
IBM Tivoli Provisioning Manager 7.1.1 FIPS 140-2 Enablement



Presentation Transcript


  1. IBM Tivoli Provisioning Manager 7.1.1 FIPS 140-2 Enablement

  2. Topics • Feature Objective (Problems Solved) • Feature Overview • Common Use Cases

  3. TPM 7.1.1 FIPS 140-2 Enablement Objective • Enable TPM to comply with the security requirements defined by the US Federal Information Processing Standard 140-2 (FIPS 140-2).

  4. Topics • Feature Objective (Problems Solved) • Feature Overview • Common Use Cases

  5. [Architecture diagram, labels only: JVM 1.5 (FIPS 140-2) crypto module; FIPS-compliant encrypted credentials in the Service Access Point (SAP) and the Deployment Engine; Agent Shell Server to endpoint with agent (TCA) over FIPS-compliant SSL; TCA to CAS, Windows DMS and Unix CDS MC over FIPS-compliant SSL; RXA to agentless endpoints over FIPS-compliant SSH (Unix) or non-FIPS-compliant SSH (Cygwin OpenSSH, Windows) and non-FIPS-compliant SMB] FIPS Enablement in TPM 7.1.1: Cryptographic Module • The cryptographic module is provided by the base FIPS-compliant JVM 1.5 • Installed by: TPM • Enablement: automatically by the TPM installer when a FIPS-based install is selected
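The slide says the installer selects the FIPS JVM, but a practitioner will still want to confirm at runtime that the JCE primitives a component actually uses are served by the FIPS 140-2 provider rather than by a non-validated fallback further down the provider list. The following is an added example written for this page, not code from the presentation or from TPM; it assumes the IBM JDK's FIPS provider is named IBMJCEFIPS and implemented by the class com.ibm.crypto.fips.provider.IBMJCEFIPS (confirm both against the java.security file of the JVM that TPM installed), and it is written to compile on Java 1.5.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

/**
 * Added example (not TPM code): check that the JCE algorithms a component
 * relies on resolve to the FIPS 140-2 provider, and report any that do not.
 */
public class FipsProviderCheck {
    // Assumed provider name and class for IBMJCEFIPS in the IBM JDK.
    static final String FIPS_PROVIDER = "IBMJCEFIPS";
    static final String FIPS_PROVIDER_CLASS = "com.ibm.crypto.fips.provider.IBMJCEFIPS";

    public static void main(String[] args) throws Exception {
        ensureFipsProviderFirst();
        boolean ok = true;
        // Primitives a credential store and an SSL stack depend on: each must be
        // served by the FIPS provider, not by whichever provider answered first.
        ok &= servedByFipsProvider("AES/CBC/PKCS5Padding",
                Cipher.getInstance("AES/CBC/PKCS5Padding").getProvider());
        ok &= servedByFipsProvider("AES KeyGenerator",
                KeyGenerator.getInstance("AES").getProvider());
        ok &= servedByFipsProvider("SHA-256",
                MessageDigest.getInstance("SHA-256").getProvider());
        // MD5 is not a FIPS 140-2 approved hash. Ask the FIPS provider for it
        // explicitly; if it is served, check that against the module's security
        // policy (some modules expose it only for non-approved use).
        try {
            MessageDigest.getInstance("MD5", FIPS_PROVIDER);
            System.out.println("WARN: MD5 is offered by " + FIPS_PROVIDER
                    + "; review the module security policy before relying on approved mode");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("ok:   MD5 not offered by " + FIPS_PROVIDER);
        }
        System.out.println(ok ? "FIPS provider check passed" : "FIPS provider check FAILED");
        System.exit(ok ? 0 : 1);
    }

    /** Put the FIPS provider at priority 1 if the java.security file did not. */
    static void ensureFipsProviderFirst() throws Exception {
        Provider[] providers = Security.getProviders();
        if (providers.length > 0 && FIPS_PROVIDER.equals(providers[0].getName())) {
            return; // already the highest-priority provider
        }
        Provider fips = Security.getProvider(FIPS_PROVIDER);
        if (fips == null) {
            // Not registered at all: load it by class name (assumed class, see above).
            fips = (Provider) Class.forName(FIPS_PROVIDER_CLASS).newInstance();
        } else {
            // Registered but not first: remove so it can be re-inserted at the top.
            Security.removeProvider(FIPS_PROVIDER);
        }
        Security.insertProviderAt(fips, 1);
    }

    /** Print which provider served the algorithm; true only if it was the FIPS one. */
    static boolean servedByFipsProvider(String what, Provider p) {
        boolean fips = FIPS_PROVIDER.equals(p.getName());
        System.out.println((fips ? "ok:   " : "FAIL: ") + what + " served by " + p.getName());
        return fips;
    }
}
```

Run it with the same JVM and java.security configuration the TPM server uses (for example `java -cp . FipsProviderCheck`); a non-zero exit means at least one primitive is being served by a provider outside the validated module, which is exactly the situation a "FIPS-based install" is meant to rule out.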

  6. FIPS Enablement in TPM 7.1.1: SSL • SSL support is provided by the Common Agent Services (CAS) and associated components • Installed by: TPM (CAS) • Enablement: automatically by the TPM installer when a FIPS-based install is selected

  7. FIPS Enablement in TPM 7.1.1: SSH • SSH support is provided by OpenSSH, under Cygwin on Windows or natively on UNIX • Installed by: Customer • Enablement: NOT done by the TPM installer • The SSH code is altered and compiled by the customer; the OpenSSH shipped with Cygwin is not FIPS compliant (see Limitations) • OpenSSL FIPS Object Module security policy: http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf

  8. FIPS Enablement in TPM 7.1.1: Browser • Client/browser enablement to use TLS instead of SSL • Installed by: Customer • Enablement: NOT done by the TPM installer • Client enablement required: each browser that connects to the TPM server must be configured to negotiate TLS rather than SSL

  9. Overview: Limitations • TPM 7.1.1 FIPS enablement requires a new install; there is no migration support from a prior server. • The SMB protocol provided by RXA is not FIPS compliant. • RXA with SMB is still used for discovery operations on Windows; in other words, RXA SMB remains available in the TPM environment even when FIPS mode is enabled. • TPMfOSD will not be FIPS compliant in TPM 7.1.1. • ITM agent to ITM server SSL communication will not be FIPS compliant in TPM 7.1.1.

  10. Topics • Feature Objective (Problems Solved) • Feature Overview • Common Use Cases

  11. TPM 7.1.1 FIPS 140-2 Enablement Use Cases • Once FIPS mode is enabled, the in-scope cryptography and communications (see the support statement and the limitations above) are FIPS 140-2 compliant. From a use case point of view the change is transparent.

  12. Backup slides

  13. FIPS 140-2 Background • The US Federal Information Processing Standard 140-2 (FIPS 140-2) defines the security requirements for cryptographic modules used in IT software; modules are validated against it under the NIST Cryptographic Module Validation Program (CMVP). SWG offerings with cryptographic function must meet this certification and compliance requirement so that they can be marketed to the federal sector, which IBM has identified as a hyper-growth market. To achieve this, SWG requires its offerings with cryptographic function to use specific SWG cryptographic modules that have been FIPS 140-2 certified. • IBM provides two main strategic FIPS 140 cryptographic software providers to be used by IBM products: the Java Cryptographic Extension (IBMJCEFIPS) and IBM Crypto for C (ICC). Both providers are FIPS 140-2 certified by NIST: • http://csrc.nist.gov/cryptval/140-1/1401val2004.htm

  14. Overview: Official Customer Support Statement • TPM 7.1.1 FIPS compliance support consists of: • Centralized cryptographic module using FIPS 140-2 compliant providers • FIPS 140-2 cryptographic services for credentials in the Service Access Point • FIPS compliant SSL from the Agent Shell Server to the TCA • FIPS compliant SSL from the TCA to CAS, DMS, and DCS MC • FIPS compliant SSH between RXA and Unix • Limitation: the SMB protocol provided by RXA is not FIPS compliant • Limitation: the OpenSSH that comes with Cygwin on Windows is not FIPS compliant • RXA with SMB is still used for discovery operations on Windows; in other words, RXA SMB remains available in the TPM environment even when FIPS mode is enabled. • Instead of the OpenSSH shipped with Cygwin, the customer must install and configure another FIPS compliant SSH product. • Components excluded from FIPS compliance: • TPMfOSD will not be FIPS compliant in TPM 7.1.1. • ITM agent to ITM server SSL communication • TPM 7.1.1 FIPS compliance mode is supported only via a fresh installation. There is no FIPS migration from 5.1.1.2 or TPM 7.1 to TPM 7.1.1; only non-FIPS mode is supported for migration. In addition, FIPS configuration is performed as part of the TPM 7.1.1 installation; it cannot be performed as a post-installation step.
