23.1 Configuring Distributed Search in FIPS 140-2 Mode

This section provides information about configuring distributed search in FIPS 140-2 mode.

Scenario 1: Both the source and the target Sentinel servers are in FIPS 140-2 mode

To allow distributed searches across multiple Sentinel servers running in FIPS 140-2 mode, you need to add the certificates used for secure communication to the FIPS keystore.

  1. Log in to the distributed search source computer.

  2. Browse to the certificate directory:

    cd <sentinel_install_directory>/config
  3. Copy the source certificate (sentinel.cer) to a temporary location on the target computer.

  4. Import the source certificate into the target Sentinel FIPS keystore.

    For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.

  5. Log in to the distributed search target computer.

  6. Browse to the certificate directory:

    cd /etc/opt/novell/sentinel/config
  7. Copy the target certificate (sentinel.cer) to a temporary location on the source computer.

  8. Import the target system certificate into the source Sentinel FIPS keystore.

  9. Restart the Sentinel services on both the source and target computer.

Scenario 2: The source Sentinel server is in non-FIPS mode and the target Sentinel server is in FIPS 140-2 mode

You must convert the Web server keystore on the source computer to the certificate format and then export the certificate to the target computer.

  1. Log in to the distributed search source computer.

  2. Create the Web server keystore in certificate (.cer) format:

    <sentinel_install_directory>/jdk/jre/bin/keytool -export -alias webserver -keystore <sentinel_install_directory>/config/.webserverkeystore.jks -storepass password -file <certificate_name.cer>
  3. Copy the distributed search source certificate (Sentinel.cer) to a temporary location on the distributed search target computer.

  4. Log in to the distributed search target computer.

  5. Import the source certificate into the target Sentinel FIPS keystore.

    For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.

  6. Restart Sentinel services on the target computer.

Scenario 3: The source Sentinel server is in FIPS mode and the target Sentinel server is in non-FIPS mode

  1. Log in to the distributed search target computer.

  2. Create the Web server keystore in certificate (.cer) format:

    <sentinel_install_directory>/jdk/jre/bin/keytool -export -alias webserver -keystore <sentinel_install_directory>/config/.webserverkeystore.jks -storepass password -file <certificate_name.cer>
  3. Copy the certificate to a temporary location on the distributed search source computer.

  4. Import the target certificate into the source Sentinel FIPS keystore.

    For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database.

  5. Restart the Sentinel services on the source computer.