Applying FIPS 140-2 Compliant Encryption Algorithm for PPM

PPM applies an enhanced encryption algorithm to comply with FIPS 140-2 (Federal Information Processing Standards 140-2) in the following cases:

  • Logging on to PPM with Oracle database authentication
  • Creating a user
  • Editing a user profile
  • Configuring PPM database
  • Logging on to PPM with LDAP authentication
  • Importing LDAP users

To apply the FIPS 140-2 compliant encryption algorithm,

  1. Stop the PPM Server.
  2. Unzip the fs_home.jar file located in the <PPM_Home>/deploy/<version> directory.

  3. Copy the following three .jar files from the <fs_home>/utilities/fips directory to the <JAVA_Home>/jre/lib/ext directory:

    • cryptojce.jar
    • cryptojcommon.jar
    • jcmFIPS.jar
  4. Edit the java.security file located in the <JAVA_Home>/jre/lib/security directory:

    1. Add the following before the existing security providers:

      security.provider.1=com.rsa.jsafe.provider.JsafeJCE

    2. Change the sequence numbers of the providers to make sure that the numbers start with 1, followed by 2, 3, 4, and so on.
    3. Add the following two lines after the security provider list:

      • com.rsa.cryptoj.fips140initialmode=FIPS140_MODE
      • com.rsa.crypto.default.random=ECDRBG
    4. Comment out the line securerandom.source=file:/dev/urandom by adding a number sign (#) before it.
  5. Run the ppm_fips_security_extension.sql script located in the <PPM_Home>/bin/db directory.

    Note: Back up the following DB tables before running this script:

    • KNTA_USERS
    • KNTA_PASSWORD_CHANGES
    • KNTA_USERS_INT
  6. Run the kFIPSMigrate.sh script (sh ./kFIPSMigrate.sh) located in the <PPM_Home>/bin directory.

    Note:  

    • As an administrator, you need execution privileges to run this script.
    • When you run this script, you are prompted for a start user ID and an end user ID, which determine how much data is processed in one batch. You can get the user IDs from the KNTA_USERS table.
  7. Run the kFIPSEncrypt.sh script (sh ./kFIPSEncrypt.sh) located in the <PPM_Home>/bin directory to obtain the encrypted values of the passwords you set for the DB and LDAP.

    Note:  

    • As an administrator, you need execution privileges to run this script.
    • If your system is not integrated with LDAP, you do not need to run the script to obtain the encrypted value of the LDAP password.
  8. Configure the following three parameters in the server.conf file in the <PPM_Home> directory.

    • Set the com.kintana.core.server.FIPS_ENABLE parameter to true to enable the new encryption algorithm.
    • Set the com.kintana.core.server.DB_PASSWORD parameter to the encrypted value you get in Step 7 to reset the DB password.
    • Set the com.kintana.core.server.LDAP_PASSWORD parameter to the encrypted value you get in Step 7 to reset the LDAP password.

    Note:  

    • You may have to modify these parameter values directly in the server.conf file. We recommend that you do not run ppm_config.exe (on Windows) or kConfig.sh (on Unix) to modify these parameters.
    • If your system is not integrated with LDAP, you do not need to reset the LDAP password.
  9. Run the kUpdateHtml.sh script (sh ./kUpdateHtml.sh) located in the <PPM_Home>/bin directory to apply your changes to the three parameters.
  10. Start the PPM Server.
  11. (Optional) If your system is integrated with LDAP, and you want to import data from LDAP and set a default password for the Import Users report or the Run PPM Organization Unit Interface report, you need to add an additional command to the report type you use.

    To do so,

    1. Log on to PPM.
    2. From the menu bar, select Open > Administration > Open Workbench.

      The PPM Workbench opens.

    3. From the shortcut bar, select Configuration > Report Types.

      The Report Type Workbench opens.

    4. Click List, and then select the desired report type.

    5. Open the report type either by double-clicking it or clicking Open.

      The Report Type: <Report> window opens.

    6. Click New Cmd under the Commands tab.

      The New Command window opens.

    7. Enter a name for the new command.
    8. Type the following in the Steps field:

      ksc_run_java com.kintana.core.server.tools.FIPSPasswordInterfaceTable "[TEMP_GROUP_ID]"

      Note: TEMP_GROUP_ID is the default name of the temp token. If you have changed the token name, replace TEMP_GROUP_ID with the name you used for the token.

    9. Click Add.

      You are returned to the Report Type: <Report> window.

    10. Adjust the position of the added command with the up and down buttons so that it is listed below the Encrypt Password command.
    11. Click OK.
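As an added check (example code, not part of PPM or its documentation), the following Python function verifies that a java.security file carries the four edits described in step 4 above: JsafeJCE as provider 1, contiguous provider numbering, both FIPS settings present, and securerandom.source commented out. The two sample file contents are constructed for the example.

```python
import re

# Constructed samples (not copied from any JRE): a java.security provider section
# before and after the step-4 edits.
UNEDITED_JAVA_SECURITY = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
securerandom.source=file:/dev/urandom
"""
FIPS_JAVA_SECURITY = """\
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
com.rsa.cryptoj.fips140initialmode=FIPS140_MODE
com.rsa.crypto.default.random=ECDRBG
#securerandom.source=file:/dev/urandom
"""
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)$")
FIPS_SETTINGS = {"com.rsa.cryptoj.fips140initialmode": "FIPS140_MODE",
                 "com.rsa.crypto.default.random": "ECDRBG"}

def check_java_security(text):
    """Return findings for a java.security file; an empty list means all step-4 edits are in place."""
    providers = []  # (sequence number, class name) for each active provider line
    settings = {}   # every other active key=value line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out lines are inactive
        m = PROVIDER_RE.match(line)
        if m:
            providers.append((int(m.group(1)), m.group(2)))
        elif "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    findings = []
    # 4.1: JsafeJCE must be provider 1 so it is consulted before the JRE's own providers.
    if dict(providers).get(1) != "com.rsa.jsafe.provider.JsafeJCE":
        findings.append("security.provider.1 is not com.rsa.jsafe.provider.JsafeJCE")
    # 4.2: sequence numbers must run 1, 2, 3, ... with no gaps or duplicates.
    if sorted(n for n, _ in providers) != list(range(1, len(providers) + 1)):
        findings.append("provider sequence numbers are not contiguous from 1")
    # 4.3: both FIPS settings must be present with the documented values.
    for key, expected in FIPS_SETTINGS.items():
        if settings.get(key) != expected:
            findings.append(f"{key} is not set to {expected}")
    # 4.4: the securerandom.source line must be commented out.
    if "securerandom.source" in settings:
        findings.append("securerandom.source is still active; comment it out")
    return findings
```

Run it against the real <JAVA_Home>/jre/lib/security/java.security after step 4 and before restarting the PPM Server; any finding points at the sub-step that still needs attention.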