Enabling Federal Information Processing Standards (FIPS) support for an IBM Tivoli Netcool/OMNIbus integration

If you plan to integrate IBM Cloud Pak for AIOps with IBM Tivoli Netcool/OMNIbus, you can configure your integration to enable support for Federal Information Processing Standards (FIPS).

Prerequisites

  • You must have an existing FIPS-compliant installation of IBM Cloud Pak for AIOps. You cannot enable FIPS support for the integration on a noncompliant system.

    For more information about installing IBM Cloud Pak for AIOps to be FIPS-compliant, see Enabling support for Federal Information Processing Standards (FIPS).

  • You must have an existing FIPS-compliant installation of IBM Tivoli Netcool/OMNIbus.

Procedure

To enable FIPS mode in IBM Tivoli Netcool/OMNIbus, complete the following steps on the host where IBM Tivoli Netcool/OMNIbus (the on-premises ObjectServer) runs:

  1. Stop the ObjectServer pair and the IBM Tivoli Netcool/OMNIbus bidirectional gateway.

    • To stop the ObjectServer, complete the following steps:

      1. Open the ObjectServer SQL prompt. The password is given in plain text on the command line, so it is visible in the shell history and in ps output while nco_sql runs:

        $OMNIHOME/bin/nco_sql -server <OS_NAME> -user root -password <plain-text-pwd>
        
      2. On the SQL prompt, run the following command:

        > alter system shutdown;
        > go
        

      Note: After you enter go, the SQL prompt disconnects as the ObjectServer is exiting.

    • To stop the bidirectional gateway, run the following command:

      kill -15 <pid>
      

      where <pid> is the process ID of the gateway process.

      Note: Use the ps -ef | grep nco_g_objserv_bi command to get the gateway's pid.

  2. Add the following settings to the properties file of both ObjectServers:

    PasswordEncryption   : 'AES'
    ConfigKeyFile        : '<key_file>'
    

    Note: To generate the key file, run the following command on the host. The key file decrypts every password that is encrypted with it, and the gateway uses the same file in step 5, so make it readable only by the user that runs the ObjectServers and the gateway.

    $OMNIHOME/bin/nco_keygen -o <key_file> -l 256
    
  3. Start the ObjectServer pair and set the root password again, to the same value in each ObjectServer, so that it is stored in the AES-encrypted form that FIPS mode requires.

    1. To start the ObjectServer, run the following command:

      $OMNIHOME/bin/nco_objserv -name <OS_NAME> -propsfile <objectserver-properties-file> &
      
    2. To open the ObjectServer SQL prompt, run the following command:

      $OMNIHOME/bin/nco_sql -server <OS_NAME> -user root -password <plain-text-pwd>
      
    3. To reset the root password, run the following SQL command:

      > alter user 'root' set password '<plain_text_pwd>';
      > go
      
    4. To verify that the Passwd column now contains AES-encrypted passwords (24 characters long), run the following SQL command:

      > select UserName,Passwd from security.users;
      > go
      
  4. Generate the encrypted IBM Tivoli Netcool/OMNIbus root password by using the ConfigKeyFile. The encrypted string is the value that step 5 puts in the gateway properties file.

    • To create the encrypted password, run the following command. The plain-text password is again passed on the command line, so the same shell-history and ps caveat as in step 1 applies:

      $OMNIHOME/bin/nco_aes_crypt -c AES_FIPS -o <encrypted_file> -k <key_file> <root_plain_text_pwd>
      

      Note: For more information about generating a key in a key file, see Generating a key in a key file.

  5. Add the following settings to the properties file of the bidirectional gateway, using the encrypted string from step 4 for both passwords and the same key file as the ObjectServers:

    Gate.ObjectServerA.Password  : '<encrypted_root_pwd>'
    Gate.ObjectServerB.Password  : '<encrypted_root_pwd>'
    ConfigKeyFile                : '<key_file>'
    
  6. Place the following files in the $NCHOME/etc/security directory to enable FIPS mode in IBM Tivoli Netcool/OMNIbus:

    • fips.conf:

      SP800_131MODE=TRUE
      TLS12_ONLY=TRUE
      
    • sslciphers.conf:

      sslv3_remove=_
      tls10_remove=_
      tls11_remove=_
      tls12_remove="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"

      Note: The suites listed in tls12_remove are the static-RSA key-exchange suites, which provide no forward secrecy; removing them leaves only suites with ephemeral key exchange for TLS 1.2. Each suite needs to appear only once.
      
  7. Start the ObjectServer pair and the bidirectional gateway.

    • To start the ObjectServer, run the following command on the host:

      $OMNIHOME/bin/nco_objserv -name <OS_NAME> -propsfile <objectserver-properties-file> &
      

      For example,

      $OMNIHOME/bin/nco_objserv -name AGG_P -propsfile $OMNIHOME/etc/AGG_P.props &
      
    • To start the bidirectional gateway, run the following command on the host:

      $OMNIHOME/bin/nco_g_objserv_bi -propsfile <gateway-properties-file> &
      

      For example,

      $OMNIHOME/bin/nco_g_objserv_bi -propsfile $OMNIHOME/etc/AGG_GATE.props &
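
The following script is an added example and is not part of this page or of the OMNIbus product. It runs pre-flight checks over the files edited in steps 2, 5 and 6 before the restart in step 7: the ObjectServer properties use AES password encryption and point at a key file that exists with owner-only permissions, the gateway properties carry the encrypted string rather than the plain-text root password and reference the same key file, and fips.conf and sslciphers.conf contain the expected lines with no duplicated cipher suites. Property and file names are those used above; the sample files that make_sample writes are constructed for the self-test and are not real OMNIbus output. One assumption is labelled in the code: that an encrypted value produced by nco_aes_crypt -c AES_FIPS begins with AES_FIPS:, so adjust the check_gateway pattern if your version emits a different prefix.

```shell
#!/bin/sh
# Added example (not from the IBM page or the OMNIbus product): pre-flight checks on
# the files edited in steps 2, 5 and 6, to run before the restart in step 7.
# Property and file names are the ones used on this page. Assumption: an encrypted
# value produced by "nco_aes_crypt -c AES_FIPS" starts with "AES_FIPS:".

# prop FILE NAME: print the value of a quoted property line "NAME : 'value'"
prop() {
  sed -n "s/^$2[[:space:]]*:[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# check_keyfile PATH: the key file decrypts every stored password, so it must
# exist and be readable by its owner only (mode 600).
check_keyfile() {
  [ -f "$1" ] || { echo "key file $1 is missing"; return 1; }
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || { echo "key file $1 has mode $mode, want 600"; return 1; }
}

# check_objserv PROPS: the step 2 settings of one ObjectServer
check_objserv() {
  [ "$(prop "$1" PasswordEncryption)" = "AES" ] \
    || { echo "$1: PasswordEncryption is not 'AES'"; return 1; }
  check_keyfile "$(prop "$1" ConfigKeyFile)"
}

# check_gateway PROPS KEYFILE: the step 5 settings; both passwords must be the
# encrypted string, not the plain-text root password, and the gateway must
# reference the same key file as the ObjectServers.
check_gateway() {
  for side in A B; do
    case "$(prop "$1" "Gate.ObjectServer$side.Password")" in
      AES_FIPS:*) ;;   # assumed prefix of nco_aes_crypt -c AES_FIPS output
      *) echo "$1: Gate.ObjectServer$side.Password is not an AES_FIPS value"; return 1 ;;
    esac
  done
  [ "$(prop "$1" ConfigKeyFile)" = "$2" ] \
    || { echo "$1: ConfigKeyFile differs from the ObjectServers' key file"; return 1; }
}

# check_security DIR: the step 6 files. tls12_remove should list only the
# static-RSA suites (no forward secrecy), each of them once.
check_security() {
  grep -qx 'SP800_131MODE=TRUE' "$1/fips.conf" && grep -qx 'TLS12_ONLY=TRUE' "$1/fips.conf" \
    || { echo "$1/fips.conf: SP800_131MODE=TRUE and TLS12_ONLY=TRUE are required"; return 1; }
  list=$(sed -n 's/^tls12_remove="\(.*\)"/\1/p' "$1/sslciphers.conf" | tr ',' '\n')
  dups=$(printf '%s\n' "$list" | sort | uniq -d)
  [ -z "$dups" ] || { echo "$1/sslciphers.conf: duplicate suites: $dups"; return 1; }
  odd=$(printf '%s\n' "$list" | grep -v '^TLS_RSA_WITH_' || true)
  [ -z "$odd" ] || { echo "$1/sslciphers.conf: non-RSA suites in tls12_remove: $odd"; return 1; }
}

# check_all OS_A_PROPS OS_B_PROPS GATE_PROPS SECURITY_DIR: returns 0 only if every check passes
check_all() {
  check_objserv "$1" && check_objserv "$2" \
    && check_gateway "$3" "$(prop "$1" ConfigKeyFile)" \
    && check_security "$4" && echo "FIPS configuration checks passed"
}

# make_sample DIR good|bad: constructed sample files (not real OMNIbus output) for a
# self-test; "bad" leaves the plain-text root password in the gateway properties.
make_sample() {
  d=$1; mkdir -p "$d/etc/security"
  printf 'constructed-key\n' > "$d/key"; chmod 600 "$d/key"
  for os in AGG_P AGG_B; do
    printf "PasswordEncryption   : 'AES'\nConfigKeyFile        : '%s'\n" "$d/key" > "$d/etc/$os.props"
  done
  pw='AES_FIPS:0011ccdd'            # constructed placeholder, not a real ciphertext
  if [ "$2" = bad ]; then pw='Passw0rd'; fi
  printf "Gate.ObjectServerA.Password  : '%s'\nGate.ObjectServerB.Password  : '%s'\nConfigKeyFile                : '%s'\n" \
    "$pw" "$pw" "$d/key" > "$d/etc/AGG_GATE.props"
  printf 'SP800_131MODE=TRUE\nTLS12_ONLY=TRUE\n' > "$d/etc/security/fips.conf"
  printf 'sslv3_remove=_\ntls10_remove=_\ntls11_remove=_\ntls12_remove="%s"\n' \
    'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256' \
    > "$d/etc/security/sslciphers.conf"
}

# Real use on the OMNIbus host, for example:
#   check_all $OMNIHOME/etc/AGG_P.props $OMNIHOME/etc/AGG_B.props \
#             $OMNIHOME/etc/AGG_GATE.props $NCHOME/etc/security
if [ "$#" -eq 4 ]; then check_all "$@"; fi
```

Run it with the two ObjectServer properties files, the gateway properties file and $NCHOME/etc/security as arguments; a non-zero exit with the printed reason means one of the edits from steps 2, 5 or 6 is missing or inconsistent, which is cheaper to find here than from a gateway that fails to connect after the restart.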