENV file.
    Change or add the following environment variables:

    KDEBE_FIPS_MODE_ENABLED=SP800-131a

Linux/UNIX
  1. Edit the <tivcmd_install_dir>/bin/tivcmd shell script.
    Change or add the following environment variables:

    export KDEBE_FIPS_MODE_ENABLED=SP800-131a
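
The monitoring server and agent, portal server, tacmd and tivcmd sections above each set a small group of variables, written either as NAME=value or as export NAME=value. The following Python audit is an added example, not IBM code: it checks the text of one file against the values this page documents. The component labels, the comment markers (# and *), the last-assignment-wins rule and the sample file contents are assumptions of this example.

```python
import re

# Variables this page sets per component, with values exactly as documented above.
REQUIRED = {
    "monitoring": {"KDEBE_FIPS_MODE_ENABLED": "SP800-131a"},
    "portal": {"KDEBE_FIPS_MODE_ENABLED": "SP800-131a", "KFW_FIPS_ENFORCED": "YES"},
    "tacmd": {"TEPS_FIPS_MODE": "YES", "KDEBE_FIPS_MODE_ENABLED": "SP800-131a"},
    "tivcmd": {"KDEBE_FIPS_MODE_ENABLED": "SP800-131a"},
}
# Matches both "NAME=value" (environment files) and "export NAME=value" (shell scripts).
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")

def parse_assignments(text):
    """Map each variable name to every value assigned to it, in file order."""
    seen = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "*")):   # assumed comment markers
            continue
        match = ASSIGN.match(line)
        if match:
            seen.setdefault(match.group(1), []).append(match.group(2).strip("'\""))
    return seen

def audit(component, text):
    """Return a list of findings for one environment file or wrapper script."""
    seen, findings = parse_assignments(text), []
    for name, want in REQUIRED[component].items():
        values = seen.get(name, [])
        if not values:
            findings.append(f"{name} is not set")
        elif values[-1] != want:                   # assumption: last assignment wins
            findings.append(f"{name}={values[-1]} differs from documented {want}")
        elif len(set(values)) > 1:
            findings.append(f"{name} has conflicting assignments {values}")
    return findings

# Constructed sample contents; real files hold many more settings.
TACMD_SH = "#!/bin/sh\nexport TEPS_FIPS_MODE=YES\nexport KDEBE_FIPS_MODE_ENABLED=SP800-131a\n"
CQ_INI = "KDEBE_FIPS_MODE_ENABLED=SP800-131a\n#KFW_FIPS_ENFORCED=YES\n"
MS_INI = "KDEBE_FIPS_MODE_ENABLED=SP800-131a\nKDEBE_FIPS_MODE_ENABLED=YES\n"

if __name__ == "__main__":
    for component, text in (("tacmd", TACMD_SH), ("portal", CQ_INI), ("monitoring", MS_INI)):
        print(component, audit(component, text) or "matches the documented settings")
```

A commented-out line and a later overriding assignment are the two cases a plain text search for the variable name would miss.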

Authorization Policy Server:
  1. Ensure that your Dashboard Application Services Hub WebSphere is at version 8.0.0.6 or 8.5.0.2 or higher to be SP800-131a compliant.
  2. Log in to the WebSphere Administrative Console of the Dashboard Application Services Hub where the Authorization Policy Server is installed.
  3. Configure WebSphere with SP800-131 Transitional mode by following the instructions in the topic "Transitioning WebSphere Application Server to the SP800-131 security standard" in the WebSphere Application Server V8.5 Information Center.

Results

You are now running an SP800-131a compliant configuration.

What to do next

Application agents might initiate their own communications for data collection. Those remote servers must be configured to be SP800-131a compliant to ensure the agent's communication is SP800-131a compliant.

When in SP800-131a mode, Tivoli Management Services components and Tivoli Enterprise Monitoring Agents use one or more of these SP800-131a approved cryptographic providers: IBMJCEFIPS (certificate 497), IBMJSSEFIPS (certificate 409), and IBM Crypto for C (ICC certificate 775) for cryptography. The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

All IP.SPIPE connections and TLS/SSL-enabled LDAP connections utilize TLSv1.2. TLS/SSL must be enabled between the Tivoli Enterprise Portal client and the Tivoli Enterprise Portal Server, as described in the "Using SSL between the portal server and the client" topic in the IBM Tivoli Monitoring Installation and Setup Guide. Failure to enable TLS/SSL might expose credentials.

Enable IP.SPIPE between all IBM Tivoli Monitoring components to preserve integrity and confidentiality of data using SP800-131a compliant cryptography. Certificates used in IP.SPIPE communication require NIST and FIPS prescribed cryptographic strength. For detailed information on how to replace cryptographic certificates, see the various topics in Securing communications. If your environment uses the provided GSKit utilities, the -fips flag must be included in all operations. Refer to your local security administrator or to the NIST website for more details on SP800-131a compliance. Information on how to generate certificates using GSKit is also provided on IBM Service Management Connect.


