FIPS Compatibility

This page documents specific steps on specific Operating Systems to enable FIPS support which is available from Opsview Monitor 6.5.4.

RHEL 8 Java

While the rest of the Opsview system will happily work on a FIPS enabled server running RedHat Enterprise Linux 8 (RHEL 8), the Opsview Reporting Module requires a Java Runtime configured to not run in FIPS mode due to the incompatibility with FIPS standards that the keystore algorithm (JCEKS) Jasperserver uses.

There are two workarounds to this issue:

  1. Install a new JRE just for Opsview to run in a non-FIPS compliant mode. This will allow any other Java applications on the system to continue running in FIPS mode while allowing the Reporting Module to run.
  2. Configure the currently installed JRE on the Orchestrator machine to run in a non-FIPS compliant mode. This will have the side effect of allowing non-FIPS compliant Java applications on the system.

Note that if there is no Java runtime located on the orchestrator machine, one of the workarounds must be performed so that the Reporting Module has a valid Java installation to use.

To install an Opsview specific Java (Recommended)

Note: these instructions will need to be modified if a later version of the JRE is released

  1. Get the URL of the latest 1.8 OpenJDK release from Red Hat.
933933

Screenshot of the RedHat OpenJDK Download Page

  1. Download the OpenJDK tarball from the above site and transfer it to the Orchestrator host
scp java-1.8.0-openjdk-<version>.portable.jre.el.x86_64.tar.xz orchestrator-hostname:/tmp/
  1. Create the Opsview Java directory
mkdir /opt/opsview/java
  1. Extract the OpenJDK tarball in the newly created Java directory
tar -xf /tmp/java-1.8.0-openjdk-<version>.portable.jre.el.x86_64.tar.xz -C /opt/opsview/java --strip 1
  1. Set security.useSystemPropertiesFile to false in the new Java installation’s java.security file
sed -i.bk "s/^security.useSystemPropertiesFile=true/security.useSystemPropertiesFile=false/g" /opt/opsview/java/lib/security/java.security
  1. Run the check_deploy playbook to ensure that Java is now correctly configured.

Please note that this Java install is currently not managed by Opsview in any way. This means that any security updates will have to be manually installed by rerunning the manual steps listed above.

To configure the System Java to run in in a FIPS non-compliant mode

  1. Run the check_deploy playbook in Opsview Deploy. This will detect the Java runtime that Jasper server will choose to use and raise an alarm if it is not configured as needed.
cd /opt/opsview/deploy/
./bin/opsview-deploy ./lib/playbooks/check-deploy.yml 

....

REQUIRED ACTION RECAP ********************************************************************

[HIGH -> rm-op-44104-rhel8-2-orch] Security flag is set to 'true' on system Java
  | A system Java Runtime (JRE) installation has been located at
  | /usr/lib/jvm/jre-1.8.0-openjdk, but the security flag 'security.useSystemPropertiesFile'
  | is currently set to 'true'.
  | 
  | In order to use the Opsview Reporting module on RedHat 8 with FIPS mode enabled,
  | this flag must either be set to false or an alternative Java installation
  | installed for Opsview's usage.
  | 
  | For more information and instructions, see:
  | https://knowledge.opsview.com/docs/
  1. Edit the configuration file in the specified Java directory. The following sed command creates a backup named java.security.bk.
# In this example, the Java directory is '/usr/lib/jvm/jre-1.8.0-openjdk' as specified by the Deploy in the `REQUIRED ACTION RECAP` output
cd /usr/lib/jvm/jre-1.8.0-openjdk/
sed -i.bk "s/^security.useSystemPropertiesFile=true/security.useSystemPropertiesFile=false/g" lib/security/java.security
  1. Rerun the check_deploy playbook as per step 1 to ensure that Java is now correctly configured.

RHEL 8 Opsview-Agent (NRPE) ciphers

The default anonymous ciphers configured on the Orchestrator and used to communicate with opsview-agent on monitored devices need to be replaced with higher security ones in order for check_nrpe based checks to work in a RHEL8 FIPS environment. The easiest way to accomplish this is to replace the ciphers listed in the NRPE_CIPHERS global variable (Menu => Configuration => Advanced => Variables) with AECDH-AES256-SHA:AECDH-AES128-SHA and run an Apply Changes.

Customers need to ensure that the opsview-agent on the monitored hosts allows this new cipher configuration (see Opsview Agent Security for more details) - they will work with all recent versions of the opsview-agent (v6.0.0 and newer) using the default configuration. This change is not necessary if customers already use authenticated ciphers exclusively.

The need for this change is brought about by the tighter security standards enforced by RHEL8 FIPS ( see Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms - Red Hat Customer Portal ). These new ciphers make use of Elliptic-Curve Cryptography (ECC) which provides enhanced security as well as improved performance.