16.1 Sending Events in FIPS Mode

Secure Configuration Manager can send events to Sentinel when either or both of the applications are in FIPS mode. For more information about FIPS Mode, see Enabling FIPS Communication.

16.1.1 Sentinel is in FIPS Mode

For information about FIPS mode configuration in Sentinel, see the Sentinel Documentation.

By default, Sentinel uses an NSS provider when FIPS mode is enabled. To connect to the Secure Configuration Manager server, you need to add the Secure Configuration Manager server certificate to Sentinel's NSS truststore.

Use keytool to export the Secure Configuration Manager certificate from vssl.keystore to a file, then import that file into the Sentinel NSS truststore. Keytool is located by default in the C:\Program Files (x86)\NetIQ\Secure Configuration Manager\Core Services\jre\bin folder.

  1. To export the Secure Configuration Manager certificate, enter the following command:

    keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias alias_of_keystore_server -file certificate_name.cer

    For example:

    keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias vsskey -file myserver.cer
  2. On the Sentinel server, copy the certificate file to the /tmp folder.

  3. To import the certificate, run the following command:

    /usr/bin/certutil -A -d /etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n "name_of_Secure_Configuration_Manager_server" -i /tmp/certificate_name.cer
  4. When prompted, enter the password for the server.

  5. Restart the Sentinel server.

16.1.2 Secure Configuration Manager is in FIPS Mode

When Secure Configuration Manager is in FIPS mode, it uses an NSS provider. You need to import the Sentinel certificate into the Secure Configuration Manager NSS database.

  1. To export the Sentinel web server certificate, enter the following command:

    /opt/novell/sentinel/jre/bin/keytool -export -keystore .webserverkeystore.jks -alias webserver -file 200.cer
  2. To import the certificate to the Secure Configuration Manager server, enter the following command:

    certutil.exe -A -d c:\SCMNSS\etc -i "c:\200.cer" -n webserver -t "CT,CT,CT"
  3. Restart NetIQ Core Services.

16.1.3 Both Secure Configuration Manager and Sentinel are in FIPS Mode

If Sentinel and Secure Configuration Manager are both in FIPS mode, each uses an NSS provider. You need to add each application's certificate to the other application's NSS keystore.

Use keytool to export the certificates. Keytool is located by default in the C:\Program Files (x86)\NetIQ\Secure Configuration Manager\Core Services\jre\bin folder.

Add the Certificate to Sentinel

  1. Log in to the Secure Configuration Manager server.

  2. To export the certificate from the NSS store, enter the following command:

    c:\Program Files\NetIQ\Secure Configuration Manager\Core Services\jre\bin>keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias vsskey -file alias_of_keystore_server.cer

    For example:

    c:\Program Files\NetIQ\Secure Configuration Manager\Core Services\jre\bin>keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias vsskey -file myserver.cer
  3. Enter the password or PIN for the NSS FIPS certificate database.

    You can also specify the credentials in the nss/keystore/password field in the Advanced tab of the Core Services Configuration Utility.

  4. On the Sentinel server, copy the certificate file to the /tmp folder.

  5. To import the certificate, run the following command:

    /usr/bin/certutil -A -d /etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n "alias_of_Secure_Configuration_Manager_server" -i /tmp/certificate_name.cer

    For example:

    /usr/bin/certutil -A -d /etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n "vsskey" -i /tmp/SCMserver.cer
  6. To set the trust flags on Sentinel, enter the following command, where server_name is the nickname you assigned to the certificate with -n in step 5:

    certutil -M -n server_name -t "CT,C,C" -d /etc/opt/novell/sentinel/3rdparty/nss/
  7. Restart the Sentinel server.

Add the Certificate to Secure Configuration Manager

  1. Log in to the Sentinel server.

  2. To export the certificate from the NSS store, enter the following command:

    ./keytool -export -keystore .webserverkeystore.jks -alias webserver -file webserver.cer
  3. On the Secure Configuration Manager, import the certificate with the following command:

    c:\Program Files\NetIQ\Secure Configuration Manager\Core Services\bin>certutil.exe -A -d c:\SCMNSS\etc -i "webserver.cer" -n webserver -t "CT,CT,CT"
  4. To set the certificate flag, enter the following command:

    certutil -M -n webserver -t "CT,CT,CT" -d c:\SCMNSS\etc
  5. Restart NetIQ Core Services.
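After the certutil -A and certutil -M steps above (on either server), a practitioner will want to confirm that the certificate actually landed in the NSS database under the expected nickname with the expected trust flags before restarting services. The following is an added example, not part of the NetIQ documentation: it parses the listing that certutil -L -d <dbdir> prints and compares the trust column against the -t value that was passed. The sample listing is constructed, not captured from a real server; the live_listing helper and the nickname values are assumptions for illustration.

```python
"""Verify NSS trust flags after a certutil import by parsing `certutil -L` output."""
import subprocess

# Trust-flag letters as documented for certutil -t (one set per category).
FLAG_MEANING = {
    "p": "valid peer", "P": "trusted peer", "c": "valid CA",
    "C": "trusted CA for server certs", "T": "trusted CA for client certs",
    "u": "user cert (private key present)",
}
CATEGORIES = ("SSL", "S/MIME", "JAR/XPI")   # column order in certutil -L

def parse_listing(text):
    """Map nickname -> (ssl, smime, objsign) flag strings from certutil -L text."""
    certs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)        # nickname may contain spaces
        if len(parts) != 2:
            continue                        # blank line or lone header column
        nick, trust = parts[0].strip(), parts[1]
        cats = trust.split(",")
        # Header line ends in "Attributes"; real rows have exactly three flag sets
        if len(cats) != 3 or not all(ch in FLAG_MEANING for c in cats for ch in c):
            continue
        certs[nick] = tuple(cats)
    return certs

def describe(trust):
    """Human-readable meaning of each category's flags."""
    return {cat: [FLAG_MEANING[ch] for ch in flags] for cat, flags in zip(CATEGORIES, trust)}

def check_trust(text, nickname, expected):
    """Return (ok, message); expected is the -t string, e.g. 'CT,CT,CT'."""
    certs = parse_listing(text)
    if nickname not in certs:
        return False, f"{nickname!r} not in database: certutil -A did not import it"
    actual = ",".join(certs[nickname])
    if actual != expected:
        return False, f"{nickname!r} has trust {actual}, expected {expected}: rerun certutil -M"
    return True, f"{nickname!r} trust OK: {describe(certs[nickname])}"

def live_listing(db_dir):
    """Run certutil against a real database, e.g. /etc/opt/novell/sentinel/3rdparty/nss."""
    return subprocess.run(["certutil", "-L", "-d", db_dir],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample of certutil -L output (not from a real server).
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vsskey                                                       CT,C,C
webserver                                                    u,u,u
"""

if __name__ == "__main__":
    print(check_trust(SAMPLE, "vsskey", "CT,C,C"))        # OK
    print(check_trust(SAMPLE, "webserver", "CT,CT,CT"))   # mismatch reported
```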