Enable FIPS-Compliant Encryption

By default, when DX NetOps Performance Management synchronizes the SNMP profiles to Federal Information Processing Standards (FIPS)-compatible data sources, it encrypts the following parameters using a FIPS-compliant algorithm:
  • SNMPv1/v2c:
    • Community Name
  • SNMPv3:
    • User Name
    • Authentication Password
    • Privacy Password
FIPS-compatible data sources include the data aggregator, the event manager, and DX NetOps Spectrum. For other data sources, DX NetOps Performance Management synchronizes these parameters using a non-FIPS-compliant algorithm.
For more information, see SNMP Profiles.
You can also configure DX NetOps Performance Management to use FIPS-compliant encryption and hashing algorithms (where applicable) for user passwords and Single Sign-On. By default, FIPS-compliant encryption is not enabled.
DX NetOps Performance Management is not fully FIPS-compliant. Enabling FIPS-compliant encryption does not make the product fully FIPS-compliant.
Enable FIPS-Compliant Encryption
If you are in the process of upgrading the data aggregator, enable FIPS-compliant encryption only after the upgrade is complete. Doing so avoids disabling the data aggregator data source and getting FIPS-compatibility synchronization errors.
For more information about this error, see Upgrading.
When you enable FIPS-compliant encryption:
  • You cannot register or use data sources which do not support FIPS.
  • Registered data sources that do not support FIPS are disabled.
Enabling FIPS-compliant encryption is not reversible. You can only roll back the configuration by restoring the netqosportal and em NetOps Portal databases.
For more information, see Restore NetOps Portal.
Enable FIPS-compliant encryption during non-business hours. Any active user sessions are invalidated when you enable FIPS-compliant encryption. Users will need to log back in. The logs might also temporarily show encryption errors when these user sessions are invalidated.
Follow these steps:
  1. Back up the netqosportal NetOps Portal database.
    For more information, see Back Up NetOps Portal.
  2. Open a terminal session on the NetOps Portal host (as root or with the sudo command).
  3. Launch the Single Sign-On Configuration tool by issuing the ./SsoConfig command in the following directory:
    <installation_directory>/PerformanceCenter
    /opt/CA is the default installation directory.
    You are prompted to select an option. The available options correspond to the data sources running on the local server.
    Use the following commands as needed while you are selecting settings:
    • q (quit)
    • b (go back to the previous menu)
    • u (update)
    • r (reset)
  4. Enter 1 for the 1. DX NetOps option to configure NetOps Portal (CAPC) security settings.
    You are prompted to choose a configuration option.
  5. Enter 3 for the 3. Security Settings option to configure NetOps Portal (DX NetOps) security settings.
    You are prompted to specify the priority.
    The Priority parameter only applies to NetOps Portal.
  6. Enter one of the following options:
    • 1. Remote Value
      Propagates these settings to the data sources that are registered to this instance of NetOps Portal, including the Event Manager service, which embeds the NetOps Portal URL. NetOps Portal uses these settings only if a corresponding Local Override value is not present. To configure the scheme or port to include the correct NetOps Portal URL in threshold event email messages, use Remote Value.
    • 2. Local Override
      Overrides a setting only on this NetOps Portal instance. This setting takes precedence over the Remote Value setting and the default settings.
    You are prompted to select a property to configure.
  7. Enter 7 for the 7: Enable FIPS option to configure DX NetOps Performance Management to use FIPS-compliant encryption and hashing algorithms.
  8. Follow the prompts in the console.
DX NetOps Performance Management is configured to use FIPS-compliant encryption and hashing algorithms.
Next Steps
Verify that the system is working. Store the most recent NetOps Portal backup in a secure location in case you have to roll back the configuration. Remove previous NetOps Portal backups or store the backups in a secure location.
Passwords in backups from before you enable FIPS-compliant encryption do not use FIPS-compliant encryption.