How to enable FIPS on the Data Repository database server at the OS level
Article ID: 214018

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Currently running DX NetOps Performance Management in a secure environment without FIPS enabled.

New security requirements state FIPS MUST be enabled on the DX NetOps Performance Management Data Repository Vertica database.

After enabling FIPS on the Vertica DR DB cluster node(s) and stopping the DB, it will not restart. It restarts only after FIPS is disabled again at the OS level.

The following error may be seen when trying to start the DB after enabling FIPS on the OS. The error is written to the /opt/vertica/log/adminTools.log file:

2021-05-04 14:00:11.526 at_exec/25317:0x7f52dc506740 [CatalogEditor._recorded_readline] <INFO> Next line of response was ['Cannot enable FIPS mode. 139785270915776:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:93:\n']

How can we enable FIPS at the OS level while maintaining a functional Data Repository database?

Environment

All supported DX NetOps Performance Management Data Repository releases

Cause

There is no ability to enable FIPS on the OS of an existing Data Repository Vertica database cluster.

This is a Vertica database limitation.

Resolution

Enabling FIPS on an existing Data Repository Vertica database cluster requires migrating it to new hosts using the following process.

Without following these tested steps the database is unlikely to start or operate normally.

  1. Install a new Vertica cluster with FIPS enabled at the OS level during the installation.
    1. Enable FIPS at the OS level.
    2. Prepare to Install the Data Repository
    3. Install the Data Repository
  2. Disable FIPS at the OS level post Vertica install.
  3. Follow the Migrate the Data Repository documentation, which covers migrating the database from the old to the new systems with the Vertica copycluster tool.
  4. Modify the security_algorithm for the dauser to prepare for FIPS being enabled.
    1. Open a VSql prompt on the new system post database migration
      1. Log into the CLI of a database node as the dradmin user.
      2. Go to /opt/vertica/bin
      3. Run "./vsql" and enter the password for the database when prompted.
        • Use the same password used to stop/start the database via the adminTools UI.
    2. Run the command: select * from password_auditor;
      • Users that are not FIPS enabled show a security_algorithm value of MD5.
      • FIPS-enabled users must change from MD5 to SHA512, as required by FIPS.
      • Example output:
    3. Run the following command to change the dauser security_algorithm value from MD5 to SHA512.
      • alter user dauser security_algorithm 'SHA512' identified by '<dapass>'; 
      • NOTE: Replace <dapass> with the dauser password.
      • This sample shows the successful command run when the default 'dapass' password is used.
    4. Run the following command to confirm the change.
      • select * from password_auditor;
      • The dauser should now use SHA512 for security_algorithm, not MD5.
  5. Re-enable FIPS at the OS level on the new database cluster.
  6. Validate that the DB stops and starts successfully with FIPS enabled.
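The following pre-flight script is an added example, not part of this article or of the Vertica product, that automates the check in steps 4 and 5: it parses the password_auditor output and refuses to proceed while any user is still hashed with MD5, and it reads the kernel FIPS flag so the operator can confirm the OS state before and after step 5. It assumes vsql lives at /opt/vertica/bin/vsql, that password_auditor exposes user_name and security_algorithm columns, and that vsql -A -t prints one pipe-delimited row per line (assumptions, not taken from the article). The sample audit rows at the top are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the KB article). Pre-flight checks before
# re-enabling FIPS on the migrated Data Repository cluster.

# Constructed sample of "vsql -A -t" output for:
#   select user_name, security_algorithm from password_auditor;
# (assumed column names; dauser is still on MD5 here on purpose)
SAMPLE_AUDIT='dbadmin|SHA512
dauser|MD5'

# Returns 0 if the kernel reports FIPS mode enabled, 1 otherwise.
os_fips_enabled() {
  [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# Reads "user_name|security_algorithm" lines on stdin and prints the names
# of users still hashed with MD5. Returns 1 if any were found, 0 if none.
users_still_on_md5() {
  found=0
  while IFS='|' read -r user algo; do
    [ -z "$user" ] && continue
    if [ "$algo" = "MD5" ]; then
      echo "$user"
      found=1
    fi
  done
  return $found
}

# Queries the live database (assumed vsql path and columns). vsql prompts for
# the database password, the same one used in the adminTools UI.
audit_live_db() {
  /opt/vertica/bin/vsql -A -t -c \
    "select user_name, security_algorithm from password_auditor;" \
    | users_still_on_md5
}

# Demonstration over the constructed sample; replace with audit_live_db
# on a real node.
if printf '%s\n' "$SAMPLE_AUDIT" | users_still_on_md5; then
  echo "all users on SHA512; safe to re-enable FIPS at the OS level"
else
  echo "users listed above still use MD5; run ALTER USER ... security_algorithm 'SHA512' first"
fi

if os_fips_enabled; then
  echo "OS FIPS mode: enabled"
else
  echo "OS FIPS mode: disabled"
fi
```

Run it once after step 4 (it should report no MD5 users), then again after step 5 to confirm the OS reports FIPS mode before attempting the stop/start in step 6.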