Flashes (Alerts)
Abstract
If FIPS is enabled after 12.0p15 is installed, logging in to the system via ssh will be impacted. If a system that already has FIPS enabled is upgraded to 12.0p15, there is no impact.
Do not enable FIPS on 12.0p15 until actions are taken to resolve this problem.
Content
Cause
Enabling FIPS on 12.0p15 adds KEX algorithms that are disallowed in FIPS mode. This prevents ssh login, which impacts cli users.
Note - Appliances where FIPS was already enabled before 12.0p15 was installed are not affected. 12.0p15 can be installed on appliances with FIPS enabled.
Prevention
Do not enable FIPS mode on 12.0p15 appliances until one of the patches below is installed.
Solution
If FIPS was already enabled on 12.0p15:
- To access an affected system via ssh, restrict the key exchange to an algorithm allowed in FIPS mode:
  ssh -o KexAlgorithms=ecdh-sha2-nistp521 <user e.g. cli>@<host>
- PuTTY is not able to connect with the correct ssh options. A Windows client that can specify ssh options can be used, for example Termius.
- Example showing ssh options connection with Termius:
- Install one of these patches in the environment:
  - The table will be updated when patches are available to download.
  - Patch release notes contain detailed steps and expected results.
Patch number: 12.0p1105
Install information: Ad-hoc patch to fix this issue only. Can be applied to any system individually.
Log information: Patch actions log is available from fileserver opt-ibm-guardium-log directory: fix_fips_ssh.log
Patch file location: Will be updated when patch released

Patch number: 12.0p1106
Install information: Ad-hoc patch to fix this issue only. Apply to CM and it will fix the CM and all MUs. This patch cannot be applied to a non-CM. The managed units must have a functional root/cloudsupport passkey set. Otherwise, remotely fixing those units will not be possible. Inspect the log file after installing the patch. There may be managed units that were offline. Such units will be skipped. If any MU was offline, when the system shows active in the CM Central Management page, the individual system patch 12.0p1105 can be installed locally on it.
Log information: Patch actions log is available from fileserver opt-ibm-guardium-log directory: fix_fips_ssh.log
Patch file location: Will be updated when patch released

Patch number: 12.0p6006
Install information: Next scheduled security patch with this fix and other security fixes.
Log information: Standard patch logging
Patch file location: Will be updated when patch released
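To verify which key exchange algorithms an appliance's sshd actually offers, and which of them fall outside a FIPS allowlist, the following is an added Python example (not IBM code and not part of the Guardium patches). It reads the server's SSH_MSG_KEXINIT directly; FIPS_KEX_ALLOWLIST is an assumed allowlist to adjust to your own policy, and the host passed to fetch_server_kexinit is the appliance you are checking.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
# Assumed allowlist of KEX algorithms usable in FIPS mode (an assumption, not from IBM);
# adjust it to what your FIPS-validated module actually permits.
FIPS_KEX_ALLOWLIST = {
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"}

def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data   # SSH name-list: uint32 length + names

def build_kexinit(kex_algs, cookie=b"\x00" * 16):
    """Build a minimal unencrypted KEXINIT packet (RFC 4253); used to construct offline sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie + _name_list(kex_algs) + _name_list([]) * 9
    payload += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8        # total length must be a multiple of 8,
    if padding < 4:                             # with at least 4 bytes of padding (zeros here)
        padding += 8
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding

def parse_kexinit(packet):
    """Return the kex_algorithms name-list from a raw unencrypted KEXINIT packet."""
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("packet is not SSH_MSG_KEXINIT")
    pos = 1 + 16                                # skip message id and 16-byte cookie
    (length,) = struct.unpack(">I", payload[pos:pos + 4])
    names = payload[pos + 4:pos + 4 + length].decode("ascii")
    return names.split(",") if names else []

def non_fips_kex(kex_algs, allowlist=FIPS_KEX_ALLOWLIST):
    """KEX algorithms the server offers that fall outside the allowlist, in server order."""
    return [alg for alg in kex_algs if alg not in allowlist]

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange identification strings, and return the server's raw KEXINIT packet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexcheck\r\n")
        stream = sock.makefile("rb")
        for line in stream:                     # skip any pre-banner lines
            if line.startswith(b"SSH-"):
                break
        header = stream.read(5)
        return header + stream.read(struct.unpack(">I", header[:4])[0] - 1)
```

Running non_fips_kex(parse_kexinit(fetch_server_kexinit("<host>"))) against the appliance before and after installing the patch shows whether the disallowed algorithms are still being offered; until then, one of the algorithms in the allowlist is what to pass to -o KexAlgorithms.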
Document Information
Modified date: 06 June 2024
UID: ibm17156399
