FIPS compatibility
This section provides information on specific operating systems to enable FIPS support.
RHEL/OL 8 or RHEL/OL 9 Java
While the rest of the Opsview system works correctly on a FIPS-enabled server running Red Hat Enterprise Linux 8 or 9 (RHEL 8 or 9) or Oracle Linux 8 or 9 (OL 8 or 9), the Opsview Reporting Module requires a Java Runtime that is configured not to run in FIPS mode, because the keystore algorithm used by JasperServer (JCEKS) is incompatible with the FIPS standards.
There are two workarounds to this issue:
- Install a new JRE for Opsview to run in a non-FIPS compliant mode. This will allow any other Java applications on the system to continue running in FIPS mode while allowing the Reporting Module to run.
- Configure the currently installed JRE on the Orchestrator machine to run in a non-FIPS compliant mode. This will have the side effect of allowing non-FIPS compliant Java applications on the system.
Note
If there is no Java runtime located on the orchestrator machine, one of the workarounds must be performed so that the Reporting Module has a valid Java installation to use.
Install an Opsview specific Java (Recommended)
These instructions will need to be modified if a later version of the JRE is released.
- Get the URL of the latest 1.8 OpenJDK release from Red Hat.
- Download the OpenJDK tarball from the above site and transfer it to the Orchestrator host.
    scp java-1.8.0-openjdk-<version>.portable.jre.el.x86_64.tar.xz orchestrator-hostname:/tmp/
- Create the Opsview Java directory.
    mkdir /opt/opsview/java
- Extract the OpenJDK tarball into the newly created Java directory.
    tar -xf /tmp/java-1.8.0-openjdk-<version>.portable.jre.el.x86_64.tar.xz -C /opt/opsview/java --strip 1
- Set security.useSystemPropertiesFile to false in the new Java installation's java.security file.
    sed -i.bk "s/^security.useSystemPropertiesFile=true/security.useSystemPropertiesFile=false/g" /opt/opsview/java/jre/lib/security/java.security
- Run the check-deploy playbook to ensure that Java is now correctly configured. This playbook will additionally set up Python on all systems used.
Note
This Java installation is currently not managed by Opsview in any way. This means that any security updates will have to be manually installed by rerunning the manual steps listed above.
Configure the System Java to run in a FIPS non-compliant mode
Follow the instructions below to run the system Java in a FIPS non-compliant mode:
- Run the check-deploy playbook in Opsview Deploy. This will detect the Java runtime that the Jasper server will choose to use and raise an alarm if it is not configured as needed. This playbook will additionally set up Python on all systems used.
    cd /opt/opsview/deploy/
    ./bin/opsview-deploy ./lib/playbooks/check-deploy.yml
  Sample output:
    .... REQUIRED ACTION RECAP ********************************************************************
    [HIGH -> rm-op-44104-rhel8-2-orch] Security flag is set to 'true' on system Java
    | A system Java Runtime (JRE) installation has been located at
    | /usr/lib/jvm/jre-1.8.0-openjdk, but the security flag 'security.useSystemPropertiesFile'
    | is currently set to 'true'.
    |
    | In order to use the Opsview Reporting module on RedHat 8 with FIPS mode enabled,
    | this flag must either be set to false or an alternative Java installation
    | installed for Opsview's usage.
    |
    | For more information and instructions, see:
    | https://knowledge.opsview.com/docs/
- Edit the configuration file in the specified Java directory. The following sed command creates a backup named java.security.bk.
    # In this example, the Java directory is '/usr/lib/jvm/jre-1.8.0-openjdk' as reported by Opsview Deploy in the `REQUIRED ACTION RECAP` output
    cd /usr/lib/jvm/jre-1.8.0-openjdk/
    sed -i.bk "s/^security.useSystemPropertiesFile=true/security.useSystemPropertiesFile=false/g" lib/security/java.security
- Rerun the check-deploy playbook as in the first step above to ensure that Java is now correctly configured.
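Both procedures above come down to the same check and the same sed edit of java.security. As an added example (not Opsview's own tooling, and not part of check-deploy), the script below reproduces that check against a constructed java.security fragment: it reports the current value of security.useSystemPropertiesFile, flips it to false while keeping a .bk backup, and refuses to touch a file whose flag is already false or absent. It assumes a POSIX sh with sed and mktemp; the file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Opsview's own code: inspect and disable the
# security.useSystemPropertiesFile flag in a JRE's java.security file,
# keeping a java.security.bk backup like the sed command in the steps above.

# Print the flag's current value: "true", "false", or "unset" when the
# line is absent or commented out (a commented line must not count).
java_security_flag() {
    f="$1"
    v=$(sed -n 's/^security\.useSystemPropertiesFile=\(.*\)$/\1/p' "$f" | tail -n 1)
    if [ -z "$v" ]; then
        echo unset
    else
        echo "$v"
    fi
}

# Set the flag to false in place, writing a .bk backup first.
# Returns 1 (and changes nothing) when the flag is not currently 'true'.
disable_system_properties_file() {
    f="$1"
    [ "$(java_security_flag "$f")" = "true" ] || return 1
    sed -i.bk "s/^security.useSystemPropertiesFile=true/security.useSystemPropertiesFile=false/g" "$f"
}

# Constructed sample (not a real java.security file) so the script runs stand-alone.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/java.security"
cat > "$demo_file" <<'EOF'
# Constructed fragment for demonstration only
security.provider.1=sun.security.provider.Sun
security.useSystemPropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
EOF

echo "before: $(java_security_flag "$demo_file")"
disable_system_properties_file "$demo_file"
echo "after:  $(java_security_flag "$demo_file") (backup: $demo_file.bk)"
```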
Infrastructure Agent ciphers
The default anonymous ciphers configured on the Orchestrator and used to communicate with the Infrastructure Agent on monitored devices are ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS, which meet the tighter security standards enforced by FIPS (see "Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms" on the Red Hat Customer Portal).
Check that this is set in the NRPE_CIPHERS global variable (Menu > Configuration > Advanced > Variables).