The SMS supports three levels of FIPS operation:
Disabled: No FIPS compliance actions or restrictions are activated in the SMS server.
Crypto Only: The only SMS functionality affected by this mode is the connection between an SSH client and the SMS server. When a connection is made from an SSH client to the SMS server, the SSH client negotiates connections using only FIPS 140-2 approved algorithms.
Full-FIPS: SMS operates in a manner that is compliant with the FIPS 140-2 publication.
Transitioning an SMS server to operate in Full-FIPS mode implements changes to core elements of the SMS server.
- Deletes all existing SMS users.
- Removes all SMS backup and device snapshots stored on the SMS server.
- Deletes all custom responder action's
- Regenerates SSH server and HTTPS web security keys.
The transition process reboots the SMS server and requires you to upload a new SMS key package to the SMS server. Placing the SMS server into one of the FIPS modes does not necessarily mean the SMS server is operating in compliance with FIPS 140-2. In order to operate in compliance with FIPS 140-2, you must place the SMS server into Full-FIPS mode and satisfy the following conditions:
- The external database replication feature cannot be enabled.
- The failed-lockout attempts counter must remain activated for all users.
- The password security level setting for each SMS user should remain at or above level 1.
Note: An SMS server operating in Full-FIPS mode cannot be configured as part of an SMS HA cluster. It must operate as a standalone SMS server.
Because security must be tightened while the SMS server is operating in Full-FIPS mode, the following restrictions are in effect:
- The SMS will perform software integrity self-test each time the SMS boots. If this test fails the SMS server will not be operational.
- The SSH terminal will negotiate connections using only FIPS 140-2 approved algorithms.
- You are not permitted to restore SMS backups that were created when SMS was not in Full-FIPS mode.
- You cannot import or execute custom Responder Actions.
- The SMS user password security is restricted to a minimum level of 1.
- You cannot perform password recovery.
- You are not permitted to use custom web security SSL certificates.
- The SMS hardware appliance must have a BIOS password enabled and set.
- It is recommended that the boot device section of the BIOS in the SMS hardware appliance be configured such that the only device configured as a boot device is the main hard drive.
How To: Common Task
- Log in to the SMS from a client.
- On the SMS toolbar, navigate to the Admin->Server Properties tab.
- Select the Management tab.
How To: Place the SMS Server into FIPS Crypto-Only Mode
- In the FIPS mode area, click Edit.
- Select Crypto Only as the Requested State.
- Click OK.
- On the SMS server, the SSH daemon (service) restarts, which terminates all existing SSH client connections. Depending on the SSH software used to create the connection with the SMS server, the terminated connections may be automatically retried, or you may be required to manually initiate a new connection.
How To: Prepare for Placing the SMS Server into FIPS Full-FIPS Mode
- Verify that the version and patch level of your SMS server is fully FIPS by checking the Certification Status field in the FIPS-mode area, located in the Admin -> Management tab. Operating in Full-FIPS mode does not guarantee the SMS server is in compliance with FIPS 140-2. The SMS software itself, including the SMS server, the SMS client, and installed SMS patches, must all be certified as complying with the FIPS 140-2 publication. As well, certain configuration changes to the SMS server after the transition to Full-FIPS mode may rescind the server compliance with FIPS140-2.
- Document all existing SMS users. All existing SMS accounts will be removed as part of the transition to Full-FIPS mode. After the transition completes, you should recreate the user accounts, however, for security purposes you should not use the exact same usernames and passwords.
- SMS backup stored on the SMS server, as well as device snapshots, should be moved off the SMS server and onto a secure storage system. All backup files and device snapshots that are stored on the SMS server are deleted as part of the transition to Full-FIPS mode.
- Verify you have access to FIPS keys that are available for download from the TMC. You need to enter these FIPS keys as part of the transition to Full-FIPS mode.
- Verify the browsers and SSH clients you use to connect to the SMS server support the Transport Layer Security (TLS) 1.0 protocol, sometimes referred to as SSL 3.1. TLS 1.0 support is required to connect to an SMS server running in Full-FIPS mode.
How To: Place the SMS Server into FIPS Full-FIPS Mode
- In the FIPS Mode area, click Edit.
- Select Full-FIPS as the Requested State.
- Create a new SMS user account, which will be the only active account after the transition to Full-FIPS mode. This user account and password should NOT match the credentials of any SMS account that existed prior to enabling Full-FIPS mode.
- Click OK. The SMS server reboots and begins the process of becoming FIPS 140-2 compliant. The process includes deleting all existing SMS users, removing all SMS backups and device snapshots stored on the SMS server, deleting custom responder actions, and regenerating all SSH server and HTTPS web security keys and certificates.
- Enter the SMS FIPS key package by connecting to the SMS server via a web browser and uploading the key to the SMS server
- After the SMS server finishes its reboots, the transition to Full-FIPS mode is incomplete until the SMS FIPS key package is loaded. If you have not already downloaded the FIPS key package, download it from the TMC. Next, open a web browser and connect to the SMS server by entering its hostname or IP address in the address bar. Follow the SMS server prompts to upload the SMS FIPS key package.
- After the new key is entered, the SMS server again reboots. When it completes the reboot, the transition to Full-FIPS mode is complete and you can connect to the SMS server through the command-line interface, web browser, SSH client, and SMS client.
How To: Take the SMS Server out of FIPS Mode
Disabling FIPS mode invokes significant changes to the SMS server, including removing all existing user accounts, removing all backups and device snapshots that are currently stored on the SMS server, and restores the original SMS keys.
- In the FIPS mode area, click Edit.
- Select Disabled as the Requested State.
- When prompted create a new SuperUser account. Note that user accounts that existed prior to disabling FIPS mode will be deleted.
Reference: SMS User Guide