10.3 FIPS in Data Federation

This section describes how to configure distributed search when one or both of the Change Guardian servers involved run in FIPS 140-2 mode. In every case the server that is in FIPS 140-2 mode must have the other server's certificate in its FIPS keystore; the three scenarios below differ only in where that certificate comes from.

Scenario 1: Both the source and the target Change Guardian Servers are in FIPS 140-2 mode

To allow distributed searches between Change Guardian servers that are both running in FIPS 140-2 mode, each server must trust the certificate the other uses for secure communication. Add each server's certificate to the other server's FIPS keystore:

  1. Log in to the distributed search source computer.

  2. Browse to the certificate directory:

    cd /etc/opt/novell/sentinel/config

  3. Copy the source certificate (sentinel.cer) to a temporary location on the target computer.

  4. Import the source certificate into the target server’s FIPS keystore.

    For more information about importing the certificate, see Section 10.3.1, Import Certificates into the FIPS Keystore Database.

  5. Log in to the distributed search target computer.

  6. Browse to the certificate directory:

    cd /etc/opt/novell/sentinel/config

  7. Copy the target certificate (sentinel.cer) to a temporary location on the source computer.

  8. Import the target certificate into the source server’s FIPS keystore, in the same way as in step 4.

  9. Restart the Change Guardian service on both the source and target computers:

    rcsentinel restart

Scenario 2: The source Change Guardian Server is in non-FIPS mode and the target Change Guardian Server is in FIPS 140-2 mode

Only the target server has a FIPS keystore, so only the source certificate needs to be imported. Because the source server is in non-FIPS mode, export its certificate from the Web server keystore as a .cer file and copy that file to the target computer.

  1. Log in to the distributed search source computer.

  2. Export the Web server certificate from the source server's Web server keystore to a certificate (.cer) file, where password is the Web server keystore password:

    /opt/novell/sentinel/jdk/jre/bin/keytool -export -alias webserver -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password -file <certificate_name.cer>

  3. Copy the certificate to a temporary location on the distributed search target computer.

  4. Log in to the distributed search target computer.

  5. Import the source certificate into the target server’s FIPS keystore.

    For more information about importing the certificate, see Section 10.3.1, Import Certificates into the FIPS Keystore Database.

  6. Restart the Change Guardian service on the target computer:

    rcsentinel restart

Scenario 3: The source Change Guardian Server is in FIPS 140-2 mode and the target Change Guardian Server is in non-FIPS mode

This is the mirror image of Scenario 2: export the target server's Web server certificate and import it into the source server's FIPS keystore.

  1. Log in to the distributed search target computer.

  2. Export the Web server certificate from the target server's Web server keystore to a certificate (.cer) file, where password is the Web server keystore password:

    /opt/novell/sentinel/jdk/jre/bin/keytool -export -alias webserver -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password -file <certificate_name.cer>

  3. Copy the certificate to a temporary location on the distributed search source computer.

  4. Import the target certificate into the source server’s FIPS keystore.

    For more information about importing the certificate, see Section 10.3.1, Import Certificates into the FIPS Keystore Database.

  5. Restart the Change Guardian service on the source computer:

    rcsentinel restart

10.3.1 Import Certificates into the FIPS Keystore Database

  1. Copy the certificate file to a temporary location on the Change Guardian server or remote Collector Manager. Every certificate imported here becomes trusted by the FIPS keystore, so confirm that the file is the one the peer server's administrator exported, for example by comparing its fingerprint (keytool -printcert -file <path to certificate>) with the value they report.

  2. Make the novell user the owner of the certificate file:

    chown novell:novell /<path to certificate>

  3. Make the certificate file world-readable:

    chmod 644 /<path to certificate>

  4. Browse to the Sentinel bin directory. The default location is /opt/novell/sentinel/bin.

  5. Run the following command to import the certificate into the FIPS keystore database, and then follow the on-screen instructions:

    ./convert_to_fips.sh -i <certificate file path>

  6. Enter yes or y when prompted to restart the Change Guardian server or remote Collector Manager.
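The following script is an added example and is not part of the Change Guardian documentation or product. It wraps the three scenarios in Section 10.3 and the import procedure in Section 10.3.1 so that a peer server's certificate is always checked against a fingerprint received separately before it is added to the local FIPS keystore. The paths, the webserver keystore alias and convert_to_fips.sh -i are those given on this page; the fips/nonfips mode argument, the KEYSTORE_PASS environment variable (defaulting to the placeholder password used above) and the fingerprint that the peer's administrator passes on out-of-band are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the Change Guardian documentation: certificate
# exchange for FIPS distributed search with a fingerprint check before import.
# Paths, the "webserver" alias and convert_to_fips.sh -i come from Section 10.3;
# the fips|nonfips mode switch, KEYSTORE_PASS and the out-of-band fingerprint
# are assumptions of this example.
set -eu

SENTINEL_BIN=/opt/novell/sentinel/bin
CONFIG_DIR=/etc/opt/novell/sentinel/config
KEYTOOL=/opt/novell/sentinel/jdk/jre/bin/keytool
KEYSTORE_PASS="${KEYSTORE_PASS:-password}"   # placeholder value used on the page

# Canonical form of a fingerprint: upper-case hex only, separators and
# whitespace removed, so a value read out over the phone or pasted from a
# ticket compares equal to what keytool prints.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# Returns 0 when both arguments denote the same digest, 1 otherwise.
# An empty expected value never matches: skipping the check is the failure mode.
fingerprints_match() {
    expected=$(normalize_fingerprint "$1")
    actual=$(normalize_fingerprint "$2")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# SHA-256 fingerprint of a DER or PEM certificate file, as printed by keytool.
cert_fingerprint() {
    "$KEYTOOL" -printcert -file "$1" \
        | awk -F': ' '/^[[:space:]]*SHA256:/ { print $2; exit }'
}

# Produce the certificate this server gives to its peer: in FIPS mode the
# page's sentinel.cer, in non-FIPS mode an export of the webserver alias.
export_local_cert() {   # usage: export_local_cert fips|nonfips OUTFILE
    case "$1" in
        fips)    cp "$CONFIG_DIR/sentinel.cer" "$2" ;;
        nonfips) "$KEYTOOL" -export -alias webserver \
                     -keystore "$CONFIG_DIR/.webserverkeystore.jks" \
                     -storepass "$KEYSTORE_PASS" -file "$2" ;;
        *)       echo "mode must be fips or nonfips" >&2; return 2 ;;
    esac
    echo "certificate written to $2"
    echo "SHA-256 fingerprint to hand to the peer administrator: $(cert_fingerprint "$2")"
}

# On a FIPS-mode server: refuse the file unless its fingerprint is the one the
# peer administrator reported, then follow 10.3.1 (ownership, mode, import;
# convert_to_fips.sh itself prompts for the restart).
import_peer_cert() {    # usage: import_peer_cert /full/path/cert.cer EXPECTED_SHA256
    actual=$(cert_fingerprint "$1")
    if ! fingerprints_match "$2" "$actual"; then
        echo "refusing to import $1: fingerprint $actual, expected $2" >&2
        return 1
    fi
    chown novell:novell "$1"
    chmod 644 "$1"
    (cd "$SENTINEL_BIN" && ./convert_to_fips.sh -i "$1")
}

case "${1:-}" in
    export) export_local_cert "${2:?mode fips or nonfips}" "${3:?output file}" ;;
    import) import_peer_cert "${2:?certificate file}" "${3:?expected SHA-256}" ;;
    "")     ;;   # no arguments: only define the functions above
    *)      echo "usage: $0 export fips|nonfips OUTFILE | import CERTFILE EXPECTED_SHA256" >&2
            exit 2 ;;
esac
```

Run it as root on the exporting server with export fips /tmp/sentinel.cer (or export nonfips for a non-FIPS server); it prints the fingerprint to pass to the peer's administrator through a channel other than the one used for the file. On the FIPS-mode peer, import /tmp/peer.cer <fingerprint> aborts before touching the keystore if the copied file does not match. The protection depends on the fingerprint travelling separately from the certificate, so do not send both in the same message.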