FIPS 140-2 installations

Federal Information Processing Standard (FIPS) 140-2 is a US Federal cryptographic standard. You can install Network Manager with a restricted set of cryptographic algorithms.

Network Manager cannot be said to be compliant with the FIPS 140-2 standard, and nothing in this information or in the product should be understood as making this claim. However, Network Manager can be installed in a way that has been designed with FIPS 140-2 specifications taken into consideration.

Restriction: If FIPS 140-2 compliance is important to you, you must install Network Manager with a restricted set of cryptographic algorithms by clearing the Additional cryptographic routines feature in the installer. If you install these additional routines, then your installation uses non-FIPS 140-2 compliant cryptographic routines.

If your requirements change, or you make an error during installation, you can install or uninstall the Additional cryptographic routines feature after installation by running the installer again and selecting Modify.

Integrating with other products

If FIPS 140-2 compliance is important to you, you must also ensure that all products that integrate with Network Manager, such as IBM Tivoli Netcool/OMNIbus, have a FIPS mode, and configure those products if necessary. You must also check that your operating system uses only FIPS 140-2 compliant modules.

Differences in a FIPS 140-2 installation of Network Manager

An installation with restricted cryptographic routines that is intended for use in a FIPS 140-2 compliant environment differs from a normal installation in the following ways:

  • The Telnet discovery agents do not use SSHv1 to interrogate devices, because SSHv1 is not FIPS 140-2 compliant. The algorithms used are negotiated during the connection to the network device. Unless all the network devices in the customer network use FIPS 140-2 compliant algorithms, the discovered topology might be affected.
  • Because the Telnet discovery agents do not use SSHv1, they might fail to connect securely to a device if the device supports only SSHv1, or if the device supports only non-FIPS 140-2 compliant SSHv2 algorithms.
  • The SNMP Helper and the MIB browser cannot be configured to use MD5 message digest or DES encryption. They support the SHA and SHA1 algorithms for message digest, and 3-DES and AES 128 for encryption.
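
The differences listed above can be checked against a device inventory before the Additional cryptographic routines feature is cleared. The following Python script is an added example, not part of Network Manager: it flags devices whose SSH identification string shows SSHv1 only, or whose SNMPv3 settings use a digest or cipher outside the supported set named above. The inventory, device names and tuple layout are constructed for illustration, and SSHv2 algorithm negotiation is not checked because this page does not list the accepted SSHv2 algorithms.

```python
import re

# From the page: what the SNMP Helper and MIB browser accept when the
# Additional cryptographic routines feature is cleared.
SNMP_AUTH_OK = {"SHA", "SHA1"}
SNMP_PRIV_OK = {"3DES", "AES128"}

# RFC 4253 identification string: SSH-<protoversion>-<softwareversion>
BANNER = re.compile(r"^SSH-(\d+\.\d+)-\S+")

def _norm(name):
    """'3-DES' -> '3DES', 'aes 128' -> 'AES128'."""
    return re.sub(r"[\s_-]", "", name).upper()

def ssh_findings(banner):
    m = BANNER.match(banner.strip())
    if not m:
        return ["ssh: unparseable identification string"]
    # 2.0 is SSHv2; 1.99 is an SSHv2 server that also accepts SSHv1 clients.
    if m.group(1) in ("2.0", "1.99"):
        return []
    return [f"ssh: protocol {m.group(1)} is SSHv1 only"]

def snmp_findings(auth, priv):
    out = []
    if auth and _norm(auth) not in SNMP_AUTH_OK:
        out.append(f"snmp: auth {auth} not configurable")
    if priv and _norm(priv) not in SNMP_PRIV_OK:
        out.append(f"snmp: priv {priv} not configurable")
    return out

def audit(devices):
    """Return {device: [findings]} for devices a restricted install cannot reach as configured."""
    report = {}
    for name, banner, auth, priv in devices:
        found = ssh_findings(banner) + snmp_findings(auth, priv)
        if found:
            report[name] = found
    return report

# Constructed sample inventory: (device, SSH banner, SNMPv3 auth, SNMPv3 priv)
INVENTORY = [
    ("core-rtr-01", "SSH-2.0-Cisco-1.25", "SHA", "AES 128"),
    ("edge-sw-07", "SSH-1.5-Cisco-1.25", "MD5", "DES"),
    ("dist-sw-03", "SSH-1.99-OpenSSH_3.9p1", "SHA1", "3-DES"),
    ("lab-fw-02", "SSH-2.0-dropbear_0.52", "md5", None),
]

if __name__ == "__main__":
    for device, findings in audit(INVENTORY).items():
        print(device, "->", "; ".join(findings))
```

Devices that appear in the report need an SSHv2 or SNMPv3 configuration change before discovery in the restricted installation can reach them.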