Enabling FIPS mode

If you need your installation to comply with Federal Information Processing Standards (FIPS), you must enable FIPS mode during the initial configuration.

About this task

Enable FIPS mode only if you must comply with FIPS requirements. There is no advantage to enabling FIPS mode if your installation does not require it. To disable FIPS mode, you must re-image the appliance. When you re-image the appliance, all the policy configuration and appliance settings are lost.
Note: If you enable FIPS mode on your appliance and plan to use the user authentication feature, you must enable TLS 1.0 and TLS 1.1 during the FIPS configuration process to enable the use of Mozilla Firefox or Google Chrome browsers. You do not need to enable TLS 1.0 and TLS 1.1 if all of your network users use Microsoft Internet Explorer.

Procedure

  1. On the Welcome page, click FIPS Mode.
  2. To enable FIPS mode, select Enable FIPS 140-2 mode.
    Note: NIST SP 800-131A prohibits the use of TLS version 1.1 or earlier. When you enable FIPS mode on the IBM QRadar Network Security appliance, TLS V1.0, TLS V1.1, and all versions of SSL are automatically disabled for LMI connections. Because TLS V1.2 support is not available in most browsers, you can configure your appliance to accept TLS V1.0 and V1.1 during the initial setup.
  3. To allow users to connect to the LMI using TLS version 1.0 or 1.1, select one or both of the following options:
    • Allow TLS V1.0 for LMI sessions
    • Allow TLS V1.1 for LMI sessions
    Tip: After you complete initial setup, you can configure LMI TLS settings using the following advanced tuning parameters:
    • lmi.security.tlsv10 = true/false
    • lmi.security.tlsv11 = true/false
    Important: Change advanced tuning parameter values only under the supervision of IBM Support.
  4. Click Save Configuration.
  5. Click Yes to confirm.
    Note: When you enable FIPS mode, the appliance restarts to run the required integrity checks. After the appliance restarts, log in again to continue the setup process.
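
To confirm after the restart that the LMI enforces the choices made in step 3, the following added example (not IBM code) offers one TLS version at a time and lists any legacy version the server accepted without it being allowed. The host, port, and function names are assumptions; certificate validation is skipped because only the protocol version is under test.

```python
import socket
import ssl
import warnings

# Protocol versions the page names for LMI sessions.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version; return how the server responded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE  # so the certificate is not validated
    try:
        # Modern OpenSSL builds refuse TLS 1.0/1.1 at the default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "client-unsupported"  # local TLS library cannot offer this version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except OSError:              # handshake alert, reset, EOF or timeout
            return "rejected"

def scan(host, port):
    """Probe every version in VERSIONS; port is whatever the LMI listens on."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}

def violations(results, allow_tlsv10=False, allow_tlsv11=False):
    """Legacy versions the server accepted although setup did not allow them.

    The flags mirror the 'Allow TLS V1.0/V1.1 for LMI sessions' options.
    """
    allowed = {"TLSv1.0": allow_tlsv10, "TLSv1.1": allow_tlsv11}
    return [v for v, ok in allowed.items()
            if results.get(v) == "accepted" and not ok]
```

A "client-unsupported" result means the machine running the check cannot offer that version, so it says nothing about the appliance; run the check from a client that can.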