Enabling Federal Information Processing Standards (FIPS) support for an IBM Tivoli Netcool/OMNIbus integration
If you plan to integrate IBM Cloud Pak for AIOps with IBM Tivoli Netcool/OMNIbus, you can configure your integration to enable support for Federal Information Processing Standards (FIPS).
Prerequisites
- You must have an existing FIPS-compliant installation of IBM Cloud Pak for AIOps. You cannot enable FIPS support for the integration on a noncompliant system. For more information about installing IBM Cloud Pak for AIOps to be FIPS-compliant, see Enabling support for Federal Information Processing Standards (FIPS).
- You must have an existing FIPS-compliant installation of IBM Tivoli Netcool/OMNIbus.
Procedure
To enable FIPS mode in IBM Tivoli Netcool/OMNIbus, complete the following steps on the host where IBM Tivoli Netcool/OMNIbus (the on-premises ObjectServer) is running:
- Stop the ObjectServer pair and the IBM Tivoli Netcool/OMNIbus bidirectional gateway.
  - To stop an ObjectServer (repeat for each ObjectServer in the pair), open its SQL prompt:
    $OMNIHOME/bin/nco_sql -server <OS_NAME> -user root -password <plain-text-pwd>
    At the SQL prompt, run the following command:
    > alter system shutdown;
    > go
    Note: After you enter go, the SQL prompt disconnects because the ObjectServer is exiting.
    Note: A password given with -password is visible to other users of the host in the process list and is kept in your shell history. Prefer to omit the option so that nco_sql prompts for the password.
  - To stop the bidirectional gateway, find its process ID (pid) and send it SIGTERM:
    ps -ef | grep nco_g_objserv_bi
    kill -15 <pid>
- Add the following entries to the properties file of both ObjectServers:
    PasswordEncryption : 'AES'
    ConfigKeyFile : '<key_file>'
  Note: To generate the key file, run the following command on the host:
    $OMNIHOME/bin/nco_keygen -o <key_file> -l 256
  The same <key_file> is used later by the bidirectional gateway to decrypt its stored passwords, so both ObjectServers and the gateway must reference the same file. Anyone who can read the key file can decrypt every password encrypted with it: make it readable only by the user that runs the Netcool processes (for example, chmod 600).
- Start the ObjectServer pair and set the same FIPS-compliant password for the root user in each ObjectServer.
  - To start an ObjectServer, run the following command:
    $OMNIHOME/bin/nco_objserv -name <OS_NAME> -propsfile <objectserver-properties-file> &
  - To open the ObjectServer SQL prompt, run the following command:
    $OMNIHOME/bin/nco_sql -server <OS_NAME> -user root -password <plain-text-pwd>
  - To change the root password, run the following SQL command:
    > alter user 'root' set password '<plain_text_pwd>';
    > go
  - To verify that the Passwd column now contains AES-encrypted passwords (24 characters each), run the following SQL command:
    > select UserName,Passwd from security.users;
    > go
- Generate the encrypted IBM Tivoli Netcool/OMNIbus root password by using the ConfigKeyFile:
    $OMNIHOME/bin/nco_aes_crypt -c AES_FIPS -k <key_file> -o <encrypted_file> <root_plain_text_pwd>
  where <key_file> is the key file that you generated with nco_keygen and <encrypted_file> receives the encrypted string that you enter in the gateway properties file in the next step. The plain-text password is passed on the command line here, so it is subject to the same process-list and shell-history exposure noted for nco_sql.
  Note: For more information about generating a key in a key file, see Generating a key in a key file.
- Apply the following configuration in the properties file of the bidirectional gateway:
    Gate.ObjectServerA.Password : '<encrypted_root_pwd>'
    Gate.ObjectServerB.Password : '<encrypted_root_pwd>'
    ConfigKeyFile : '<key_file>'
  where <encrypted_root_pwd> is the string produced by nco_aes_crypt and <key_file> is the same key file that both ObjectServers reference.
- Place the following files in the $NCHOME/etc/security directory to enable FIPS mode in IBM Tivoli Netcool/OMNIbus:
  - fips.conf:
    SP800_131MODE=TRUE
    TLS12_ONLY=TRUE
  - sslciphers.conf:
    sslv3_remove=_
    tls10_remove=_
    tls11_remove=_
    tls12_remove="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"
    The tls12_remove list drops the TLS 1.2 cipher suites that use static RSA key exchange, which provides no forward secrecy; together with TLS12_ONLY=TRUE this leaves only TLS 1.2 with the remaining (ephemeral key exchange) suites.
- Start the ObjectServer pair and the bidirectional gateway.
  - To start each ObjectServer, run the following command on the host:
    $OMNIHOME/bin/nco_objserv -name <OS_NAME> -propsfile <objectserver-properties-file> &
    For example:
    $OMNIHOME/bin/nco_objserv -name AGG_P -propsfile $OMNIHOME/etc/AGG_P.props &
  - To start the bidirectional gateway, run the following command on the host:
    $OMNIHOME/bin/nco_g_objserv_bi -propsfile <gateway-properties-file> &
    For example:
    $OMNIHOME/bin/nco_g_objserv_bi -propsfile $OMNIHOME/etc/AGG_GATE.props &
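The checks a practitioner would want to run before the final restart, as an added example that is not part of the IBM documentation or of the Netcool/OMNIbus product: a POSIX shell script that writes the two $NCHOME/etc/security files with the values from the procedure, validates an ObjectServer properties file (PasswordEncryption : 'AES' plus a ConfigKeyFile that exists and is readable only by its owner), validates the gateway properties file (both Gate.ObjectServer*.Password entries set plus the key file), and checks a saved listing of security.users for 24-character Passwd values. The function names, the layout assumed for nco_sql output, the placeholder key file and every path in the demonstration are assumptions, not product behaviour.

```shell
#!/bin/sh
# Added example, not from the IBM documentation or the Netcool/OMNIbus product.
# Helpers that write the two $NCHOME/etc/security files from the procedure and
# check the properties files and the security.users output before the
# ObjectServers and gateway are restarted. All paths passed in are assumptions.

# Write fips.conf and sslciphers.conf with the settings from the procedure,
# one setting per line. The tls12_remove list drops the static-RSA suites.
write_fips_files() {
  secdir="$1"
  mkdir -p "$secdir"
  printf 'SP800_131MODE=TRUE\nTLS12_ONLY=TRUE\n' > "$secdir/fips.conf"
  cat > "$secdir/sslciphers.conf" <<'EOF'
sslv3_remove=_
tls10_remove=_
tls11_remove=_
tls12_remove="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"
EOF
}

# The ConfigKeyFile named in a properties file must exist and be readable only
# by its owner: whoever can read it can decrypt every password stored with it.
key_file_ok() {
  keyfile=$(sed -n "s/^ConfigKeyFile[[:space:]]*:[[:space:]]*'\([^']*\)'.*/\1/p" "$1")
  if [ -z "$keyfile" ] || [ ! -r "$keyfile" ]; then
    echo "$1: ConfigKeyFile is missing or unreadable: '$keyfile'" >&2
    return 1
  fi
  # Columns 5-10 of ls -l are the group and other permission bits.
  case $(ls -l "$keyfile" | cut -c5-10) in
    ------) return 0 ;;
    *) echo "$keyfile: key file is accessible to group or other; use chmod 600" >&2; return 1 ;;
  esac
}

# ObjectServer properties (step 2): AES password encryption plus a valid key file.
check_objserv_props() {
  if ! grep -Eq "^PasswordEncryption[[:space:]]*:[[:space:]]*'AES'" "$1"; then
    echo "$1: PasswordEncryption : 'AES' is missing" >&2
    return 1
  fi
  key_file_ok "$1"
}

# Gateway properties (step 5): both encrypted passwords set plus a valid key file.
check_gateway_props() {
  for side in A B; do
    if ! grep -Eq "^Gate\.ObjectServer$side\.Password[[:space:]]*:[[:space:]]*'[^']+'" "$1"; then
      echo "$1: Gate.ObjectServer$side.Password is missing or empty" >&2
      return 1
    fi
  done
  key_file_ok "$1"
}

# Step 3 verification: given the saved output of
#   select UserName,Passwd from security.users;
# every Passwd value must be 24 characters. The layout assumed here is a header
# line, an optional dashed underline, one row per user, then "(n rows affected)".
check_passwd_lengths() {
  awk 'NR == 1 || /^-/ || /^\(/ || NF < 2 { next }
       length($2) != 24 { bad = 1
                          print "user " $1 ": Passwd is " length($2) " chars, expected 24" }
       END { exit bad ? 1 : 0 }' "$1"
}

# Demonstration on a throwaway directory with constructed inputs. The key file
# is a placeholder, not output of nco_keygen, and the users listing is made up.
demo=$(mktemp -d)
write_fips_files "$demo/security"
printf 'placeholder-key\n' > "$demo/omni.key" && chmod 600 "$demo/omni.key"
printf "Name : 'AGG_P'\nPasswordEncryption : 'AES'\nConfigKeyFile : '%s'\n" \
  "$demo/omni.key" > "$demo/AGG_P.props"
check_objserv_props "$demo/AGG_P.props" && echo "AGG_P.props: ok"
printf 'UserName\tPasswd\nroot\t0123456789ABCDEF01234567\n(1 rows affected)\n' > "$demo/users.txt"
check_passwd_lengths "$demo/users.txt" && echo "security.users: all Passwd values are 24 characters"
rm -rf "$demo"
```

Run the checks against the real files (for example `check_objserv_props $OMNIHOME/etc/AGG_P.props` and the gateway properties file) after step 5 and before step 7; a failing key-file check is the one most often missed, because the ObjectServer starts fine with a world-readable key and only the confidentiality of the stored passwords is lost.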