Enabling SP 800-131a support

You use the nzconfigcrypto command to enable support for the SP 800-131a enhanced cryptography on a Netezza Performance Server system.

Before you begin

Your system must be running the required levels of the NPS, Red Hat, and Host Management releases, and the NPS software must be started. See Netezza Performance Server enhanced cryptography support for more information. The nzconfigcrypto script fails if these prerequisites are not met. When you run the command, you must specify an existing host key of type AES-256 as input to the command. If the system default host key is already an AES-256 key, you can specify that key name. For more information about creating and setting a host key, see the IBM® Netezza® Advanced Security Administrator's Guide.

Procedure

  1. Log in to the active host of the Netezza Performance Server system as the nz user.
    In these examples, the active host name is nzhost1.
  2. Run the nzconfigcrypto -enable command and specify the host key name.
    The host key must already be defined in your NPS system and must be of type AES-256. An example command follows:
    [nz@nzhost1 ~]$ nzconfigcrypto -HK ks1.key1 -enable
    Checking support for crypto standard in NPS
    Checking support for crypto standard in OS
    Checking for required library
    All required libraries found installed
    Checking NPS system state
    Checking and updating Host Key
    Host Key already set
    Checking and updating LDAP connection
    No LDAP configuration found
    Checking and updating Kerberos connection
    No Kerberos configuration found
    Checking and updating Authentication type
    Checking and updating Audit History Configuration
    No audit history configuration found
    Checking and updating postgresql.conf file
    Successfully updated parameter enable_crypto_std_v1
    
    Crypto mode successfully enabled
    You may now restart NPS

    The script checks the system and sets the system default host key to the specified one (if it is not already the default key). In the example, the system was not configured to use LDAP or Kerberos authentication, or an audit history configuration. However, if you use LDAP, Kerberos, or audit history, the command disables those features if they are currently non-compliant with the enhanced cryptography support.

    If Kerberos was enabled on the system, the command also displays the following messages. Note the SET AUTHENTICATION command in the output. You will supply that command in a future step to enable Kerberos authentication again.

    Restore Kerberos configuration with following command
    
    SET AUTHENTICATION kerberos kdc 'mykdc.com'  realm 'MYREALM.COM'
    
    WARNING:
    Kerberos conformance with SP800-131a cannot be controlled by the NPS.
    Verify that the Kerberos netezza principal will use only the des3-cbc-sha1,
    aes128-cts-hmac-sha1-96, or aes256-cts-hmac-sha1-96 encryption types.
    This must be configured on your Kerberos KDC.
  3. Stop and re-start the NPS software by using the nzstop and nzstart commands.
  4. After the NPS software starts, type the nzsql command to log in to the system database as the admin user.
    [nz@nzhost1 ~]$ nzsql
    Welcome to nzsql, the IBM Netezza SQL interactive terminal.
    
    Type:  \h for help with SQL commands
           \? for help on internal slash commands
           \g or terminate with semicolon to execute query
           \q to quit
    
    SYSTEM.ADMIN(ADMIN)=>
  5. Confirm that the host key is now set to the stronger key that you specified in the nzconfigcrypto command:
    SYSTEM.ADMIN(ADMIN)=> SHOW SYSTEM DEFAULT HOSTKEY;
    NOTICE:  'HOST KEY' = 'KS1.KEY1'
    SHOW VARIABLE
  6. If you use LDAP authentication for your database user accounts, type the following command to restore the LDAP configuration with the enhanced cryptographic support:
    SYSTEM.ADMIN(ADMIN)=> SET AUTHENTICATION ldap ssl 'on' attrname 'cn'
    base 'dc=netezza,dc=com' namecase 'lowercase' server 'yourldapsvr.company.com'
    version '3';
  7. If you use Kerberos authentication for your database user accounts, type the command that was displayed in the message output from the nzconfigcrypto -enable command earlier in this procedure to enable the Kerberos configuration:
    SYSTEM.ADMIN(ADMIN)=> SET AUTHENTICATION kerberos kdc 'mykdc.com' realm 'MYREALM.COM';
    Updating /nz/data.1.0/config/krb5.conf and other files.
    Re-log-in or open a new shell for changes to take effect.
    SET VARIABLE
  8. If you had an audit history configuration that was disabled by the script, you can update the history configuration to digitally sign it using a DSA_KEYPAIR_2048 key as in the following sample configuration named audit1:
    SYSTEM.ADMIN(ADMIN)=> ALTER HISTORY CONFIG audit1 KEY ks1.seckey;

    After you alter the audit configuration, set it as the current configuration to enable that history collection, and then stop and restart the NPS software by using the nzstop and nzstart commands to fully enable the audit configuration.

Results

The nzconfigcrypto -enable command verifies that the system can support enhanced cryptography and enables the SP 800-131a support in the Netezza Performance Server system. The command creates a log file named /tmp/crypto_date_time.log to capture the messages and information for later review and troubleshooting.
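As an added example (not part of the IBM documentation or of the nzconfigcrypto script itself), the following Python parser reads a captured nzconfigcrypto -enable transcript, or the /tmp log it writes, and reports whether crypto mode was enabled, which features were absent, and any SET AUTHENTICATION restore command that must be re-run in step 7; it also checks the SHOW SYSTEM DEFAULT HOSTKEY notice from step 5 against the key name given to -HK. The sample transcript is constructed from the messages shown on this page, and the function names are hypothetical.

```python
import re

# Constructed sample transcript: the messages shown on this page, for a run
# where LDAP and audit history were absent but Kerberos had been configured.
SAMPLE_OUTPUT = """Checking support for crypto standard in NPS
Checking and updating Host Key
Host Key already set
Checking and updating LDAP connection
No LDAP configuration found
Checking and updating Kerberos connection
Restore Kerberos configuration with following command

SET AUTHENTICATION kerberos kdc 'mykdc.com'  realm 'MYREALM.COM'

WARNING:
Kerberos conformance with SP800-131a cannot be controlled by the NPS.
Checking and updating Audit History Configuration
No audit history configuration found
Successfully updated parameter enable_crypto_std_v1

Crypto mode successfully enabled
You may now restart NPS
"""


def parse_nzconfigcrypto(text):
    """Summarise an nzconfigcrypto -enable transcript (or its /tmp log file)."""
    lines = [line.strip() for line in text.splitlines()]
    result = {"enabled": "Crypto mode successfully enabled" in lines,
              "not_configured": [], "restore_commands": [], "warnings": []}
    for i, line in enumerate(lines):
        absent = re.match(r"No (.+?) configuration found$", line)
        if absent:
            result["not_configured"].append(absent.group(1))
        if line.startswith("SET AUTHENTICATION"):
            # The script prints the command without the semicolon nzsql needs;
            # normalise whitespace and terminate it so it can be pasted in step 7.
            result["restore_commands"].append(re.sub(r"\s+", " ", line) + ";")
        if line == "WARNING:" and i + 1 < len(lines):
            result["warnings"].append(lines[i + 1])
    return result


def hostkey_matches(show_output, expected_key):
    """Check the SHOW SYSTEM DEFAULT HOSTKEY notice against the key passed to -HK.
    NPS reports the name upper-cased, so the comparison is case-insensitive."""
    found = re.search(r"'HOST KEY' = '([^']+)'", show_output)
    return bool(found) and found.group(1).upper() == expected_key.upper()
```

Run the parser over the saved log before step 3 so that a failed run, or a disabled LDAP, Kerberos or audit history feature, is noticed before the NPS restart rather than after.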