FIPS Compliance - ManageEngine OpUtils

    FIPS, the Federal Information Processing Standards, is a set of standards issued by the United States government to protect sensitive data, both classified and unclassified, held in computer systems and networks. U.S. federal agencies, and the contractors that handle sensitive information on their behalf, are required to adhere to them. The objective is to ensure that the cryptographic algorithms and key management used by federal agencies, and by private entities working with the government, are strong enough to protect that data.

    The National Institute of Standards and Technology (NIST) specifies the encryption and key-generation techniques a product must use to be FIPS compliant. FIPS 140-2 is the standard that applies to cryptographic modules, and modules validated against it are widely used by federal agencies in the United States and Canada (the two countries run the validation programme jointly) to protect sensitive information.

    ManageEngine OpUtils can run in a FIPS-compliant mode that aligns it with these U.S. government requirements. Enabling FIPS mode makes OpUtils FIPS 140-2 compliant and restricts it to FIPS-approved cryptographic algorithms. Note that FIPS 140-2 validation is a property of the cryptographic module, not of the application that calls it: "compliant" here means OpUtils uses only validated modules and approved algorithms.

    Prerequisites for achieving FIPS compliance:

    To attain FIPS compliance for your entire environment or organization, you must fulfill the following requirements:

    Fresh Installation: FIPS mode can only be enabled on a freshly installed instance. Enable it as part of the initial installation rather than when upgrading an existing OpUtils installation.

    FIPS Compliant OS: Install OpUtils on a host whose operating system is itself configured for FIPS compliance, so that the platform does not undermine the application's FIPS mode.

    SNMP v3 Credentials: Only SNMP v3 credentials are FIPS compliant, so migrate every SNMP credential (v1 and v2c) to SNMP v3 before enabling FIPS mode.

    Mail Server Compatibility: Verify that your mail server supports TLS 1.2 or TLS 1.3; these are the only TLS versions usable in FIPS mode, so a server limited to TLS 1.0 or 1.1 will stop working.

    FIPS-Compliant Authentication and Privacy Methods: In a FIPS-compliant environment, every authentication and privacy method must be one approved under FIPS 140-2. For SNMP v3 this means the SHA family for authentication and AES for privacy; MD5 and DES are not approved and must be replaced before enabling FIPS mode.

    Configuring FIPS in OpUtils:

    In OpUtils, FIPS mode ensures that only FIPS-approved algorithms are used for cryptographic operations. To enable FIPS mode:

    • Stop the OpUtils service. Open a command prompt (or shell) with administrative privileges, change to the <opmanagerhome>/bin directory and run configureFIPSMode.bat (Windows) or configureFIPSMode.sh (Linux). When the script completes, it prints "FIPS configuration script executed successfully".


    Note:

    • Ensure that the OpUtils service is completely stopped before enabling FIPS mode.
    • FIPS mode can only be enabled on a fresh installation; perform a fresh installation of the product before activating it.
    • FIPS mode cannot be disabled once it has been enabled. Because the change is irreversible, back up the installation before running the script.

    What will change after FIPS mode has been enabled?

    Enabling FIPS mode in OpUtils introduces several significant changes aimed at enhancing security and ensuring compliance with FIPS guidelines:

    Device Communication:

    • SNMP v3 communication becomes FIPS compliant.
    • Weak ciphers used by the CLI and SMI protocols are disabled; only FIPS-compliant protocols are used.
    • WMI communication is unaffected, provided both ends use WMI.
    • REST API communication is FIPS compliant once FIPS mode is enabled.
    • Once enabled, FIPS mode cannot be disabled.

    Communication with Third-Party Integrations:

    • Communication with third-party integrations uses HTTPS with only strong, FIPS-compliant ciphers.

    Changes in Certificates:

    • In FIPS mode, the .pfx file format and the PKCS12 keystore type are not permitted. The FIPS-compliant version of OpUtils uses the BCFKS (Bouncy Castle FIPS) keystore type.
    • SSL certificates configured before enabling FIPS mode are converted to BCFKS automatically. Afterwards, a certificate can only be imported through the UI as a BCFKS keystore file with the ".keystore" extension, so a certificate exported as PKCS12/.pfx from a CA or another server must first be converted to BCFKS.

    Internal Communication:

    • Communication with the mail server is FIPS compliant.
    • Stored passwords and saved data are converted automatically to FIPS-compliant formats.

    Limitations of FIPS Mode:

    • RADIUS authentication is not FIPS compliant and is removed when FIPS mode is enabled, so users who log in through RADIUS need another authentication path beforehand.
    • MSSQL with Windows authentication is not supported in FIPS mode.
    • MSSQL 2014 and earlier are not supported in FIPS mode, because those versions use non-FIPS-compliant algorithms.
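    Since FIPS mode cannot be reverted, it is worth checking the prerequisites listed above (SNMP v3 only, FIPS-approved authentication and privacy algorithms, a mail server that speaks TLS 1.2 or 1.3) and the limitations listed in this section (RADIUS, MSSQL version and authentication mode) before running the script. The pre-flight audit below is an added example written for this page; it is not code from ManageEngine or the OpUtils product. OpUtils documents no export of this data, so the input structure (a dict with snmp_credentials, mail_server, authentication and database keys), every field name, and the sample configuration are assumptions made for illustration.

```python
"""Pre-flight audit for the OpUtils FIPS-mode prerequisites and limitations.

Added example, not code from ManageEngine or the OpUtils documentation.
The input structure and all field names below are assumptions; adapt them
to however you extract credential and server settings in your environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SNMPv3 USM algorithms accepted as FIPS-approved: the HMAC-SHA family for
# authentication and AES for privacy. MD5 and DES are not approved under
# FIPS 140-2 and are the usual reason a credential fails this check.
FIPS_SNMP_AUTH = {"SHA", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
FIPS_SNMP_PRIV = {"AES", "AES128", "AES192", "AES256"}
# TLS versions the page lists as usable for the mail server in FIPS mode.
FIPS_TLS_VERSIONS = {"TLSV1.2", "TLSV1.3"}
# MSSQL 2014 and below are unsupported, so 2016 is the minimum version.
MIN_MSSQL_VERSION = 2016


@dataclass(frozen=True)
class Finding:
    item: str      # which configuration item blocks FIPS mode
    problem: str   # why it blocks FIPS mode


def _norm(name: str) -> str:
    """Canonicalise algorithm names: 'hmac-sha-256' -> 'SHA256', 'aes 128' -> 'AES128'."""
    canon = re.sub(r"[^A-Z0-9]", "", name.upper())
    return canon[4:] if canon.startswith("HMAC") else canon


def check_snmp_credential(cred: dict) -> list[Finding]:
    """Only SNMPv3 with FIPS-approved auth and priv algorithms survives FIPS mode."""
    name = cred.get("name", "<unnamed>")
    if cred.get("version") != "v3":
        return [Finding(name, f"SNMP {cred.get('version')} credential; only SNMPv3 is FIPS compliant")]
    findings = []
    auth, priv = cred.get("auth"), cred.get("priv")
    # Requiring authPriv (both algorithms present) is an assumption of this example.
    if not auth or _norm(auth) not in FIPS_SNMP_AUTH:
        findings.append(Finding(name, f"authentication protocol {auth!r} is not FIPS approved"))
    if not priv or _norm(priv) not in FIPS_SNMP_PRIV:
        findings.append(Finding(name, f"privacy protocol {priv!r} is not FIPS approved"))
    return findings


def check_mail_server(mail: dict) -> list[Finding]:
    """The mail server must offer TLS 1.2 or 1.3; older versions are unusable in FIPS mode."""
    offered = {v.upper() for v in mail.get("tls_versions", [])}
    if offered & FIPS_TLS_VERSIONS:
        return []
    return [Finding(mail.get("host", "mail server"),
                    f"offers only {sorted(offered) or 'no TLS'}; TLS 1.2 or 1.3 is required")]


def check_authentication(auth: dict) -> list[Finding]:
    """RADIUS is removed when FIPS mode is enabled; warn before users lose their login path."""
    if auth.get("radius_enabled"):
        return [Finding("RADIUS", "not FIPS compliant; it is removed when FIPS mode is enabled")]
    return []


def check_database(db: dict) -> list[Finding]:
    """MSSQL needs 2016 or later and SQL (not Windows) authentication in FIPS mode."""
    if db.get("type", "").upper() != "MSSQL":
        return []  # the bundled PostgreSQL database has no listed limitation
    findings = []
    if int(db.get("version", 0)) < MIN_MSSQL_VERSION:
        findings.append(Finding("MSSQL", f"version {db.get('version')} uses non-FIPS algorithms; 2016 or later required"))
    if db.get("windows_auth"):
        findings.append(Finding("MSSQL", "Windows authentication is not supported in FIPS mode"))
    return findings


def audit(config: dict) -> list[Finding]:
    """Run every check; an empty list means nothing on the page blocks enabling FIPS mode."""
    findings: list[Finding] = []
    for cred in config.get("snmp_credentials", []):
        findings += check_snmp_credential(cred)
    findings += check_mail_server(config.get("mail_server", {}))
    findings += check_authentication(config.get("authentication", {}))
    findings += check_database(config.get("database", {}))
    return findings


# Constructed sample input (not real OpUtils data) that trips every check once.
SAMPLE_CONFIG = {
    "snmp_credentials": [
        {"name": "core-switches", "version": "v3", "auth": "SHA-256", "priv": "AES-128"},
        {"name": "legacy-printers", "version": "v2c"},
        {"name": "old-routers", "version": "v3", "auth": "MD5", "priv": "DES"},
    ],
    "mail_server": {"host": "smtp.example.internal", "tls_versions": ["TLSv1.0", "TLSv1.1"]},
    "authentication": {"radius_enabled": True},
    "database": {"type": "MSSQL", "version": 2014, "windows_auth": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"BLOCKER  {finding.item}: {finding.problem}")
```

    Run it against your own exported settings before stopping the service; every finding it prints corresponds to one of the prerequisites or limitations on this page and should be resolved first, since the configureFIPSMode script leaves no way back.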

    With FIPS mode enabled, OpUtils restricts itself to FIPS-approved algorithms and protocols, removing the exposure that weak cryptography would otherwise create for device communication, third-party integrations and stored data, while adhering to the FIPS guidelines described above.