SSL and FIPS 140-2 support

The Tivoli Event Integration Facility supports the use of the Secure Sockets Layer (SSL) encryption and authentication protocol to send and receive events. In addition, EIF SSL connections can operate in FIPS 140-2 mode, which means the use of FIPS 140-2 approved cryptographic providers.

SSL uses digital certificates for key exchange and authentication. When a client initiates an SSL connection, the server presents the client with a certificate that is signed by a certificate authority (CA). A CA is a trusted party that guarantees the identity of the certificate and its creator. The server certificate contains the identity of the server, the public key, and the digital signature of the certificate issuer.

In FIPS 140-2 mode, all encryption and key generation functions that are required for the secure SSL connections are provided by FIPS 140-2 approved cryptographic providers. These providers are the same providers that are used for FIPS 140-2 mode for the main Tivoli Netcool/OMNIbus product. FIPS 140-2 support is provided as follows for each version of the EIF API:

  • For C programming languageFIPS 140-2 mode is facilitated by the use of IBM® Global Security Kit (GSKit). Ensure that the path to the GSKit libraries appears in the following environment variables:
    Operating system Environment variables
    UNIX LIBPATH, SHLIB_PATH, or LD_LIBRARY_PATH
    Windows PATH
    GSKit can be accessed from $NCHOME/bin on UNIX operating systems, or from %NCHOME%\bin on Windows operating systems.
    Restriction: SSL support is unavailable in the EIF C API for platforms that are not supported by GSKit.
  • For Java
programming languageFIPS 140-2 mode is facilitated by the use of IBM Java™ runtime environment (JRE) 1.4.2 or higher. The JRE must be configured for FIPS 140-2 mode.

Enabling FIPS 140-2 mode

To enable FIPS 140-2 mode:

  1. Edit the EIF configuration file and set the channel_nameSSLFIPSMode property to ON.
  2. For all Java based applications, configure the Java runtime environment for FIPS 140-2 mode.
  3. If an EIF receiver application is enabled for FIPS 140-2 mode, enable FIPS 140-2 mode for all EIF client programs that connect to the receiver.

Generating and managing key and digital certificates

If you configure SSL in the EIF configuration file, use the nc_gskcmd command-line utility or the iKeyman graphical utility to generate and manage keys and digital certificates that are required for SSL communication. The following table describes the keys and certificates to manage and explains them in the context of the EIF.

Table 1. Configuration and usage of key database file for SSL and FIPS 140-2 operations of the EIF
Database file Description Instructions
Keystores for the EIF receiver applications The keystore of the receiver is a key database. The default personal certificate of the keystore is presented by the EIF receiver to EIF clients during an SSL connection. This certificate can be either a self-signed certificate that you create, or a certificate that is obtained from and signed by a CA. The certificate must be set as the default personal certificate in the key database of the receiver. The following database formats are used:
  • For C programming languageCMS
  • For Java
programming languageJKS
Create keystores for EIF receiver applications.

Use the channel_nameSSLKeystore configuration keyword to configure the EIF receiver to use a key database as its keystore. If an EIF receiver application uses the configuration keyword, that is, if the channel_nameSSLRequireClientAuthentication keyword is set to YES, clients must also present a certificate during an SSL connection. The keystore of the receiver must then contain not only the personal certificate of the receiver, but also the default personal certificates of any trusted clients. Import these trusted certificates into the keystore of the receiver.

Keystores for EIF client applications The keystore of the client is a key database that contains the default personal certificates of any EIF receiver applications that are trusted by the EIF client. Import these trusted certificates into the keystore of the client so that the client can connect to the EIF receiver that is using SSL. The following database formats are used:
  • For C programming languageCMS
  • For Java
programming languageJKS
Create keystores for EIF client applications.

Use the channel_nameSSLKeystore configuration keyword to configure the EIF receiver to use a key database as its keystore. If an EIF receiver application uses the configuration keyword, that is, if the channel_nameSSLRequireClientAuthentication keyword is set to YES, clients must also present a certificate during an SSL connection. The keystore of the receiver must then contain not only the personal certificate of the receiver, but also the default personal certificates of any trusted clients. Import these trusted certificates into the keystore of the receiver.

Truststores Truststores are key databases that contain certificates that are trusted by an EIF application. Any EIF application, whether client or receiver, can use a single key database to hold both trusted certificates and the default personal certificate of the application. Use the channel_nameSSLKeystore keyword to configure truststores.

For Java
programming languageYou can also use one key database to hold trusted certificates, and a second key database to hold the default personal certificate of the application. Use the channel_nameSSLTruststore keyword to specify the key database that contains the trusted certificates. Use the channel_nameSSLKeystore keyword to specify the key database that contains the default personal certificate of the application.

Stash file   For C programming languageFor automatic login to access the digital certificates, save the password for a key or trust database in encrypted format to a stash file. Whenever the keystore or truststore is accessed, the system checks whether a stash file exists. If found, the file contents are decrypted and used as input for the password.

For Java
programming languageTo create and store encrypted passwords for applications, use the com.tivoli.tec.event_delivery.common.Encryption script.

Ciphers The sending and receiving ends of the EIF connection must have at least one cipher in common in order for the connection to succeed. FIPS 140–2 mode restricts the ciphers that are allowed for both the C and Java versions of EIF Use the SSLCipherList keyword to specify the ciphers that are permitted during SSL authentication. If no ciphers are specified or restricted, all available ciphers are permitted.
For C programming languageThe following ciphers are available:
  • SSL_RC2_CBC_128_CBC_WITH_MD5
  • SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5
  • SSL_DES_64_CBC_WITH_MD5
  • SSL_DES_192_EDE3_CBC_WITH_MD5
  • SSL_NULL_WITH_NULL_NULL
  • SSL_RSA_WITH_NULL_MD5
  • SSL_RSA_WITH_NULL_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_RSA_WITH_RC4_128_SHA
  • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • SSL_RSA_WITH_DES_CBC_SHA

For Java
programming languageAny cipher that is supported by the IBM JRE is valid. For all the supported ciphers, see the Java Secure Socket Extension (JSSE) IBMJSSE2 Provider Reference Guide for the Java 2 SDK, Standard Edition, Version 5 at http://www.ibm.com/developerworks/java/jdk/security/50/secguides/jsse2Docs/JSSE2RefGuide.html.