17.1 Sending Events in FIPS Mode

Secure Configuration Manager can send events to Sentinel when either or both of the applications are in FIPS mode. For more information about FIPS Mode, see Enabling FIPS Communication.

17.1.1 Sentinel is in FIPS Mode

For information about FIPS mode configuration in Sentinel, see the Sentinel Documentation.

By default, Sentinel uses an NSS provider when FIPS mode is enabled. To connect to the Secure Configuration Manager server, you need to add the Secure Configuration Manager server certificate to Sentinel's NSS truststore.

Use keytool to export the Secure Configuration Manager certificate to Sentinel NSS truststore from vssl.keystore. Keytool is located by default in the C:\Program Files (x86)\NetIQ\Secure Configuration Manager\Core Services\jre\bin folder.

  1. To export the Secure Configuration Manager certificate, enter the following command:

    keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias alias_of_keystore_server -file certificate_name.cer

    For example:

    keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias vsskey  -file myserver.cer
  2. On the Sentinel server, copy the certificate file to the tmp folder.

  3. To import the certificate, run the following command:

    /usr/bin/certutil -A -d /etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n "name_of_Secure_Configuration_Manager_server" -i /tmp/certificate_name.cer
  4. When prompted, enter the password for the server.

  5. Restart the Sentinel server.

17.1.2 Secure Configuration Manager is in FIPS Mode

When Secure Configuration Manager is in FIPS mode, it uses an NSS provider. You need to import the Sentinel certificate to the Secure Configuration Manager NSS database.

  1. To export the Sentinel web server certificate, enter the following command:

    /opt/novell/sentinel/jre/bin/keytool -export -keystore .webserverkeystore.jks -alias webserver -file 200.cer
  2. To import the certificate to the Secure Configuration Manager server, enter the following command:

    certutil.exe -A -d c:\SCMNSS\etc -i "c:\200.cer" -n webserver  -t "CT,CT,CT"
  3. Restart NetIQ Core Services.

17.1.3 Both Secure Configuration Manager and Sentinel are in FIPS Mode

If Sentinel and Secure Configuration Manager are both in FIPS mode, each uses an NSS provider. You need to add each application’s certificate to the other application’s NSS keystore.

Use keytool to export the certificates. Keytool is located by default in the C:\Program Files (x86)\NetIQ\Secure Configuration Manager\Core Services\jre\bin folder.

Add the Certificate to Sentinel

  1. Log in to the Secure Configuration Manager server.

  2. To export the certificate from the NSS store, enter the following command:

    c:\Program Files\NetIQ\Secure Configuration Manager\Core Services\jre\bin>keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias vsskey -file alias_of_keystore_server.cer

    For example:

    c:\Program Files\NetIQ\Secure Configuration Manager\Core Services\jre\bin>keytool.exe -export -keystore ..\..\etc\vssl.keystore -alias vsskey -file myserver.cer
  3. Enter the password or PIN for the NSS FIPS certificate database.

    You can also specify the credentials in the nss/keystore/password field in the Advanced tab of the Core Services Configuration Utility.

  4. On the Sentinel server, copy the certificate file to the tmp folder.

  5. To import the certificate, run the following command:

    /usr/bin/certutil -A -d /etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n "alias_of_Secure_Configuration_Manager_server" -i /tmp/certificate_name.cer

    For example:

    /usr/bin/certutil -A -d /etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n "vsskey" -i /tmp/SCMserver.cer
  6. To set the trust flags on Sentinel, enter the following command:

    certutil -M -n server_name -t "CT,C,C" -d /etc/opt/novell/sentinel/3rdparty/nss/
  7. Restart the Sentinel server.
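
After steps 5 and 6, the import can be confirmed before the restart by listing the NSS database and checking the nickname and trust attributes. The following is an added example, not part of the product documentation: a POSIX shell check that parses `certutil -L` output; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): read `certutil -L` output on stdin and
# confirm a nickname is present with the intended trust attributes.

# Print the trust attributes recorded for nickname $1; nothing if absent.
nss_trust_of() {
    awk -v nick="$1" '
        # Data rows end in three comma-separated flag groups, e.g. CT,C,C
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)  # drop the flags column
            sub(/^[ \t]+/, "", line)               # drop leading blanks
            if (line == nick) { print flags; exit }
        }'
}

# Return 0 if nickname $1 carries exactly flags $2, 1 on mismatch, 2 if absent.
# Exact string comparison: pass the flags as certutil prints them.
check_nss_trust() {
    actual=$(nss_trust_of "$1")
    if [ -z "$actual" ]; then
        echo "MISSING: $1 is not in the database" >&2
        return 2
    fi
    if [ "$actual" != "$2" ]; then
        echo "MISMATCH: $1 has $actual, expected $2" >&2
        return 1
    fi
    echo "OK: $1 $actual"
}

# Constructed sample of a `certutil -L` listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vsskey                                                       CT,C,C
Old Test CA                                                  CT,CT,CT
EOF
}

# Demo on the constructed listing; on a real host pipe in the output of
#   /usr/bin/certutil -L -d /etc/opt/novell/sentinel/3rdparty/nss
sample_listing | check_nss_trust vsskey "CT,C,C"
```

A non-zero return means the nickname is missing or still carries flags other than the ones set in step 6, which is worth resolving before restarting Sentinel.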

Add the Certificate to Secure Configuration Manager

  1. Log in to the Sentinel server.

  2. To export the certificate from the NSS store, enter the following command:

    ./keytool -export -keystore .webserverkeystore.jks -alias webserver -file webserver.cer
  3. On the Secure Configuration Manager server, import the certificate with the following command:

    c:\Program Files\NetIQ\Secure Configuration Manager\Core Services\bin>certutil.exe -A -d c:\SCMNSS\etc -i "webserver.cer" -n webserver -t "CT,CT,CT"
  4. To set the certificate flag, enter the following command:

    certutil -M -n webserver -t "CT,CT,CT" -d c:\SCMNSS\etc
  5. Restart NetIQ Core Services.