SAM Connector not working in FIPS mode

  • 7018187
  • 25-Oct-2016
  • 12-Jun-2017

Environment


NetIQ Sentinel 7.4 Agent Manager Connector

Situation

When the Sentinel server is converted to FIPS mode, the SAM Connector's own default certificate is disabled, and the SAM Connector
instead uses the Sentinel server certificate stored in the NSS keystore database.

In FIPS mode, every component of the Sentinel server (Collector Manager, Correlation Engine, all Connectors, and so on) uses the
single certificate held in the NSS keystore database. That certificate is the web server certificate (nickname "webserver").

Because the web server certificate carries no Subject Alternative Name (SAN) extension, a Unix Agent can match it only against its
Subject name. The agent therefore fails to communicate with the SAM Connector whenever the IP address or host name configured in the
Unix Agent differs from the Subject name of the web server certificate.

If the Subject name of the web server certificate contains the host name, the Unix Agent can communicate with the Sentinel (SAM
Connector) server only when it is configured with that host name, not with the IP address.

Resolution


1. Stop the Sentinel service: 

rcsentinel stop


2. Generate a key pair with the alias webserver in a JKS keystore, adding a SAN extension that lists every host name and IP address
the Unix Agents use to reach the SAM Connector (the -ext option requires the keytool from Java 7 or later):

keytool -genkey -dname <distinguished_name> -alias webserver -validity <validity_period_in_days> -storetype JKS -keystore <keystore_name> -storepass <keystore_password> -keypass <key_password> -keyalg RSA -keysize 2048 -ext san=dns:<host_name>,ip:<ip_address>

Example:

keytool -genkey -dname "cn=sentinel-server.acme.com, o=acme" -alias webserver -validity 365 -storetype JKS -keystore sam_connector.jks -storepass password -keypass password -keyalg RSA -keysize 2048 -ext san=dns:sentinel-server.acme.com,ip:1.2.3.4
 

 
3. Convert the key pair from JKS format to PKCS12 format

keytool -noprompt -importkeystore -srcstorepass <source_keystore_password> -deststorepass <destination_keystore_password> -srckeystore sam_connector.jks -srcalias webserver -destkeystore <destination_keystore_name> -deststoretype PKCS12

Note: The argument to -srcstorepass must be the keystore password you used in Step 2. Use the same value for -deststorepass; Step 5 needs it again as the argument to -W.

Example:

keytool -noprompt -importkeystore -srcstorepass password -deststorepass password -srckeystore sam_connector.jks -srcalias webserver -destkeystore sam_connector.p12 -deststoretype PKCS12
 
4. Delete the webserver key pair from the Sentinel FIPS keystore database
 
certutil -F -n "webserver" -d <FIPS_keystore_database _path>

Example: 

certutil -F -n "webserver" -d /etc/opt/novell/sentinel/3rdparty/nss

 
 
5. Insert the key pair from the PKCS12 keystore (created in Step 3) into the Sentinel FIPS keystore database
 
pk12util -d <FIPS_keystore_database _path> -i <p12_keystore_name> -W <p12_keystore_password> -K <FIPS_keystore_database_password> -n webserver

Note: The argument to -W must be the same as the argument to -deststorepass in Step 3.
The argument to -K is the current password for the Sentinel FIPS keystore database that you chose when you set up FIPS mode.

Example: 

pk12util -d "/etc/opt/novell/sentinel/3rdparty/nss" -i sam_connector.p12 -W password -K Novell@123 -n webserver


Note: Ensure that the files under the /etc/opt/novell/sentinel/3rdparty/nss directory are owned by novell:novell and are readable by all users. The private key inside the NSS key database stays encrypted under the FIPS keystore database password, so read access to the files alone does not expose it.

To set ownership, execute the following command: chown -R novell:novell "/etc/opt/novell/sentinel/3rdparty/nss"
To set read permissions for all users, execute the following command: chmod -R a+r "/etc/opt/novell/sentinel/3rdparty/nss"


 
6. Start the Sentinel server service

rcsentinel start
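
The six steps above, as one added example shell script that is not part of this TID or of NetIQ's own tooling: it builds the SAN extension from every host name and IP address the Unix Agents are configured with, runs the keytool/certutil/pk12util sequence in the order of the article, and checks that the re-imported certificate actually carries a SAN before starting Sentinel again. The NSS directory and the webserver nickname follow the article; the work directory, the organisation name in the DN, the throw-away JKS/PKCS12 password and the --run entry point are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the TID): rotate the Sentinel FIPS "webserver" key pair
# so its SAN covers every name and IP the Unix Agents use, then re-import it.
# NSS_DIR and the "webserver" nickname come from the article; WORK_DIR, ORG,
# the generated keystore password and the --run entry point are assumptions.
set -eu

NSS_DIR="/etc/opt/novell/sentinel/3rdparty/nss"
WORK_DIR="${WORK_DIR:-/root/sam-cert}"   # assumed scratch directory, mode 700
ORG="${ORG:-acme}"                       # assumed organisation for the DN
ALIAS="webserver"

# IPv4 syntax check: four dotted decimal octets, each 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Build the keytool -ext value, e.g. "san=dns:host.example.com,ip:10.0.0.5".
# Every argument the agents might use is listed; IPs get "ip:", names get "dns:".
san_ext() {
    ext=""
    for name in "$@"; do
        if is_ipv4 "$name"; then entry="ip:$name"; else entry="dns:$name"; fi
        ext="${ext:+$ext,}$entry"
    done
    printf 'san=%s' "$ext"
}

# Steps 1-6 of the article in order, plus a SAN check before restarting.
# Usage: rotate_webserver_cert <FIPS_keystore_db_password> <host-or-ip>...
rotate_webserver_cert() {
    db_pass="$1"; shift
    [ $# -ge 1 ] || { echo "need at least one host name or IP" >&2; return 1; }
    for tool in rcsentinel keytool certutil pk12util; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
    store_pass="$(head -c 18 /dev/urandom | base64 | tr -d '/+=')"  # throw-away JKS/PKCS12 password
    ext="$(san_ext "$@")"
    cn="$1"                                  # first argument doubles as the CN
    mkdir -p "$WORK_DIR" && chmod 700 "$WORK_DIR"

    rcsentinel stop                                                         # step 1
    keytool -genkey -dname "cn=$cn, o=$ORG" -alias "$ALIAS" -validity 365 \
        -storetype JKS -keystore "$WORK_DIR/sam_connector.jks" \
        -storepass "$store_pass" -keypass "$store_pass" \
        -keyalg RSA -keysize 2048 -ext "$ext"                               # step 2
    keytool -noprompt -importkeystore -srcstorepass "$store_pass" \
        -deststorepass "$store_pass" -srckeystore "$WORK_DIR/sam_connector.jks" \
        -srcalias "$ALIAS" -destkeystore "$WORK_DIR/sam_connector.p12" \
        -deststoretype PKCS12                                               # step 3
    certutil -F -n "$ALIAS" -d "$NSS_DIR"             # step 4 (prompts for the DB password)
    pk12util -d "$NSS_DIR" -i "$WORK_DIR/sam_connector.p12" \
        -W "$store_pass" -K "$db_pass" -n "$ALIAS"                          # step 5
    chown -R novell:novell "$NSS_DIR"
    chmod -R a+r "$NSS_DIR"
    rm -f "$WORK_DIR/sam_connector.jks" "$WORK_DIR/sam_connector.p12"

    # Check before restarting: the imported certificate must carry a SAN;
    # if it does not, the agents will hit the very failure this TID describes.
    if ! certutil -L -d "$NSS_DIR" -n "$ALIAS" | grep -q 'Subject Alt Name'; then
        echo "certificate $ALIAS has no Subject Alternative Name; not starting Sentinel" >&2
        return 1
    fi
    rcsentinel start                                                        # step 6
}

# Entry point, e.g.: ./rotate-webserver-cert.sh --run 'Novell@123' sentinel-server.acme.com 1.2.3.4
if [ "${1:-}" = "--run" ]; then
    shift
    rotate_webserver_cert "$@"
fi
```

Run it as root on the Sentinel server with the FIPS keystore database password followed by every host name and IP address that appears in the Unix Agents' configuration; each one ends up in the SAN, so an agent can match the certificate whether it was set up with the name or the address. The script refuses to start Sentinel if certutil does not show a Subject Alt Name on the re-imported certificate, since that is exactly the state that causes the agent failure described above.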


Cause

The Unix Agent fails to communicate with the SAM Connector when the IP address or host name it uses differs from the Subject name of the web server certificate, and the certificate has no Subject Alternative Name extension under which the other name could match.