Workaround to use FIPS mode in Sentinel 7.1.2.0 and 7.2.0.0 on RHEL

  • 7014980
  • 29-Apr-2014
  • 21-Nov-2014

Environment

Sentinel 7.1.2.0
Sentinel 7.2.0.0
Red Hat Enterprise Linux
FIPS

Situation

Connection issues when using FIPS with 7.1.2.0 and 7.2.0.0.
Connection issues with Security Manager in FIPS mode.
Connection issues with Sentinel Agent Manager in FIPS mode.
Possible connection issues with other Sentinel clients in FIPS mode.

Resolution

Until the underlying communication issue between Oracle Java and Red Hat Enterprise Linux running in FIPS mode is resolved, the best workaround is to downgrade the Java version to Java 1.7 update 45. This allows Sentinel to run seamlessly in FIPS mode.

Steps to downgrade the Java version on the Sentinel server:

1) Stop Sentinel.

2) mv $ESEC_HOME/jre $ESEC_HOME/jre_u51

3) Download JDK version 7 Update 45 and copy the extracted JRE to $ESEC_HOME/jre:

    ( 3a ) Download "jdk-7u45-linux-x64.tar.gz" from http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u45-oth-JPR

    ( 3b ) Extract "jdk-7u45-linux-x64.tar.gz" into $ESEC_HOME and move the "jdk1.7.0_45/jre" directory to "$ESEC_HOME/jre" by running:
cd <directory where jdk-7u45-linux-x64.tar.gz was downloaded>
tar -C $ESEC_HOME -zxvf jdk-7u45-linux-x64.tar.gz jdk1.7.0_45/jre
mv $ESEC_HOME/jdk1.7.0_45/jre/ $ESEC_HOME/jre

    ( 3c ) Copy the following files from jre_u51 into the newly created jre directory by running:

cp -a $ESEC_HOME/jre_u51/jvm $ESEC_HOME/jre
cp -a $ESEC_HOME/jre_u51/lib/fonts/arialuni.ttf $ESEC_HOME/jre/lib/fonts/

    ( 3d ) Set the owner and group of the newly created jre directory to the novell user and remove access for group and others by running:

chown -R novell:novell $ESEC_HOME/jre
chmod go-rwx $ESEC_HOME/jre -R

4) Start Sentinel.

5) Verify in $ESEC_LOG_HOME/log/server0.0.log that the new JRE version (1.7.0_45) is being used.
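The procedure above as a single sanity-checked script (an added example, not part of the TID): it assumes ESEC_HOME is set as on a Sentinel server, that the step 3a tarball sits in the current directory, that Sentinel has already been stopped, and that `java -version` prints Oracle's `java version "..."` first line; the version parser doubles as the check behind step 5.

```shell
# Added example, not from the original TID: the JRE swap of steps 2-3d with
# sanity checks, plus a parser for step 5's version check. Assumes ESEC_HOME
# is set as on a Sentinel server and the step 3a tarball is in the current
# directory. Stop Sentinel (step 1) before running with --run.
TARBALL="${TARBALL:-jdk-7u45-linux-x64.tar.gz}"   # name from step 3a
EXPECTED_VERSION="1.7.0_45"                         # workaround target
AFFECTED_VERSION="1.7.0_51"                         # bundled JRE with the FIPS issue

# Extract the version from the first line of `java -version` output,
# e.g. java version "1.7.0_45" -> 1.7.0_45 (prints nothing if unparsable).
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p'
}

# 0 = expected 1.7.0_45, 1 = still the affected 1.7.0_51 (or other), 2 = unparsable.
jre_version_ok() {
    ver=$(java_version_from_output "$1")
    [ -n "$ver" ] || return 2
    [ "$ver" != "$AFFECTED_VERSION" ] || return 1
    [ "$ver" = "$EXPECTED_VERSION" ]
}

swap_jre() {
    [ -n "$ESEC_HOME" ] || { echo "ESEC_HOME is not set" >&2; return 1; }
    [ -f "$TARBALL" ] || { echo "$TARBALL not found in $(pwd)" >&2; return 1; }
    # Step 2 moves the old JRE aside once; never overwrite an existing backup.
    [ ! -e "$ESEC_HOME/jre_u51" ] || { echo "jre_u51 already exists" >&2; return 1; }
    mv "$ESEC_HOME/jre" "$ESEC_HOME/jre_u51"                        # step 2
    tar -C "$ESEC_HOME" -zxf "$TARBALL" jdk1.7.0_45/jre              # step 3b
    mv "$ESEC_HOME/jdk1.7.0_45/jre" "$ESEC_HOME/jre"
    rmdir "$ESEC_HOME/jdk1.7.0_45"                                   # cleanup (not in the TID)
    cp -a "$ESEC_HOME/jre_u51/jvm" "$ESEC_HOME/jre"                  # step 3c
    cp -a "$ESEC_HOME/jre_u51/lib/fonts/arialuni.ttf" "$ESEC_HOME/jre/lib/fonts/"
    chown -R novell:novell "$ESEC_HOME/jre"                          # step 3d
    chmod -R go-rwx "$ESEC_HOME/jre"
    # Step 5 checked directly against the new binary, before Sentinel is started.
    out=$("$ESEC_HOME/jre/bin/java" -version 2>&1 | head -n 1)
    jre_version_ok "$out" || { echo "unexpected JRE: $out" >&2; return 1; }
    echo "JRE swapped: $out"
}

# Perform the swap only when explicitly requested; sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then swap_jre; fi
```

Run it as `sh swap_jre.sh --run` from the download directory after stopping Sentinel; the log check in step 5 still confirms the version the running server actually loaded.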

Cause

Sentinel 7.1.2 and 7.2.0.0 include Oracle Java 1.7 update 51, which has a known issue with the RSA client key exchange in FIPS mode (http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html). This causes connection problems when Sentinel is running in FIPS mode and attempting to accept connections from clients such as Security Manager and Sentinel Agent Manager.

Additional Information

To connect seamlessly with the Sentinel Agent Manager Connector to the above-mentioned Sentinel versions under FIPS, download and use Sentinel Agent Manager Connector version 2011.1r3 from https://support.novell.com/products/sentinel/secure/sentinelplugins.html