Configure FIPS Support
NetWitness ships with FIPS-validated 140-2 Cryptographic Modules that support all cryptographic operations within NetWitness. NetWitness leverages two modules that support a level three design assurance:
- RSA BSAFE Crypto-J
-
RSA OwB
Both modules have been certified with an operational environment comparable to the standard NetWitness configuration.
By default, the cryptographic modules enforce the usage of FIPS-certified cipher suites wherever possible. For exceptions, refer to the information below and to the release notes. For additional information about the FIPS modules, see https://csrc.nist.gov/publications/detail/fips/140/2/final.
The RSA BSAFE Crypto-J FIPS Certificate number is 3172, and OwB uses the CCME FIPS Module in FIPS-approved mode.
Note: For a fresh installation of NetWitness 12.5, by default, all core services will be FIPS enforced except Log Collector and Log Decoder. FIPS cannot be disabled on any services except for Log Collector, Log Decoder and Network Decoder.
Note: For upgrades to 12.5 from previous versions, the following conditions apply for the Log Collector, Log Decoder and Decoder services:
- Log Collector is not FIPS enabled after upgrading to the latest version, even if FIPS was enabled in a previous version. You must enable FIPS support after upgrading to the latest version. See the instructions in FIPS support for Log Collectors.
- If FIPS was enabled for the Log Decoder and Network Decoder services in a prevous version, FIPS will also be enabled in the latest version. However, if Log Decoder and Network Decoder were NOT FIPS enabled in a previous version, they will not be enabled and you can manually enable FIPS for these services if required. See the instructions in FIPS support for Log Decoders and Decoders.
FIPS support for Log CollectorsFIPS support for Log Collectors
To enable FIPS for Log Collectors:
- Stop the Log Collector service.
- Open the /etc/systemd/system/nwlogcollector.service.d/nwlogcollector-opts-managed.conf file.
-
Change the value of the following variable to off as described here:
Environment="OWB_ALLOW_NON_FIPS=on"
to
Environment="OWB_ALLOW_NON_FIPS=off"
-
Reload the system daemon by running the following command:
systemctl daemon-reload
- Restart the Log Collector service.
-
Set the FIPS mode for the Log Collector service in the UI:
FIPS support for Log Decoders and DecodersFIPS support for Log Decoders and Decoders
- Go to (Admin) > Services and select a Log Decoder or Network Decoder service.
-
Select View > Config, and in System Configuration, enable SSL FIPS Mode by selecting the check box in the Config Value column.
- Restart the service.
- Click Apply.