Configuring IBM Tivoli Monitoring version 6.2.3 Infrastructure and Agents for FIPS 140-2 Level 1 Conformance

Updated 4/12/13, 2:51 AM by NikolaVouk

Download the PDF for examples and pictures.

  1. Introduction
The instructions in this paper help you to configure your installation of IBM® Tivoli® Monitoring version 6.2.3 and later to be FIPS 140-2 conformant, as required for U.S. Federal systems.
  1.1 Background
The United States National Institute of Standards and Technology (NIST) defines most of the standards used in common across the agencies of the federal government, ranging from weights, measures, and official timekeeping to public safety, research, and manufacturing protocols. Although these standards target federal systems, many private-sector organizations adopt them as good practice, and must comply with them when working with federal agencies.
The mission of the NIST Computer Security Division (CSD) is stated as follows:
The CSD mission is to provide standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology (IT) systems.
The NIST Computer Security Resource Center (CSRC) publishes Federal Information Processing Standard (FIPS) 140-2, which specifies the security requirements for cryptographic modules and for the handling, execution, and derivation of cryptographic data (for example, encrypted user names, passwords, encryption keys, and other user-specified sensitive data).
IBM Tivoli Monitoring versions 6.2.3 (released May 2009) and later can be configured to conform with FIPS 140-2 Level 1 as defined on the NIST website.
Conformance here means that, although no IBM Tivoli Monitoring version is itself certified as a FIPS 140-2 cryptographic module, Tivoli Monitoring relies on an external, dynamically loaded, certified cryptographic module to perform all cryptographic functions on its behalf, and it follows the FIPS 140-2 recommendations and related documents for handling cryptographic data (for example, requiring TLS 1.0 instead of SSL 3.0 or earlier versions).
For Tivoli Monitoring to claim that all cryptographic operations are performed by the certified module, Tivoli Monitoring itself must strictly follow the operational requirements in FIPS 140-2 and its referenced documents for handling any cryptographic data. See the definition of "Approved Security Function" in the FIPS 140-2 publication.
The following list includes referenced documents in the standard:
  • FIPS PUB 46-3, Data Encryption Standard.
  • FIPS PUB 74, Guidelines for Implementing and Using the NBS Data Encryption Standard.
  • FIPS PUB 81, DES Modes of Operation.
  • FIPS PUB 113, Computer Data Authentication.
  • FIPS PUB 171, Key Management Using ANSI X9.17.
  • FIPS PUB 180-1, Secure Hash Standard.
  • FIPS PUB 186-2, Digital Signature Standard.
  • Special Publication 800-2, Public Key Cryptography.
  • Special Publication 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures.
The NIST guidelines for specific protocols that use the cryptographic modules are called "Special Publications."
  1.2 Tivoli Monitoring FIPS 140-2 Operating Mode
This paper addresses the initialization and configuration of the base Tivoli Monitoring installation at all levels, including database connections and some usage restrictions for known agents. Tivoli Monitoring application agents use the same instructions to enable FIPS 140-2 mode but might also require additional configuration. Refer to the specific installation and user’s guide for the application agent, if additional configuration is required.
When in FIPS 140-2 mode, IBM Tivoli Monitoring components perform all cryptography through the FIPS 140-2 validated providers IBMJCEFIPS (certificate 497), IBMJSSEFIPS (certificate 409), and IBM Crypto for C (ICC, certificate 775), in whatever combination the component needs. The certificates are listed on the NIST website.
The Tivoli Monitoring GSKit requires special initialization and the IBM Runtime Environment for Java must use special security modules to enable a FIPS-compliant runtime mode. Also, special care must be taken to address secondary connections such as database ODBC/JDBC connections and any embedded cryptographic operations.
You must first preconfigure your environment before enabling FIPS 140-2 mode in Tivoli Monitoring.
When running in FIPS 140-2 mode, the SSL and encryption algorithms comply with FIPS 140-2 as defined in September 2009.
Currently, this implies the following:
  • TLS 1.0 is used for any SSL (IP.SPIPE) communication.
  • AES encryption with a 128-bit or 256-bit key is used.
  • The SHA-1 message digest algorithm is used for any hashing.
  • All encryption is performed through a certified cryptographic provider.
  • Algorithms that handle cryptographic data use Approved Security Functions that comply with the applicable NIST publications and Special Publications (for example, SP 800-57, Recommendation for Key Management). See the FIPS 140-2 standard [1].
  2. Prerequisite Runtime Guidelines
The following settings are required before any Tivoli Monitoring installation can be enabled for FIPS 140-2 mode. Most of them require the exclusive use of IP.SPIPE or SSL for the connections between components. Configuring Tivoli Monitoring for FIPS 140-2 mode then ensures that its internal encryption operations are FIPS 140-2 compliant and use only FIPS 140-2 certified cryptographic providers.
  • Tivoli Enterprise Portal Client to Tivoli Enterprise Portal Server connections must use SSL exclusively. (Configure the portal server interfaces to allow SSL client connections.)
  • Tivoli Enterprise Portal Server to Tivoli Enterprise Monitoring Server connections must use IP.SPIPE exclusively.
  • Tivoli Enterprise Monitoring Agent to Tivoli Enterprise Monitoring Server connections must use IP.SPIPE exclusively.
  • Remote monitoring server to hub monitoring server connections must use IP.SPIPE exclusively.
  • Hub monitoring server or monitoring agent connections to the Warehouse Proxy Agent must use IP.SPIPE exclusively.
  • Connections to the service consoles of agents must use the HTTPS ports (3661+4096*x, 0<=x<=15; that is, 3661, 7757, ..., 65101) exclusively.
  • Connections to the SOAP Server must use the HTTPS port (3661+4096*x, 0<=x<=15) exclusively.
  • Firewall Gateway connections must be configured for IP.SPIPE exclusively.
  • Hot Standby monitoring server connections must be configured to use IP.SPIPE exclusively.
  • Tivoli Enterprise Portal Server LDAP connections must be configured to use SSL exclusively.
  • Monitoring server LDAP connections must be configured to use SSL exclusively.

  • Tivoli Monitoring SNMP v3 with encryption is not FIPS 140-2 compliant. The Tivoli Enterprise Monitoring Server, Agent Builder agents, and Universal Agents must not invoke SNMP for eventing or data collection.

  • In the Linux OS and UNIX OS agents, situations and queries on the File Change attribute may use only the SHA-1 algorithm. Any existing situation or query that uses CRC-32 or MD5 fails with a Not Available (-1) code.

  • MS SQL, Oracle, and Sybase agents must use remote configurations of the database user name and password to properly encrypt the credentials.

  • Use certificates that conform to the relevant NIST FIPS documentation and implementation guidelines. New certificates must be placed in the key database files as described in Chapter 4 of the Administrator's Guide.

  • Enable Certificate Authentication at all components. Refer to the “ITM Certificate Authentication Configuration Guide” technote.

    Follow any applicable NIST FIPS 140-2 implementation guidelines for your other products and environment.
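Checking the protocol settings above across dozens of component environment files by eye is error prone. The following script is an added example and is not part of the original paper or of the Tivoli Monitoring product: it parses a component's environment file (ms.ini, KBBENV, hd.ini, KHDENV, or an agent .ini), confirms that only IP.SPIPE is enabled, flags a plain-HTTP service console, and checks that any HTTPS service-console port is one of the 3661+4096*x ports listed above. The variable name KDC_FAMILIES and its token syntax ("family port:N use:y|n", "http:N", "https:N") are assumptions; compare them with the files in your own installation before relying on the checks. The two sample files are constructed.

```python
"""Audit a Tivoli Monitoring component environment file against the FIPS 140-2
prerequisites: IP.SPIPE only, and HTTPS service-console ports 3661+4096*x.

Added example; not from the original paper or the ITM product.  KDC_FAMILIES
and its token syntax are ASSUMED here, as are the sample files below.
"""
import re

# Component .ini / ENV files are NAME=value lines; '#' begins a comment.
_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Families that carry traffic in the clear and must be switched off.
CLEARTEXT_FAMILIES = ("ip", "ip.pipe", "ip6", "ip6.pipe", "sna")
SECURE_FAMILIES = ("ip.spipe", "ip6.spipe")


def https_console_ports():
    """The 16 HTTPS service-console/SOAP ports: 3661 + 4096*x for 0 <= x <= 15."""
    return [3661 + 4096 * x for x in range(16)]


def is_https_console_port(port):
    return port in https_console_ports()


def parse_env(text):
    """Return {NAME: value}; a later assignment overrides an earlier one."""
    env = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])
        if m:
            env[m.group(1)] = m.group(2)
    return env


def parse_families(value):
    """Parse an (assumed) KDC_FAMILIES value such as
    'ip.spipe port:3660 ip.pipe use:n ip use:n sna use:n https:3661'
    into {family: {'use': 'y'|'n', 'port': int|None}}.  A family listed
    without 'use:n' is treated as enabled."""
    families, current = {}, None
    for tok in value.split():
        key, sep, val = tok.partition(":")
        key = key.lower()
        if sep and key == "use" and current:
            families[current]["use"] = val.lower()
        elif sep and key == "port" and current:
            families[current]["port"] = int(val)
        else:
            # New family; 'http:1920' / 'https:3661' carry their port inline.
            current = key
            families[current] = {"use": "y", "port": int(val) if val.isdigit() else None}
    return families


def audit_env(text):
    """Return a list of findings; an empty list means no prerequisite is violated."""
    findings = []
    value = parse_env(text).get("KDC_FAMILIES")
    if value is None:
        return ["KDC_FAMILIES is not set, so the protocol is not pinned to IP.SPIPE"]
    fams = parse_families(value)
    if not any(fams.get(f, {}).get("use") == "y" for f in SECURE_FAMILIES):
        findings.append("IP.SPIPE is not enabled in KDC_FAMILIES")
    for f in CLEARTEXT_FAMILIES:
        if fams.get(f, {}).get("use") == "y":
            findings.append(f"cleartext family {f} is still enabled; set '{f} use:n'")
    http = fams.get("http")
    if http and http["use"] == "y" and http["port"]:
        findings.append(f"plain HTTP service console enabled on port {http['port']}; use HTTPS only")
    https = fams.get("https")
    if https and https["port"] and not is_https_console_port(https["port"]):
        findings.append(f"HTTPS console port {https['port']} is not of the form 3661+4096*x")
    return findings


# Constructed samples, not taken from a real installation.
NONCOMPLIANT_ENV = """\
# KBBENV-style sample: IP.PIPE still on, plain HTTP console still on
KDC_FAMILIES=ip.pipe port:1918 ip.spipe port:3660 ip use:n sna use:n http:1920
"""
COMPLIANT_ENV = """\
KDC_FAMILIES=ip.spipe port:3660 ip.pipe use:n ip use:n sna use:n https:3661
"""

if __name__ == "__main__":
    for name, text in (("noncompliant", NONCOMPLIANT_ENV), ("compliant", COMPLIANT_ENV)):
        print(name, audit_env(text) or ["OK"])
```

Run it over every component's environment file before switching the environment to FIPS mode; a family that is simply absent is not reported, so the script complements rather than replaces a port scan of each host.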
  3. FIPS Deployment Configurations
Enabling FIPS 140-2 mode requires six different types of configuration for the different connection components in the distributed Tivoli Monitoring environment. Figure 1 illustrates each configuration point and each step that is detailed below.
Figure 1 Base Tivoli Monitoring Installation
  3.1 Tivoli Enterprise Portal Server Configuration

To configure the portal server, complete the following steps:
  1. Edit one of the following configuration files:

  • For Windows systems: the KFWENV file
  • For UNIX and Linux systems: the cq.ini file

  2. Modify the KFW_JAVA_PARMS variable to add the following statement:
KFW_JAVA_PARMS=-Xrs:all -Xmx256m -Xcompactexplicitgc -Xalwaysclassgc -Dderby.system.home=$KFW_EWAS_HOME$/derby -Dkjr.trace.params=ERROR -Dkjr.trace.mode=LOCAL -Dkjr.trace.file=$CANDLEHOME$/logs/kfwjras1.log -DKFW_DATA=$CANDL
ANDLEHOME$/$BINARCH$/cw/classes/kjrall.jar:$CANDLEHOME$/$BINARCH$/cw/classes/util.jar com/ibm/TEPS/CTJ


  3. For the $CANDLEHOME\java\java50\jre\lib\security file, make the following changes:
  • Modify the file with FIPS providers:

cd %ITMHOME%\installITM\CandleGetJavaHome.bat

edit lib\security\

  • Change the provider list to the one shown below:
  4. Edit one of the following files:
  • For UNIX and Linux systems: the $CANDLEHOME/<platform>/iw/java/jre/lib/security/ file
  • For Windows systems: the $CANDLEHOME\CNPSJ\java\jre\lib\security file
Change the provider list to the one shown below:


Make sure to comment out the WebSphere® Socket Factories.
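The two conditions the steps above impose on the JRE security properties file (the FIPS provider first in the security.provider.N list, and the WebSphere socket factories commented out) can be checked and applied mechanically. The following script is an added example, not from the original paper or from IBM: it reports where a file deviates and produces a corrected copy that keeps every other property intact. It assumes that the FIPS provider's class is com.ibm.crypto.fips.provider.IBMJCEFIPS (the page names the IBMJCEFIPS provider, not its class) and that it belongs at security.provider.1, and that the WebSphere socket factories are the ssl.SocketFactory.provider and ssl.ServerSocketFactory.provider properties pointing at com.ibm.websphere.ssl.protocol classes. Confirm both against the provider list in the PDF for your release; the sample file is constructed.

```python
"""Check and rewrite the provider list of a java.security-style file for the
FIPS layout described above.

Added example; not from the original paper or from IBM.  The FIPS provider
class name, its required position, and the WebSphere socket factory
property names are ASSUMPTIONS; the sample file is constructed.
"""
import re

FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"   # assumed class name

_PROVIDER = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")
_FACTORY = re.compile(r"^\s*(ssl\.(?:Server)?SocketFactory\.provider)\s*=\s*(\S+)\s*$")


def providers(text):
    """Active (uncommented) provider classes ordered by their index."""
    found = []
    for line in text.splitlines():
        m = _PROVIDER.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(found)]


def active_socket_factories(text):
    """Uncommented ssl.*SocketFactory.provider lines that select a WebSphere class."""
    keys = []
    for line in text.splitlines():
        m = _FACTORY.match(line)
        if m and "websphere" in m.group(2).lower():
            keys.append(m.group(1))
    return keys


def check(text):
    """Return a list of findings; empty means the file matches the FIPS layout."""
    findings = []
    order = providers(text)
    if not order:
        findings.append("no security.provider.N entries found")
    elif order[0] != FIPS_PROVIDER:
        findings.append(f"provider 1 is {order[0]}, expected {FIPS_PROVIDER}")
    if FIPS_PROVIDER not in order:
        findings.append(f"{FIPS_PROVIDER} is not registered at all")
    for key in active_socket_factories(text):
        findings.append(f"{key} still points at the WebSphere socket factory; comment it out")
    return findings


def rewrite(text):
    """Corrected copy: FIPS provider moved to position 1 (added if missing),
    the other providers renumbered in their existing order, WebSphere socket
    factory lines commented out, everything else left untouched."""
    order = providers(text)
    new_order = [FIPS_PROVIDER] + [p for p in order if p != FIPS_PROVIDER]
    out, emitted = [], False
    for line in text.splitlines():
        if _PROVIDER.match(line):
            if not emitted:           # emit the whole new block where the old one began
                out.extend(f"security.provider.{i}={cls}" for i, cls in enumerate(new_order, 1))
                emitted = True
            continue
        m = _FACTORY.match(line)
        if m and "websphere" in m.group(2).lower():
            out.append("#" + line)
            continue
        out.append(line)
    if not emitted:
        out.append(f"security.provider.1={FIPS_PROVIDER}")
    return "\n".join(out) + "\n"


# Constructed sample resembling a stock (non-FIPS) file; the non-FIPS
# provider classes are illustrative.
SAMPLE = """\
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
securerandom.source=file:/dev/urandom
"""

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)))
    print(rewrite(SAMPLE))
```

Apply the rewrite to each JRE listed in the steps (portal server, eWAS, Summarization and Pruning agent, and portal client), then rerun the check after the next fix pack, since JRE updates can ship a fresh properties file.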
  3.2 Tivoli Enterprise Monitoring Server/Tivoli Enterprise Monitoring Agent Configuration

  1. For UNIX, Linux, and z/OS systems, edit the ms.ini file and all the .ini files for the agents:

Note that for Windows systems, you must edit the corresponding KBBENV file for the Tivoli Enterprise Monitoring Server and the KXXENV file for each agent.
Add the following entry:
  2. For autonomous agents, create or modify your custom .environment file by including the following entry:
  3.3 Warehouse Proxy Configuration
To configure the Warehouse Proxy Agent, edit one of the following files:
  • For UNIX and Linux systems: The hd.ini file
  • For Windows systems: KHDENV file
Add the following entry:
  3.4 Summarization and Pruning Agent

Modify the file with FIPS providers:

For UNIX and Linux systems:

cd %ITMHOME%\installITM\CandleGetJavaHome.bat

edit lib\security\

For Windows systems:
C:\Program Files\IBM\Java50\jre\lib\security

Change the provider list to the one shown below:


Modify the sy.ini or KSYENV file to add or amend the KSZ_JAVA_ARGS variable:
  3.5 Warehouse/Tivoli Enterprise Portal Server ODBC/JDBC Database Configuration

These actions are specific to your installation and are outside the scope of this paper. You must configure your ODBC client to access the database server using SSL. Links for running each supported database in FIPS 140-2 mode are listed below.
  • Configuring MSSQL 2005
Refer to the Microsoft knowledge base article on configuring Microsoft SQL Server to run in FIPS 140-2 mode.
  • Configuring DB2 v9.1 Fix Pack 2 and later
DB2 version 9.1 Fix Pack 2 and later SSL connections are always in FIPS 140-2 mode. Refer to the IBM support document on configuring the SSL ODBC connection.
  • Configuring Oracle Database Server
Refer to the Oracle support document on configuring Oracle 10g (9.0.4) or later in FIPS 140-2 mode.
  3.6 Tivoli Enterprise Portal Browser/Desktop Client Configuration
  1. Modify the CNP.BAT file

Modify the _CMD line to include the following definition:
This flag limits the capabilities of the non-FIPS JCE provider to only the X509CertificateFactory and the JKS/JCEKS keystore functionality.
For Windows systems: %ITMHOME%\cnp\cnp.bat

set _CMD= %_JAVA_CMD% -Xms64m -Xmx256m -showversion -noverify -classpath %CPATH% -Dkjr.trace.mode=LOCAL -Dkjr.trace.file=C:\IBM\ITM\CNP\LOGS\kcjras1.log -Dkjr.trace.params=ERROR -DORBtcpNoDelay=true -Dvbroker.agent.enableLocator=false -Dnv_inst_flag=%NV_INST_FLAG% -Dnvwc.cwd=%NVWC_WORKING_DIR% candle.fw.pres.CMWApplet %1 %2 %3 %4 %5 %6 %7 %8 %9 %10

For UNIX and Linux systems:

  2. Modify the file with FIPS providers:

For UNIX and Linux systems:
cd %ITMHOME%\installITM\CandleGetJavaHome.bat

edit lib\security\
The file on Windows systems:
C:\Program Files\IBM\Java50\jre\lib\security
Change the provider list to the one shown below:


  3. Reconfigure the Tivoli Enterprise Portal Client to run in FIPS 140-2 mode.
On Windows, the Tivoli Enterprise Portal Client can be partially configured by setting the property to true. You must also edit the CNP.bat file to add
  4. Conclusion
Your Tivoli Monitoring installation is now running in a FIPS 140-2 Level 1 conformant configuration.
  5. References
[1] Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules, May 25, 2001.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information is for planning purposes only. The information herein is subject to change before the products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM‘s application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.
If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web under "Copyright and trademark information".
Other company, product, or service names may be trademarks or service marks of others.