Highlighted
Absent Member.. Absent Member..
Absent Member..
161 views

What is the FIPS 140-2 compliant way to install a CA signed certificate

In a new installation of NNMi 10.20, FIPS 140-2 compliance is enabled by default. If a CA signed certificate is added to the keystore, and com.hp.ov.nms.ssl.KEY_ALIAS is set in nms-local.properties to reference it, then the system generates the error "only SunJSSE KeyManagers may be used". The deployment guide explicitly states that the keystore may only contain one certificate, presumably for this reason though that is not stated. Elsewhere in the deployment guide, use of KEY_ALIAS is documented so the guide is inconsistent. This should be fixed.

I read somewhere, but now I can't find it, that the certificate is used to encrypt postions of the embedded database which implies that the instructions to replace the certificate, rather than adding the new one, would be incorrect.

The solution in KM02597943 is to replace java.security with the version that does not require JsafeJCE.

Is there a procedure to keep JsafeJCE and to use a CA signed certificate?

 

0 Likes
1 Reply
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: What is the FIPS 140-2 compliant way to install a CA signed certificate

George,

  When you install a new installation of 10.20 ( and not upgrade from 10.0 or 10.1 ) then the certificate store is changed from the old JCE to a PKCS12 format.  The file names   nnm.keystore and nnm.truststore  are no longer used and instead nnm-key.p12 and nnm-trust.p12 are used.   The use of KEY_ALIAS is also no longer used as you only store one certificate in the new keystore and this should be the server certificate.  It can either be a selfsigned or a CA chain of certificates.

  Another feature of 10.20 is that the encryption of the secret key that allows access to the database is now done using a different keystore and these server certificates are no longer used for this purpose.  This greatly simplifies things when you are updating or changing the server certs.

  You should be able to install a CA certificate into the new key store using the steps in the Deployment Guide.  I followed them for my servers and they appear to be complete - just read the text carefully, especially if you are used to doing this the "old way" on 10.1 and prior.

  If you still hit a problem then please open a support case and we can get things checked out, but revert any changes you have made e.g. the KEY_ALIAS etc and then just proceed to delete the new nnm-key.p12 file and recreate it using the instructions from the DG.

  good luck, I hope this helps

Dave Y

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.