This guide is designed to configure your RayVentory server in a FIPS Environment.
Original Microsoft Summary
The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
Source: https://support.microsoft.com/en-us/kb/811833
The Administration Server will not work correctly as long FIPS is enabled . Nevertheless FIPS is not recommend anymore.
Source: http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
Before you proceed
This guide assumes:
- The RayManageSoft Administration Server is already setup and preconfigured.
- You are familiar to the local and/or global security policy management for Microsoft Windows.
The RayVentory release notes and full-size documentation are available in addition to this document.
I. Purpose
As long as FIPS is enabled the RayManageSoft Administration Server Application will not start.
The following error occur on start of the console:
|
Problem signature: Problem Event Name: CLR20r3
|
Close the problem message and disable FIPS.
II. Solution (Disable FIPS)
To disable FIPS you need to edit the system security policy. This can either be done global or local; Based on the membership and Policy of an Active Directory.
Global: For modifying a global policy use tools like Group Policy Management Console (GPMC), Group Policy Editor (GPEDIT) and Resultant Set of Policy (RSoP). Consider contacting your Active Directory Administrator.
Local: For modify the local security you can go with the Security Policy Editor (Secpol).
In both way you will edit the same security policy, shown here as an example of a local policy:
Path global: | Computer Configuration\Windows Settings\Local Policies\Security Options |
Path local: | Local Policies\Security Options |
Policy: | System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing |
Setting: | Disabled |
Close the Policy Editor and start the RayManageSoft Console. In case of an Active Directory Policy consider to enforce an update (e.g. gpupdate /force).
Comments