Workaround to use FIPS mode in Sentinel and on RHEL

  • 7014980
  • 29-Apr-2014
  • 21-Nov-2014


Red Hat Enterprise Linux


Connection issues when using FIPS with and
Connection issues with Security Manager in FIPS mode.
Connection issues with Sentinel Agent Manager in FIPS mode.
Possible connection issues with other Sentinel clients in FIPS mode.


Until the underlying communication issue with Oracle Java and Red Hat Enterprise Linux running in FIPS mode is resolved the best workaround is to downgrade the Java version to Java 1.7 update 45.  This allows Sentinel to run seamlessly in FIPS mode.  

Steps to downgrade the java version of the Sentinel server.

1) Stop sentinel
2) mv $ESEC_HOME/jre $ESEC_HOME/jre_u51
3) Download JDK version 7 Update 45 and copy the extracted JRE to $ESEC_HOME/jre
    ( 3a ) Download "jdk-7u45-linux-x64.tar.gz" from
    ( 3b ) Extract "jdk-7u45-linux-x64.tar.gz" into $ESEC_HOME and move "jdk1.7.0_45/jre" directory as "$ESEC_HOME/jre" by running:
cd <to the directory where jdk-7u45-linux-x64.tar.gz is downloaded
tar -C $ESEC_HOME -zxvf jdk-7u45-linux-x64-tar.gz jdk1.7.0_45/jre
mv $ESEC_HOME/jdk1.7.0_45/jre/ $ESEC_HOME/jre

    ( 3d ) Copy certain files from jre_u51 to the newly created jre directory by running:

cp -a $ESEC_HOME/jre_u51/jvm $ESEC_HOME/jre
cp -a $ESEC_HOME/jre_u51/lib/fonts/arialuni.ttf $ESEC_HOME/jre/lib/fonts/

    ( 3d ) Set the owner, group and other file permissions for the newly created jre directory to novell user by running:
chown -R novell:novell $ESEC_HOME/jre 
chmod go-rwx $ESEC_HOME/jre -R
4) Start sentinel
5) Verify in $ESEC_LOG_HOME/log/server0.0.log whether the new JRE version is used.


Sentinel 7.1.2 and include Oracle Java 1.7 update 51, which has a known issue related to RSA client key exchange in FIPS mode ( This causes connection problems when Sentinel is running in FIPS mode and attempting to receive connections from clients like Security manager and Sentinel Agent Manager.

Additional Information

To be able to seamlessly connect using Sentinel Agent Manager Connector with the above mentioned Sentinel versions under FIPS, please download and use Sentinel Agent Manager connector version 2011.1r3 from