This section provides information about configuring various Sentinel plug-ins to run in FIPS 140-2 mode.
NOTE: These instructions assume that Sentinel is installed in the /opt/novell/sentinel directory.
If Sentinel is installed at a custom path, for example <sentinel_installation_path>, use the corresponding directory <sentinel_installation_path>/opt/novell/sentinel instead. Run all the commands as the novell user.
Follow the procedure below only if you have selected the Encrypted (HTTPS) option when configuring the networking settings of the Agent Manager Event Source Server.
To configure the Agent Manager Connector to run in FIPS 140-2 mode:
Add or edit the Agent Manager Event Source Server. Proceed through the configuration screens until the Security window is displayed. For more information, see the Agent Manager Connector Guide.
Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the SSL Agent Manager Event Source Server verifies the identity of Agent Manager Event Sources that are attempting to send data.
Open: Allows all the SSL connections coming from the Agent Manager agents. Does not perform any client certificate validation or authentication.
Strict: Validates the certificate to be a valid X.509 certificate and also checks that the client certificate is trusted by the Event Source Server. New sources will need to be explicitly added to Sentinel (this prevents rogue sources from sending unauthorized data).
For the Strict option, you must import the certificate of each new Agent Manager client into the Sentinel FIPS keystore. When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface.
For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
NOTE: In FIPS 140-2 mode, the Agent Manager Event Source Server uses the Sentinel server key pair; importing the server key pair is not required.
If server authentication is enabled in the agents, the agents must additionally be configured to trust the Sentinel server or the remote Collector Manager certificate depending on where the Connector is deployed.
Sentinel server certificate location: /etc/opt/novell/sentinel/config/sentinel.cer
Remote Collector Manager certificate location: /etc/opt/novell/sentinel/config/rcm.cer
NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), the Agent Manager agent must trust the appropriate certificate file.
Follow the procedure below only if you have selected the SSL option when configuring the database connection.
To configure the Database Connector to run in FIPS 140-2 mode:
Before configuring the Connector, download the certificate from the database server and save it as the database.cert file in the /etc/opt/novell/sentinel/config directory of the Sentinel server.
For more information, refer to the respective database documentation.
Import the certificate into the Sentinel FIPS keystore.
For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
Proceed with configuring the Connector.
Follow the procedure below only if you have selected the Encrypted (HTTPS) option when configuring the networking settings of the Sentinel Link Event Source Server.
To configure the Sentinel Link Connector to run in FIPS 140-2 mode:
Add or edit the Sentinel Link Event Source Server. Proceed through the configuration screens until the Security window is displayed. For more information, see the Sentinel Link Connector Guide.
Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the SSL Sentinel Link Event Source Server verifies the identity of Sentinel Link Event Sources (Sentinel Link Integrators) that are attempting to send data.
Open: Allows all the SSL connections coming from the clients (Sentinel Link Integrators). Does not perform any Integrator certificate validation or authentication.
Strict: Validates the Integrator certificate to be a valid X.509 certificate and also checks that the Integrator certificate is trusted by the Event Source Server. For more information, refer to the respective database documentation.
For the Strict option:
If the Sentinel Link Integrator is in FIPS 140-2 mode, you must copy the /etc/opt/novell/sentinel/config/sentinel.cer file from the sender Sentinel machine to the receiver Sentinel machine. Import this certificate into the receiver Sentinel FIPS keystore.
NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), you must import the appropriate custom certificate file.
If the Sentinel Link Integrator is in non-FIPS mode, you must import the custom Integrator certificate into the receiver Sentinel FIPS keystore.
NOTE: If the sender is Sentinel Log Manager (in non-FIPS mode) and the receiver is Sentinel in FIPS 140-2 mode, the server certificate to be imported on the sender is the /etc/opt/novell/sentinel/config/sentinel.cer file from the receiver Sentinel machine.
When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
NOTE: In FIPS 140-2 mode, the Sentinel Link Event Source Server uses the Sentinel server key pair. Importing the server key pair is not required.
Follow the procedure below only if you have selected the SSL protocol when configuring the network settings of the Syslog Event Source Server.
To configure the Syslog Connector to run in FIPS 140-2 mode:
Add or edit the Syslog Event Source Server. Proceed through the configuration screens until the Networking window is displayed. For more information, see the Syslog Connector Guide.
Click Settings.
Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the SSL Syslog Event Source Server verifies the identity of Syslog Event Sources that are attempting to send data.
Open: Allows all the SSL connections coming from the clients (event sources). Does not perform any client certificate validation or authentication.
Strict: Validates the certificate to be a valid X.509 certificate and also checks that the client certificate is trusted by the Event Source Server. New sources will have to be explicitly added to Sentinel (this prevents rogue sources from sending data to Sentinel).
For the Strict option, you must import the certificate of the syslog client into the Sentinel FIPS keystore.
When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface.
For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
NOTE: In FIPS 140-2 mode, the Sentinel Link Event Source Server uses the Sentinel server key pair. Importing the server key pair is not required.
If server authentication is enabled in the syslog client, the client must trust the Sentinel server certificate or the remote Collector Manager certificate depending on where the Connector is deployed.
The Sentinel server certificate file is at /etc/opt/novell/sentinel/config/sentinel.cer.
The remote Collector Manager certificate file is at /etc/opt/novell/sentinel/config/rcm.cer.
NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), the client must trust the appropriate certificate file.
To configure the Windows Event (WMI) Connector to run in FIPS 140-2 mode:
Add or edit the Windows Event Connector. Proceed through the configuration screens until the Security window is displayed. For more information, see the Windows Event (WMI) Connector Guide.
Click Settings.
Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the Windows Event Connector verifies the identity of the client Windows Event Collection Services (WECS) that are attempting to send data.
Open: Allows all the SSL connections coming from the client WECS. Does not perform any client certificate validation or authentication.
Strict: Validates the certificate to be a valid X.509 certificate and also checks that the client WECS certificate is signed by a CA. New sources will need to be explicitly added (this prevents rogue sources from sending data to Sentinel).
For the Strict option, you must import the certificate of the client WECS into the Sentinel FIPS keystore. When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface.
For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
NOTE: In FIPS 140-2 mode, the Windows Event Source Server uses the Sentinel server key pair. Importing the server key pair is not required.
If server authentication is enabled in the Windows client, the client must trust the Sentinel server certificate or the remote Collector Manager certificate depending on where the Connector is deployed.
The Sentinel server certificate file is at /etc/opt/novell/sentinel/config/sentinel.cer.
The remote Collector Manager certificate file is at /etc/opt/novell/sentinel/config/rcm.cer.
NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), the client must trust the appropriate certificate file.
If you want to automatically synchronize the event sources or populate the list of event sources using an Active Directory connection, you must import the Active Directory server certificate into the Sentinel FIPS keystore.
For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
Follow the procedure below only if you have selected the Encrypted (HTTPS) option when configuring the network settings of the Sentinel Link Integrator.
To configure the Sentinel Link Integrator to run in FIPS 140-2 mode:
When the Sentinel Link Integrator is in FIPS 140-2 mode, server authentication is mandatory. Before configuring the Integrator instance, import the Sentinel Link Server certificate into the Sentinel FIPS keystore:
If the Sentinel Link Connector is in FIPS 140-2 mode:
If the Connector is deployed in the Sentinel server, you must copy the /etc/opt/novell/sentinel/config/sentinel.cer file from the receiver Sentinel machine to the sender Sentinel machine.
If the Connector is deployed in a remote Collector Manager, you must copy the /etc/opt/novell/sentinel/config/rcm.cer file from the receiver remote Collector Manager machine to the receiver Sentinel machine.
Import this certificate into the sender Sentinel FIPS keystore.
NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), you must import the appropriate custom certificate file.
If the Sentinel Link Connector is in non-FIPS mode:
Import the custom Sentinel Link Server certificate into the sender Sentinel FIPS keystore.
NOTE: When the Sentinel Link Integrator is in FIPS 140-2 mode and the Sentinel Link Connector is in non-FIPS mode, use the custom server key pair on the Connector. Do not use the internal server key pair.
For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
Proceed with configuring the Integrator instance.
NOTE: In FIPS 140-2 mode, the Sentinel Link Integrator uses the Sentinel server key pair. Importing the Integrator key pair is not required.
To configure the LDAP Integrator to run in FIPS 140-2 mode:
Before configuring the Integrator instance, download the certificate from the LDAP server and save it as the ldap.cert file in the /etc/opt/novell/sentinel/config directory of the Sentinel server.
For example, run
openssl s_client -connect <LDAP server IP>:636
and then copy the text returned (between, but not including, the BEGIN and END lines) into a file.
Import the certificate into the Sentinel FIPS keystore.
For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.
Proceed with configuring the Integrator instance.
The SMTP Integrator supports FIPS 140-2 from version 2011.1r2 and later. No configuration changes are required.
Perform the following procedure only if you have selected the Encrypted (SSL) option when configuring the network settings of the Syslog Integrator.
To configure the Syslog Integrator to run in FIPS 140-2 mode:
When the Syslog Integrator is in FIPS 140-2 mode, server authentication is mandatory. Before configuring the Integrator instance, import the Syslog Server certificate into the Sentinel FIPS keystore:
If the Syslog Connector is in FIPS 140-2 mode: If the Connector is deployed in the Sentinel server, you must copy the /etc/opt/novell/sentinel/config/sentinel.cer file from the receiver Sentinel server to the sender Sentinel server.
If the Connector is deployed in a remote Collector Manager, you must copy the /etc/opt/novell/sentinel/config/rcm.cer file from the receiver remote Collector Manager computer to the receiver Sentinel computer.
Import this certificate into the sender Sentinel FIPS keystore.
NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), you must import the appropriate custom certificate file.
If the Syslog Connector is in non-FIPS mode: You must import the custom Syslog Server certificate into the sender Sentinel FIPS keystore.
NOTE: When the Syslog Integrator is in FIPS 140-2 mode and the Syslog Connector is in non-FIPS mode, use the custom server key pair on the Connector. Do not use the internal server key pair.
To import certificates to the FIPS Keystore Database:
Copy the certificate file to any temporary location on the Sentinel server or remote Collector Manager.
Go to the /opt/novell/sentinel/bin directory.
Run the following command to import the certificate into the FIPS keystore database, and then follow the on-screen instructions:
./convert_to_fips.sh -i <certificate file path>
Enter yes or y when prompted to restart the Sentinel server or remote Collector Manager.
Proceed with configuring the Integrator instance.
NOTE: In FIPS 140-2 mode, the Syslog Integrator uses the Sentinel server key pair. Importing the Integrator key pair is not required.
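The following script is an added example, not part of the Sentinel documentation or product. It automates the two manual steps above: capturing the LDAP server certificate with openssl s_client (keeping only the text between the BEGIN and END lines, as the LDAP Integrator procedure instructs) and passing the saved file to convert_to_fips.sh as in the FIPS keystore import procedure. The LDAP host, the SENTINEL_HOME and CONFIG_DIR variables, and the sample s_client output are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not Sentinel's own code). Captures an LDAP server certificate
# the way the LDAP Integrator procedure describes, then imports it with
# convert_to_fips.sh. Host and the two directory variables are assumptions.

SENTINEL_HOME="${SENTINEL_HOME:-/opt/novell/sentinel}"
CONFIG_DIR="${CONFIG_DIR:-/etc/opt/novell/sentinel/config}"

# Read openssl s_client output on stdin and print the base64 body of the first
# certificate, without its BEGIN/END lines. Exit status 1 if no block was found.
extract_cert_body() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; found = 1; next }
        /-----END CERTIFICATE-----/   { if (inblock) exit }
        inblock                       { print }
        END                           { exit (found ? 0 : 1) }
    '
}

# Connect to the LDAP server over LDAPS and save its certificate as ldap.cert.
# Usage: fetch_ldap_cert <LDAP server IP or host> [port]
fetch_ldap_cert() {
    host="$1"; port="${2:-636}"; out="$CONFIG_DIR/ldap.cert"
    # </dev/null closes the session once openssl has printed the certificate
    if ! openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
            | extract_cert_body > "$out"; then
        echo "no certificate received from $host:$port" >&2
        rm -f "$out"
        return 1
    fi
    echo "saved certificate to $out"
}

# Import a saved certificate into the Sentinel FIPS keystore. The script
# prompts on screen and offers to restart Sentinel; answer yes. Run as novell.
import_into_fips_keystore() {
    cd "$SENTINEL_HOME/bin" && ./convert_to_fips.sh -i "$1"
}

# Constructed sample of s_client output, used only to exercise the parser.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.test
-----BEGIN CERTIFICATE-----
MIIBsampleBase64LineOne
MIIBsampleBase64LineTwo
-----END CERTIFICATE-----
---'
```

A real run is `fetch_ldap_cert <LDAP server IP> && import_into_fips_keystore "$CONFIG_DIR/ldap.cert"` on the Sentinel server; the parser refuses output that contains no certificate block, so a failed handshake does not leave an empty ldap.cert behind.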
This section provides information about how to use non-FIPS-enabled Connectors with a Sentinel server in FIPS 140-2 mode. We recommend this approach if you have sources that do not support FIPS or if you want to collect events from the non-FIPS Connectors in your environment.
To use non-FIPS connectors with Sentinel in FIPS 140-2 mode:
Install a Collector Manager in non-FIPS mode to connect to the Sentinel server in FIPS 140-2 mode.
For more information, see Section III, Installing Sentinel.
Deploy the non-FIPS Connectors specifically to the non-FIPS remote Collector Manager.
NOTE: There are some known issues when non-FIPS Connectors such as the Audit Connector and File Connector are deployed on a non-FIPS remote Collector Manager connected to a Sentinel server in FIPS 140-2 mode. For more information about these known issues, see the Sentinel 8.6 Release Notes.