Enable FIPS-Compliant Encryption
By default, when DX NetOps Performance Management synchronizes the SNMP profiles to Federal Information Processing Standards (FIPS)-compatible data sources, it encrypts the following parameters using a FIPS-compliant algorithm:
- Community Name
- User Name
- Authentication Password
- Privacy Password
FIPS-compatible data sources include the data aggregator, the event manager, and DX NetOps Spectrum. For other data sources, DX NetOps Performance Management synchronizes these parameters using a non-FIPS-compliant algorithm.
For more information, see SNMP Profiles.
You can also configure DX NetOps Performance Management to use FIPS-compliant encryption and hashing algorithms (where applicable) for user passwords and Single Sign-On. By default, FIPS-compliant encryption is not enabled.
DX NetOps Performance Management is not fully FIPS-compliant. Enabling FIPS-compliant encryption does not achieve full FIPS compliance.
Enable FIPS-Compliant Encryption
If you are in the process of upgrading the data aggregator, enable FIPS-compliant encryption only after the upgrade is complete. This avoids disabling the data aggregator data source and getting FIPS-compatibility synchronization errors.
For more information about this error, see Upgrading.
When you enable FIPS-compliant encryption:
- You cannot register or use data sources which do not support FIPS.
- Registered data sources that do not support FIPS are disabled.
Enabling FIPS-compliant encryption is not reversible. You can only roll back the configuration by restoring the
For more information, see Restore NetOps Portal.
Enable FIPS-compliant encryption during non-business hours. Any active user sessions are invalidated when you enable FIPS-compliant encryption. Users will need to log back in. The logs might also temporarily show encryption errors when these user sessions are invalidated.
Follow these steps:
- Back up the netqosportal NetOps Portal database. For more information, see Back Up NetOps Portal.
- Open a terminal session on the NetOps Portal host (as root or with the sudo command).
- Launch the Single Sign-On Configuration tool by issuing the ./SsoConfig command in the following directory: <installation_directory>/PerformanceCenter
  /opt/CA is the default installation directory.
  You are prompted to select an option. The available options correspond to the data sources running on the local server.
  Use the following commands as needed while you are selecting settings:
  - b (go back to the previous menu)
- Enter 1 for the 1. DX NetOps option to configure NetOps Portal (CAPC) security settings.
  You are prompted to choose a configuration option.
- Enter 3 for the 3. Security Settings option to configure NetOps Portal (DX NetOps) security settings.
  You are prompted to specify the priority. The Priority parameter only applies to NetOps Portal.
- Enter one of the following options:
  - 1. Remote Value: Propagates these settings to the data sources that are registered to this instance of NetOps Portal, including the Event Manager service, which embeds the NetOps Portal URL. NetOps Portal uses these settings only if a corresponding Local Override value is not present. To configure the scheme or port to include the correct NetOps Portal URL in threshold event email messages, use Remote Value.
  - 2. Local Override: Overrides a setting only on this NetOps Portal instance. This setting takes precedence over the Remote Value setting and the default settings.
  You are prompted to select a property to configure.
- Enter 7 for the 7: Enable FIPS option to configure DX NetOps Performance Management to use FIPS-compliant encryption and hashing algorithms.
- Follow the prompts in the console.
DX NetOps Performance Management is configured to use FIPS-compliant encryption and hashing algorithms.
Verify that the system is working. Store the most recent NetOps Portal backup in a secure location in case you have to roll back the configuration. Remove previous NetOps Portal backups or store the backups in a secure location.
Passwords in backups from before you enable FIPS-compliant encryption do not use FIPS-compliant encryption.