Configure FIPS Support

NetWitness 11.x ships with FIPS 140-2 validated cryptographic modules that perform all cryptographic operations within NetWitness. NetWitness relies on two modules, both validated at level three for design assurance:

  • RSA BSAFE Crypto-J
  • RSA OwB

Both modules have been certified with an operational environment comparable to the standard NetWitness configuration.

By default, the cryptographic modules enforce the usage of FIPS-certified cipher suites wherever possible. For exceptions, refer to the information below and to the release notes. For additional information about the FIPS modules, see https://csrc.nist.gov/publications/detail/fips/140/2/final.

The RSA BSAFE Crypto-J FIPS Certificate number is 3172, and OwB uses the CCME FIPS Module in FIPS-approved mode.

In 11.x, FIPS is enabled on all services except Log Collector. This includes Log Decoder and Decoder if they were FIPS-enabled in 10.6.x or any previous version. FIPS cannot be disabled on any services except for Log Collector, Log Decoder and Decoder.

Note: For a fresh installation of 11.x, by default, all core services will be FIPS enforced except Log Collector and Log Decoder. FIPS cannot be disabled on any services except for Log Collector, Log Decoder and Network Decoder.

Note: For upgrades to 11.x from previous versions, the following conditions apply for the Log Collector, Log Decoder and Decoder services:
- Log Collector is not FIPS enabled after upgrading to 11.x, even if FIPS was enabled in a previous version. You must enable FIPS support after upgrading to 11.x. See the instructions in FIPS support for Log Collectors.
- If FIPS was enabled for the Log Decoder and Network Decoder services in a previous version, FIPS will also be enabled in 11.x. However, if Log Decoder and Network Decoder were NOT FIPS enabled in a previous version, they will not be enabled in 11.x, and you can manually enable FIPS for these services if required. See the instructions in FIPS support for Log Decoders and Decoders.

FIPS support for Log Collectors

To enable FIPS for Log Collectors:

  1. Stop the Log Collector service.
  2. Open the /etc/systemd/system/nwlogcollector.service.d/nwlogcollector-opts-managed.conf file.
  3. Change the value of the following variable from on to off, that is, change:

    Environment="OWB_ALLOW_NON_FIPS=on"

    to

    Environment="OWB_ALLOW_NON_FIPS=off"

  4. Reload the system daemon by running the following command:

    systemctl daemon-reload

  5. Restart the Log Collector service.
  6. Set the FIPS mode for the Log Collector service in the UI:

    Note: This step is not required if you are upgrading from 10.6.x to 11.x and FIPS was enabled in 10.6.x.

    1. Go to Admin > Services.
    2. Select the Log Collector service and go to View > Config.
    3. In SSL FIPS Mode, select the checkbox under Config Value and click Apply.
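The following shell script, added here as an example and not part of the NetWitness product or its documentation, carries out steps 1 through 5 above on the Log Collector host and then confirms that the running unit actually picked up the new value. The drop-in path and the OWB_ALLOW_NON_FIPS variable are taken from the page; the function names, the unit name nwlogcollector (derived from the nwlogcollector.service.d directory), and the use of `systemctl show -p Environment` as the verification check are assumptions. The file-editing function takes the path as a parameter so it can be exercised against a copy before touching the real drop-in.

```shell
#!/bin/sh
# Added example (not NetWitness-supplied): turn off the Log Collector's
# OWB non-FIPS override in its systemd drop-in, reload, restart, verify.
# Path and variable name come from the documentation; everything else
# (function names, unit name, verification step) is an assumption.

CONF_DEFAULT=/etc/systemd/system/nwlogcollector.service.d/nwlogcollector-opts-managed.conf

# Check the drop-in; returns 0 only if the variable is set to off.
owb_fips_is_off() {
    grep -q '^Environment="OWB_ALLOW_NON_FIPS=off"' "$1"
}

# Rewrite Environment="OWB_ALLOW_NON_FIPS=on" to ...=off in the given file.
# Idempotent: an entry already set to off is left untouched.
# Returns 0 when the file ends up with the setting off, 1 otherwise.
set_owb_fips_off() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    if ! grep -q 'OWB_ALLOW_NON_FIPS=' "$conf"; then
        # Refuse to guess: the page assumes the entry is already present.
        echo "no OWB_ALLOW_NON_FIPS entry in $conf" >&2
        return 1
    fi
    sed -i 's/^\(Environment="OWB_ALLOW_NON_FIPS=\)on"/\1off"/' "$conf"
    owb_fips_is_off "$conf"
}

# Full procedure (steps 1-5 of the page); run as root on the Log Collector.
# Step 6 (SSL FIPS Mode in the UI) still has to be done in the console.
enable_logcollector_fips() {
    conf="${1:-$CONF_DEFAULT}"
    systemctl stop nwlogcollector || return 1
    set_owb_fips_off "$conf" || return 1
    systemctl daemon-reload || return 1
    systemctl restart nwlogcollector || return 1
    # Confirm the live unit environment, not just the file on disk:
    # a missed daemon-reload leaves the old value in effect.
    systemctl show -p Environment nwlogcollector | grep -q 'OWB_ALLOW_NON_FIPS=off'
}
```

The final `systemctl show` check is the part worth keeping even if you edit the file by hand: the drop-in on disk saying off does not prove the service is running with it, and a Log Collector that silently kept OWB_ALLOW_NON_FIPS=on is exactly the state this procedure exists to prevent.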

FIPS support for Log Decoders and Decoders

To enable FIPS for Log Decoders and Decoders that did not have FIPS enabled in 10.6.x:

  1. Go to Admin > Services and select a Log Decoder or Network Decoder service.
  2. Select View > Config, and in System Configuration, enable SSL FIPS Mode by selecting the check box in the Config Value column.

  3. Restart the service.
  4. Click Apply.