7018187: SAM connector Not Working in FIPS mode

This document (7018187) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Sentinel 7.4 Agent Manager Connector

Situation

When the Sentinel server is converted to run in FIPS mode, the existing default certificate of the SAM Connector is disabled and the SAM Connector uses the Sentinel server certificate stored in the NSS keystore database.

In FIPS mode, all components of the Sentinel server (Collector Manager, Correlation Engine, all Connectors, and so on) use the single certificate held in the NSS keystore database, which is the webserver certificate.

Because the webserver certificate does not carry the Subject Alternative Name (SAN) certificate extension, the Unix Agents fail to communicate with the SAM Connector whenever the IP address or host name configured in the Unix Agent differs from the Subject name of the webserver certificate. If the Subject name of the webserver certificate contains the host name, the Unix Agent can reach the Sentinel (SAM Connector) server only by that host name.

Resolution

1. Stop the Sentinel service:

rcsentinel stop

2. Generate a key pair with the alias webserver in a JKS format keystore using the following command:
keytool -genkey -dname <distinguished_name> -alias webserver -validity <validity_period_in_days> -storetype JKS -keystore <keystore_name> -storepass <keystore_password> -keypass <key_password> -keyalg RSA -ext san=dns:<host_name>,ip:<ip_address>

The SAN must list every host name and IP address that the Unix Agents use to reach the SAM Connector.

Example:
keytool -genkey -dname "cn=sentinel-server.acme.com, o=acme" -alias webserver -validity 365 -storetype JKS -keystore sam_connector.jks -storepass password -keypass password -keyalg RSA -ext san=dns:sentinel-server.acme.com,ip:1.2.3.4

3. Convert the key pair from JKS format to PKCS12 format:
keytool -noprompt -importkeystore -srcstorepass <source_keystore_password> -deststorepass <destination_keystore_password> -srckeystore sam_connector.jks -srcalias webserver -destkeystore <destination_keystore_name> -deststoretype PKCS12

Note: You must use the same password that you used in Step 2.

Example:
keytool -noprompt -importkeystore -srcstorepass password -deststorepass password -srckeystore sam_connector.jks -srcalias webserver -destkeystore sam_connector.p12 -deststoretype PKCS12

4. Delete the webserver key pair from the Sentinel FIPS keystore database:
certutil -F -n "webserver" -d <FIPS_keystore_database_path>

Example:
certutil -F -n "webserver" -d /etc/opt/novell/sentinel/3rdparty/nss

5. Insert the key pair from the PKCS12 keystore (created in Step 3) into the Sentinel FIPS keystore database:
pk12util -d <FIPS_keystore_database_path> -i <p12_keystore_name> -W <p12_keystore_password> -K <FIPS_keystore_database_password> -n webserver

Note: The argument to -W must be the same as the argument to -deststorepass in Step 3.
The argument to -K is the current password for the Sentinel FIPS keystore database that you chose when you set up FIPS mode.

Example:
pk12util -d "/etc/opt/novell/sentinel/3rdparty/nss" -i sam_connector.p12 -W password -K Novell@123 -n webserver

Note: Ensure that the files under the /etc/opt/novell/sentinel/3rdparty/nss directory are owned by novell:novell and are readable by all users.
To set ownership, execute the following command: chown -R novell:novell "/etc/opt/novell/sentinel/3rdparty/nss"
To set read permissions for all users, execute the following command: chmod -R a+r "/etc/opt/novell/sentinel/3rdparty/nss"

6. Start the Sentinel server service:

rcsentinel start
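
The six steps above as one script, added here as an example and not taken from the TID or from NetIQ: the SAN is assembled from every host name and IP address the Unix Agents use, and a post-check prints the SAN now held in the NSS database so it can be compared with the agent configuration. It assumes keytool, certutil, pk12util, rcsentinel and openssl 1.1.1 or later are on PATH, that it runs as root, and that the function names (build_san, rotate_webserver_cert) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the TID: runs steps 1-6 above with the SAN built from
# every name and address the Unix Agents connect to, then prints the installed SAN.
# Assumes keytool, certutil, pk12util, rcsentinel and openssl (1.1.1+) are on PATH.
set -eu
NSS_DIR=/etc/opt/novell/sentinel/3rdparty/nss   # FIPS keystore database path from the TID

# Turn "sentinel-server.acme.com,1.2.3.4" into the keytool -ext value
# "dns:sentinel-server.acme.com,ip:1.2.3.4": dotted digit groups become ip:
# entries, anything with other characters becomes a dns: entry; a bare number fails.
build_san() {
    san=""
    oldifs=$IFS; IFS=','; set -- $1; IFS=$oldifs    # split the list on commas
    for entry in "$@"; do
        case $entry in
            '') continue ;;                           # tolerate "a,,b"
            *[!0-9.]*) kind=dns ;;                    # has a letter or '-': host name
            *.*.*.*) kind=ip ;;                       # digits and at least three dots: IPv4
            *) return 1 ;;                            # e.g. "12345": neither, reject
        esac
        san="${san:+$san,}$kind:$entry"
    done
    printf '%s\n' "$san"
}

# Steps 2-5: new webserver key pair with a SAN, converted to PKCS12 and swapped
# into the FIPS NSS database. $1 = DN, $2 = hosts/IPs, $3 = keystore and key
# password (same in every step, as the TID requires), $4 = NSS database password.
rotate_webserver_cert() {
    dn=$1; san=$(build_san "$2"); pass=$3; nsspass=$4   # a bad SAN list aborts here (set -e)
    keytool -genkey -dname "$dn" -alias webserver -validity 365 -storetype JKS -keystore sam_connector.jks \
        -storepass "$pass" -keypass "$pass" -keyalg RSA -ext "san=$san"
    keytool -noprompt -importkeystore -srcstorepass "$pass" -deststorepass "$pass" -srckeystore sam_connector.jks \
        -srcalias webserver -destkeystore sam_connector.p12 -deststoretype PKCS12
    certutil -F -n webserver -d "$NSS_DIR"             # drop the old SAN-less key pair
    pk12util -d "$NSS_DIR" -i sam_connector.p12 -W "$pass" -K "$nsspass" -n webserver
    chown -R novell:novell "$NSS_DIR"; chmod -R a+r "$NSS_DIR"
}

# Usage: sh rotate_sam_cert.sh "cn=sentinel-server.acme.com, o=acme" sentinel-server.acme.com,1.2.3.4 <keystore_pw> <nss_db_pw>
# With fewer than four arguments only the functions are defined.
if [ "$#" -eq 4 ]; then
    rcsentinel stop                                     # step 1
    rotate_webserver_cert "$@"                          # steps 2-5
    rcsentinel start                                    # step 6
    # Post-check: the SAN now in the database must list what the agents use.
    certutil -L -n webserver -d "$NSS_DIR" -a | openssl x509 -noout -ext subjectAltName
fi
```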

Cause

Unix Agents fail to communicate with the SAM Connector when the IP address or host name used in the Unix Agent differs from the Subject name of the webserver certificate, which carries no Subject Alternative Name extension.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
