Apply FIPS 140-2 compliant encryption algorithm for PPM

This topic describes how to apply the FIPS 140-2 compliant encryption algorithm for PPM.

Overview

PPM applies the Bouncy Castle encryption algorithm to comply with FIPS 140-2 (Federal Information Processing Standards 140-2) in the following cases:

  • Logging on to PPM with Oracle database authentication
  • Creating user
  • Editing user profile
  • Configuring PPM database
  • Logging on to PPM with LDAP authentication
  • Importing LDAP users


Apply FIPS 140-2 compliant encryption algorithm

Follow the steps below to apply the FIPS 140-2 compliant encryption algorithm for PPM.

Note: If your PPM is upgraded from 10.0.3 or an earlier version, and you have applied the FIPS 140-2 compliant encryption algorithm before the upgrade, you need to reconfigure the algorithm after the upgrade.

To apply the FIPS 140-2 compliant encryption algorithm:

  1. Stop the PPM Server.
  2. (Applicable to versions 2023-23.3 only) Copy the following .jar file(s) from the <PPM_Home>/utilities/fips directory to the <JAVA_Home>/jre/lib/ext directory:

    • bc-fips-1.0.2.3.jar
  3. Open the java.security file from the respective directories:

    • For JDK 8, go to <JAVA_Home>/jre/lib/security.
    • For OpenJDK 11, go to <JAVA_Home>/conf/security.
  4. Edit the java.security file as follows:

    1. Add the following before the existing security providers:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

    2. Change the sequence numbers of the providers to make sure that the numbers start with 1, followed by 2, 3, 4, and so on.
    3. Comment out the following line by adding a number sign # before it:

      securerandom.strongAlgorithms=NativePRNGBlocking:SUN

    4. Add the following line:

      securerandom.strongAlgorithms=DEFAULT:BCFIPS

  5. Run the ppm_fips_security_extension.sql script located in the PPM_Home/bin/db directory.

    Tip: Back up the following DB tables before running this script:

    • KNTA_USERS
    • KNTA_PASSWORD_CHANGES
    • KNTA_USERS_INT
  6. Open the PPM_Home/server.conf file and set the com.kintana.core.server.FIPS_ENABLE parameter to true to enable the new encryption algorithm.

  7. Run the sh ./kFIPSMigrate.sh script located in the PPM_Home/bin directory.

    Note:

    • To run this script, you must have the execution privilege as an administrator.
    • When you run this script, you are required to enter the start user ID and the end user ID, which determine how much data is processed in a batch. You can get the user IDs from the KNTA_USERS table.
  8. Run the sh ./kFIPSEncrypt.sh script located in the PPM_Home/bin directory to get the encrypted values for the passwords you set for DB and LDAP.

    Note:

    • To run this script, you must have the execution privilege as an administrator.
    • If your system is not integrated with LDAP, you do not need to run the script for the encrypted value of the LDAP password.

    Tip: Running the sh ./kFIPSMigrate.sh and sh ./kFIPSEncrypt.sh scripts on CentOS and other systems may result in extended delays. To resolve this issue, install haveged using the appropriate commands for your system:

    • On RHEL/CentOS

      yum install haveged

      systemctl enable haveged

      systemctl start haveged

    • On Ubuntu/Debian

      apt-get install haveged

      systemctl enable haveged

      systemctl start haveged

  9. In the PPM_Home/server.conf file, configure the following parameters:

    • Set the com.kintana.core.server.DB_PASSWORD parameter to the encrypted value you get in Step 8 to reset the DB password.
    • Set the com.kintana.core.server.LDAP_PASSWORD parameter to the encrypted value you get in Step 8 to reset the LDAP password.

    Note:  

    • Modify these parameter values directly in the server.conf file. Do not run ppm_config.exe (on Windows) to modify these parameters.
    • If your system is not integrated with LDAP, you do not need to reset the LDAP password.
  10. In the PPM_Home/bin directory, run the sh ./kUpdateHtml.sh script to apply your changes on these parameters.
  11. Start the PPM Server.
  12. (Optional) If your system is integrated with LDAP, and you want to import data from LDAP and set a default password for the Import Users report or the Run PPM Organization Unit Interface report, you need to add an additional command for either of the reports.

    To add an additional command for either of the reports:

    1. Log on to PPM.
    2. From the menu bar, select Open > Administration > Open Workbench.

    3. From the PPM workbench shortcut bar, select Configuration > Report Types.

    4. Click List, and then open the target report type.

    5. In the Report Type: <Report> window, click New Cmd under the Commands tab.

    6. In the New Command window, give the command a name.
    7. In the Steps field, enter the following:

      ksc_run_java com.kintana.core.server.tools.FIPSPasswordInterfaceTable "[TEMP_GROUP_ID]"

      Where TEMP_GROUP_ID is the default name of the temp token. If you have changed the token name, replace TEMP_GROUP_ID with the name you used for the token.

    8. Click Add.

    9. Adjust the sequence of the added command by using the up or down button. Make sure that the added command is under the Encrypt Password command.
    10. Click OK.
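
The java.security edits in step 4 can be checked before the server is restarted. The script below is an added example, not part of PPM or its documentation: it flags a duplicated or non-contiguous provider number, a first provider that is not the Bouncy Castle FIPS provider, and a securerandom.strongAlgorithms value other than DEFAULT:BCFIPS. The function name check_java_security and both sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a java.security file against step 4 of the procedure.
# Prints one line per finding; returns 0 only when nothing is wrong.
check_java_security() {
  awk -v want="org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider" '
    function fail(msg) { print "FAIL: " msg; bad++ }
    /^[ \t]*#/ { next }                          # commented-out lines are inactive
    { line = $0; gsub(/[ \t\r]/, "", line) }     # normalise whitespace
    line ~ /^security\.provider\.[0-9]+=/ {
      n = line; sub(/^security\.provider\./, "", n); sub(/=.*/, "", n); n += 0
      if (n in prov) fail("security.provider." n " is defined more than once")
      v = line; sub(/^[^=]*=/, "", v); prov[n] = v   # last definition wins, as in Java
      if (n > max) max = n
    }
    line ~ /^securerandom\.strongAlgorithms=/ {
      strong = line; sub(/^[^=]*=/, "", strong)      # last active assignment wins
    }
    END {
      if (!(1 in prov) || index(prov[1], want) != 1)
        fail("security.provider.1 is not the Bouncy Castle FIPS provider")
      for (i = 1; i <= max; i++)
        if (!(i in prov)) fail("provider numbering has a gap at " i)
      if (strong != "DEFAULT:BCFIPS")
        fail("securerandom.strongAlgorithms is \"" strong "\", expected DEFAULT:BCFIPS")
      if (!bad) print "OK: java.security matches step 4"
      exit (bad ? 1 : 0)
    }
  ' "${1:--}"
}

# Constructed samples (not from a real JDK). BAD stops after step 4.1;
# GOOD has steps 4.1 to 4.4 applied.
BC=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
BAD="security.provider.1=$BC
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
securerandom.strongAlgorithms=NativePRNGBlocking:SUN"
GOOD="security.provider.1=$BC
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
#securerandom.strongAlgorithms=NativePRNGBlocking:SUN
securerandom.strongAlgorithms=DEFAULT:BCFIPS"

printf '%s\n' "$BAD"  | check_java_security - || echo "-> steps 4.2 to 4.4 still pending"
printf '%s\n' "$GOOD" | check_java_security -
```

To audit a real installation, pass the path of the java.security file from step 3 as the argument instead of `-`.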
