Enabling and disabling FIPS

Configuring Hybrid Data Pipeline server for FIPS support

There are two ways to configure the Hybrid Data Pipeline server for FIPS support:
* Through the installer during the initial Hybrid Data Pipeline server installation. By default, Hybrid Data Pipeline is installed in FIPS-disabled mode. You must explicitly opt for FIPS support on the relevant installation screen.
* Using the script enable_fips.sh after installation.
Note: Before enabling FIPS, you must ensure that your hardware supports secure random, or you have a secure random daemon installed. For further details see Before enabling FIPS.
Note: For production environments, we recommend a new, clean installation with FIPS enabled. With a new installation, users and data sources must be re-created. The script does not change the stored encryption keys. Keys generated by a non-FIPS installation use the same encryption algorithm, but were created with the less secure random number generation.

Enable FIPS during installation

Before enabling FIPS, you must ensure that your hardware supports secure random, or you have a secure random daemon installed. To enable FIPS during installation, you must:
1. Run the installer in GUI or Console mode, and choose your desired options.
2. Choose Custom on the Install Type screen.
3. On the FIPS Configuration screen, check the Enable FIPS check-box.
Complete the remaining installation steps to install a FIPS-enabled Hybrid Data Pipeline server.

Enable FIPS after installation

Prerequisite: Before enabling FIPS, you must ensure that your hardware supports secure random, or you have a secure random daemon installed. To enable FIPS support after the installation:
1. Go to the installation directory, /Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud
2. Verify that the following two scripts exist for FIPS support:
   * disable_fips.sh
   * enable_fips.sh
3. Execute the enable_fips.sh script to enable FIPS support for the Hybrid Data Pipeline server. Note that running the script will force the Hybrid Data Pipeline Server to restart.

nc-hdp-u19:~/Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud% ./enable_fips.sh
4. After the script has completed, verify that FIPS is enabled. To verify, you can look at the standard output of the enable_fips.sh script. The final line output in a successful execution will be ‘Finished setting security provider’ and the script will exit with a return code of 0. If it fails, the appropriate error(s) will be displayed in the console, and the script will exit with a return code of 1.
Additionally, you can run ./enable_fips.sh force. By default, enable_fips.sh does not attempt to regenerate the existing .bks Bouncy Castle keystore and truststore if FIPS compatibility is already enabled. The optional force argument forces both the .bks Bouncy Castle keystore and truststore to be regenerated from the default Sun .jks files. In a multinode installation, run enable_fips.sh on a single node, then restart the other nodes. The other Hybrid Data Pipeline nodes detect the change on startup.

Disable FIPS

To disable FIPS:
1. Go to the installation directory, /Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud
2. Execute the disable_fips.sh script to disable FIPS support for the Hybrid Data Pipeline server.

nc-hdp-u19:~/Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud% ./disable_fips.sh
3. After the script has completed, verify that FIPS is disabled. To verify, you can look at the standard output of the disable_fips.sh script. The final line output in a successful execution will be ‘Finished setting security provider’ and the script will exit with a return code of 0. If it fails, the appropriate error(s) will be displayed in the console, and the script will exit with a return code of 1.
Note: Running the script will force the Hybrid Data Pipeline Server to restart.
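
The verification rule in step 4 of the enable procedure and step 3 of the disable procedure (return code 0 and a final standard-output line of ‘Finished setting security provider’) can be enforced by a small wrapper. This is an added example, not part of the Hybrid Data Pipeline distribution; the function names run_fips_script and check_fips_result are assumptions of the example.

```shell
#!/bin/sh
# Added example: function names and argument order are this example's own.
# Success line quoted from the procedure on this page.
FIPS_OK_LINE='Finished setting security provider'

# check_fips_result <exit_code> <stdout_file>
# Succeeds only if the return code is 0 AND the last non-empty line of
# the captured standard output is the documented success line.
check_fips_result() {
    if [ "$1" -ne 0 ]; then
        echo "FAIL: script exited with return code $1" >&2
        return 1
    fi
    last=$(sed -e 's/[[:space:]]*$//' -e '/^$/d' "$2" | tail -n 1)
    if [ "$last" != "$FIPS_OK_LINE" ]; then
        echo "FAIL: unexpected final line: '$last'" >&2
        return 1
    fi
}

# run_fips_script <ddcloud_dir> <enable|disable> [force]
# Note: the vendor script restarts the server, so schedule accordingly.
run_fips_script() {
    dir=$1 mode=$2 arg=${3:-}
    case "$mode" in
        enable|disable) ;;
        *) echo "usage: run_fips_script DIR enable|disable [force]" >&2
           return 2 ;;
    esac
    # The page documents the "force" argument for enable_fips.sh only.
    if [ -n "$arg" ] && { [ "$mode" != enable ] || [ "$arg" != force ]; }; then
        echo "FAIL: only 'enable force' is a documented argument" >&2
        return 2
    fi
    if [ ! -x "$dir/${mode}_fips.sh" ]; then
        echo "FAIL: $dir/${mode}_fips.sh missing or not executable" >&2
        return 2
    fi
    log=$(mktemp) || return 2
    rc=0
    # Run from the script's own directory; stderr stays on the console.
    ( cd "$dir" && "./${mode}_fips.sh" $arg ) >"$log" || rc=$?
    cat "$log"
    result=0
    check_fips_result "$rc" "$log" || result=$?
    rm -f "$log"
    return "$result"
}
```

For example, `run_fips_script ~/Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud enable` returns 0 only when both documented conditions hold, so a deployment job can stop before restarting the remaining nodes if the first node did not switch providers cleanly.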