
How to enable FIPS on the Data Repository database server at the OS level


Article ID: 214018


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Running DX NetOps Performance Management r20.2.7 in a secure government environment.

New STIG requirements call for FIPS mode to be enabled on the DX NetOps Performance Management Data Repository (Vertica) database.

The environment uses a single-node Data Repository (DR) database.

When FIPS is enabled at the OS level on the existing installation, the database fails to restart after being stopped. See case 32674815 for that situation's history.

How can we enable FIPS at the OS level while maintaining a functional Data Repository database?

Cause

The following message may be printed in /opt/vertica/log/adminTools.log when the database is started with FIPS enabled:

2021-05-04 14:00:11.526 at_exec/25317:0x7f52dc506740 [CatalogEditor._recorded_readline] <INFO> Next line of response was ['Cannot enable FIPS mode. 139785270915776:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:93:\n']

The error text comes from OpenSSL: FIPS_mode_set() reports "fips mode not supported" (o_fips.c) when the libcrypto in use was built without the FIPS module, so it cannot be switched into FIPS mode no matter what the OS setting is. An existing Vertica installation therefore cannot be converted to FIPS after the fact; FIPS support has to be present when Vertica is installed, which is why the resolution below requires a fresh cluster.

Environment

DX NetOps Performance Management 20.2

Resolution

There is no way to enable FIPS for an existing Data Repository Vertica installation.

Doing so requires migrating to new hosts using the specific process below. Without following these steps the database is unlikely to start or operate normally.

  1. Install a new Vertica cluster with FIPS enabled at the OS level during the installation.
  2. Disable FIPS at the OS level after the Vertica install completes.
  3. Migrate the database from the old cluster to the new cluster.
  4. Change the security_algorithm for the dauser account so that its password is hashed with SHA512 rather than MD5.
    1. Open a vsql prompt.
    2. Run the following command:
      • select * from password_auditor;
      • It should show the dauser password hashed with MD5 rather than with the SHA512 algorithm required under FIPS. MD5 is not a FIPS-approved algorithm, so this must be corrected before FIPS is turned on.
    3. Run the following command to change the algorithm from MD5 to SHA512:
      • alter user dauser security_algorithm 'SHA512' identified by '<dapass>';
      • NOTE: Replace <dapass> with the dauser password; the product default is 'dapass'. The password has to be supplied because Vertica stores only the hash and must compute a new SHA512 hash from the plaintext.
    4. Run the following command again:
      • select * from password_auditor;
      • It should now show the dauser password hashed with SHA512 instead of MD5.
  5. Enable FIPS at the OS level on the new database cluster.
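The script below is an added example and is not Broadcom or Vertica code. It generalises step 4: rather than checking dauser alone, it reads the output of a password_auditor query, lists every database user whose password hash is not SHA512, emits the corresponding alter user statement for each, and reports whether the Linux kernel is in FIPS mode. Assumptions that are not from the article: the input is the two-column "user|algorithm" form that `vsql -At` prints for `select user_name, security_algorithm from password_auditor;` (the column name security_algorithm is assumed; confirm it against the header of `select * from password_auditor;`), and /proc/sys/crypto/fips_enabled is the kernel's FIPS indicator. The sample auditor output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not Broadcom or Vertica code. Lists every Vertica user whose
# password hash is not SHA512 and emits the ALTER USER statement that migrates
# each one, then reports the OS FIPS state.
#
# Assumptions (not from the original article):
#  - Input lines are "user|algorithm", as printed by
#      vsql -At -c "select user_name, security_algorithm from password_auditor;"
#    (column name assumed; check the header of select * from password_auditor;)
#  - On Linux the kernel exposes its FIPS state in /proc/sys/crypto/fips_enabled.

# Constructed sample of the two-column vsql output; not output from a real node.
SAMPLE_AUDITOR_OUTPUT='dbadmin|SHA512
dauser|MD5
reporting_ro|MD5
'

# Read "user|algorithm" lines on stdin and print the users not yet on SHA512.
users_not_sha512() {
  awk -F'|' 'NF >= 2 && toupper($2) != "SHA512" { print $1 }'
}

# For each user name on stdin, emit the Vertica statement that re-hashes the
# password with SHA512. IDENTIFIED BY accompanies SECURITY_ALGORITHM because the
# server must compute the new hash from the plaintext, so a placeholder is
# written for the operator to replace with that user's real password.
alter_statements() {
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    printf "alter user %s security_algorithm 'SHA512' identified by '<%s password>';\n" \
      "$user" "$user"
  done
}

# Print 1 when the Linux kernel is in FIPS mode, otherwise 0. The path can be
# overridden so the check is testable on a host that lacks the file.
os_fips_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then echo 1; else echo 0; fi
}

# Stand-alone run against the constructed sample. On a real node, replace the
# printf with the vsql command named in the header comment.
printf '%s' "$SAMPLE_AUDITOR_OUTPUT" | users_not_sha512 | alter_statements
echo "OS FIPS mode: $(os_fips_enabled)"
```

Run it on the Data Repository host after step 3 and before step 5: any user it lists still has an MD5 hash, and each emitted statement must be run in vsql with the placeholder replaced by that user's password. Because the FIPS state is read from the kernel, the final line also confirms that step 2 (FIPS disabled) actually took effect before the migration.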
