FIPS Compliance in ManageEngine OpManager

FIPS (Federal Information Processing Standards) is a set of standards developed by the US government, aimed at ensuring the security of sensitive and non-sensitive government data in computer systems and networks. Compliance with these standards is mandatory for all US federal agencies and contractors that handle sensitive information. The primary goal is to ensure that federal agencies and private organizations working with the government implement secure cryptographic methods and Key Management Systems (KMS) to safeguard sensitive data.

The National Institute of Standards and Technology recommends specific encryption and key generation techniques that a tool must adhere to for FIPS compliance. The modules conforming to FIPS 140-2 are recognized and widely used by Federal Agencies in both the U.S. and Canada to protect sensitive information.

Now, you can run OpManager in FIPS compliant mode, aligning with the standards set by the US government. Enabling FIPS mode in OpManager ensures that it becomes FIPS 140-2 compliant and operates using only FIPS-approved algorithms.

Pre-requisites for FIPS Compliance:

To achieve FIPS compliance for your entire environment or organization, you need to meet the following criteria:

Fresh Installation: FIPS mode can only be enabled during a fresh installation setup. We highly recommend enabling FIPS mode during the initial installation rather than upgrading OpManager.

FIPS Compliant OS: Install OpManager on a device with a FIPS compliant operating system to ensure compatibility with FIPS requirements.

SNMP v3 Credentials: As only SNMP v3 credentials are FIPS compliant, it's essential to change all SNMP credentials to SNMP v3.

Mail Server Compatibility: Ensure that your mail server version is compatible with TLSv1.2 or TLSv1.3, as these are the versions supported in FIPS mode.

FIPS-Compliant Authentication and Privacy Methods: All authentication and privacy methods used in the FIPS compliant environment should adhere to FIPS 140-2 standards.

How to Configure FIPS in OpManager:

Enabling FIPS mode in OpManager ensures that only secure, FIPS-compliant algorithms, which align with the security requirements outlined in the FIPS standards, are used in cryptographic operations.

To enable FIPS Mode, follow these steps:

  • Open a command prompt in administrative mode, navigate to the <opmanagerhome>/bin directory, and run the configureFIPSMode.bat / configureFIPSMode.sh file. After the script executes successfully, the trace "FIPS configuration script executed successfully" is displayed.

Note:

  • Ensure that OpManager's service is completely stopped before enabling FIPS mode.
  • Remember that FIPS mode can only be enabled during a fresh installation, so a fresh installation of the product is recommended to enable FIPS mode successfully.
  • After enabling FIPS mode, IPSLA-based WAN monitoring and VoIP monitoring won't function.
  • FIPS mode cannot be disabled once it has been enabled.

What will change after FIPS mode has been enabled?

Enabling FIPS mode in OpManager brings about several significant changes to enhance security and ensure compliance with FIPS guidelines:

Device Communication:

  • SNMP v3 communication becomes FIPS compliant.
  • Weak ciphers used by CLI and SMI protocols are disabled, and only FIPS compliant protocols are utilized.
  • WMI protocol communication remains unaffected as long as both sender and receiver use WMI.
  • REST API communication follows FIPS compliance when enabled.
  • In case the RDP feature is not working for Windows 2016 and above after making OpManager FIPS compliant, refer to the provided link for assistance.
  • It's important to note that once FIPS mode is enabled, it cannot be disabled.

Communication with Third-Party Integrations:

  • HTTPS with only strong, FIPS compliant ciphers will be used for communication with third-party integrations.

Changes in Certificates:

  • In FIPS mode, pfx file format and PKCS12 certificate type are restricted. Instead, the BCFKS keystore type is utilized in OpManager's FIPS compliant version.
  • Pre-configured SSL certificates will be converted to BCFKS format upon enabling FIPS mode. The SSL certificate in BCFKS format with ".keystore" extension can be imported via the UI to enable SSL.

Internal Communication:

  • Data communication between various components, including agent and server, APM plugin to OpManager server, central server and probe server, and application to database, will be secure and FIPS compliant.
  • The Failover migration process and data transmission between the primary and secondary server will be encrypted following FIPS compliance guidelines.
  • Communication via Mail server will also adhere to FIPS compliance.
  • Passwords and saved data will be automatically converted to FIPS compliant formats.

Limitations of FIPS Mode:

  • Radius authentication is not FIPS compliant, and therefore, it will be removed upon enabling FIPS mode.
  • MSSQL with Windows authentication is not supported in FIPS mode.
  • MSSQL versions 2014 & below are not supported in FIPS mode because those versions use non-FIPS-compliant algorithms.
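
A pre-flight check against the prerequisites and limitations listed above, as an added example (not ManageEngine code): it audits a constructed inventory for SNMP credentials, mail servers and MSSQL back ends that would block FIPS mode. The CSV columns, entry names and algorithm allow-lists are assumptions; the allow-lists reflect commonly FIPS-approved SNMPv3 options, not a list published by OpManager.

```python
import csv
import io

# Assumed allow-lists (general FIPS-approved families, not OpManager's own list).
APPROVED_AUTH = {"SHA", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}
APPROVED_PRIV = {"AES-128", "AES-192", "AES-256"}
APPROVED_TLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample inventory; column names are hypothetical.
SAMPLE = """kind,name,version,auth,priv
snmp,core-switch,v2c,,
snmp,edge-router,v3,MD5,DES
snmp,dc-firewall,v3,SHA-256,AES-128
mail,smtp-legacy,TLSv1.0,,
mail,smtp-relay,TLSv1.2,,
mssql,opmdb-old,2014,sql,
mssql,opmdb-new,2019,windows,
mssql,opmdb-ok,2019,sql,
"""


def audit(inventory_csv):
    """Return (name, reason) pairs for entries that block FIPS mode."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        kind, name, version = row["kind"], row["name"], row["version"]
        if kind == "snmp":
            if version != "v3":
                findings.append((name, f"SNMP {version}: change credential to SNMP v3"))
                continue
            # Empty auth/priv fields are not judged here, only named algorithms.
            if row["auth"] and row["auth"] not in APPROVED_AUTH:
                findings.append((name, f"auth protocol {row['auth']} is not FIPS-approved"))
            if row["priv"] and row["priv"] not in APPROVED_PRIV:
                findings.append((name, f"privacy protocol {row['priv']} is not FIPS-approved"))
        elif kind == "mail":
            if version not in APPROVED_TLS:
                findings.append((name, f"mail server offers {version}; needs TLSv1.2 or TLSv1.3"))
        elif kind == "mssql":
            if int(version) <= 2014:
                findings.append((name, f"MSSQL {version} is not supported in FIPS mode"))
            if row["auth"] == "windows":
                findings.append((name, "MSSQL with Windows authentication is not supported"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```

Because FIPS mode cannot be disabled once enabled, run a check like this against the real inventory before executing the configuration script.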

By enabling FIPS mode, OpManager ensures heightened security, compliance with industry standards, and protection against potential vulnerabilities that may arise from weak cryptographic protocols and algorithms. It provides a robust framework to safeguard data communication and integrations within the system while adhering to the strict FIPS guidelines.