22.1 Enabling Sentinel Server to Run in FIPS 140-2 Mode

To enable the Sentinel Server to run in FIPS 140-2 mode:

  1. Log in to the Sentinel server.

  2. Switch to the novell user:

    su novell

  3. Browse to the Sentinel bin directory.

  4. Run the convert_to_fips.sh script and follow the on-screen instructions.

    When prompted, add the path of the OpenSearch certificate: <sentinel_installation_path>/opt/novell/sentinel/3rdparty/opensearch/config/certs/<certificate_name>.pem

    Where <certificate_name> has the following values:

    • root-ca

    • admin

    • node

    • client

    NOTE: For each external certificate prompted, add the above certificates one by one, giving the complete path.

    For example:

    <sentinel_installation_path>/opt/novell/sentinel/3rdparty/opensearch/config/certs/root-ca.pem

    Enter a unique alias name for this certificate when prompted. Add the remaining certificates one by one in the same way, providing a unique alias for each of them.

  5. (Conditional) If you are using the CRL feature, add the path of the client certificate <sentinel_installation_path>/etc/opt/novell/sentinel/config/ when it prompts for the external certificate. You can either use the default client certificate (.defaultRestClient.p12) or use your own customized certificate. For more information about creating a custom certificate, see Creating and Importing a Custom Certificate.

  6. (Conditional) If your environment uses multi-factor or strong authentication:

    1. Run the create_mfa_fips_keys.sh script and follow the on-screen instructions.

      NOTE: The script requires the password for the NSS database.

    2. Provide the Sentinel client ID and Sentinel client secret. For more information about authentication methods, see Authentication Methods in the Sentinel Administration Guide.

      To retrieve the Sentinel client ID and Sentinel client secret, go to the following URL:

      https://Hostname:port/SentinelAuthServices/oauth/clients

      Where:

      • Hostname is the host name of the Sentinel server.

      • port is the port Sentinel uses (typically 8443).

      The specified URL uses your current Sentinel session to retrieve the Sentinel client ID and Sentinel client secret.

  7. Restart the Sentinel server.

  8. Complete the FIPS 140-2 mode configuration by following the tasks mentioned in Section 23.0, Operating Sentinel in FIPS 140-2 Mode.
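The conversion script in step 4 prompts for each certificate interactively, so it helps to confirm beforehand that every file it will ask for is present and PEM-encoded, and to decide the aliases up front. The following pre-flight check is an added example, not one of the Sentinel scripts; the function name sentinel_fips_cert_list, its arguments (installation path, and the word crl to also check the default CRL client certificate from step 5) and the opensearch-<name> alias scheme are assumptions for this example.

```shell
#!/bin/sh
# Pre-flight check before running convert_to_fips.sh (added example, not part
# of Sentinel). Prints one "<alias> <path>" line per certificate that the
# conversion will prompt for, reports problems on stderr, and returns non-zero
# if any file is missing or does not look like a PEM certificate.
#   $1 - <sentinel_installation_path>
#   $2 - "crl" to also check the default CRL client certificate (assumed flag)
sentinel_fips_cert_list() {
    install_path="$1"
    crl_mode="${2:-}"
    certdir="$install_path/opt/novell/sentinel/3rdparty/opensearch/config/certs"
    rc=0
    # The four OpenSearch certificates listed in step 4, each with its own alias
    # so that no two certificates are imported under the same name.
    for name in root-ca admin node client; do
        pem="$certdir/$name.pem"
        cert_alias="opensearch-$name"   # assumed alias scheme
        if [ ! -r "$pem" ]; then
            echo "MISSING $cert_alias $pem" >&2
            rc=1
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
            echo "NOT-PEM $cert_alias $pem" >&2
            rc=1
        else
            echo "$cert_alias $pem"
        fi
    done
    # Step 5: the default client certificate used when the CRL feature is on.
    if [ "$crl_mode" = "crl" ]; then
        p12="$install_path/etc/opt/novell/sentinel/config/.defaultRestClient.p12"
        if [ -r "$p12" ]; then
            echo "sentinel-rest-client $p12"
        else
            echo "MISSING sentinel-rest-client $p12" >&2
            rc=1
        fi
    fi
    return $rc
}
```

Run it as the novell user with the real installation path before step 4; a non-zero exit means the conversion would stall at a prompt for a certificate that is not there.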