IBM Software Group © 2009 IBM Corporation IBM Tivoli Provisioning Manager FIPS Enablement.


1 IBM Software Group © 2009 IBM Corporation IBM Tivoli Provisioning Manager 7.1.1 FIPS 140-2 Enablement

2 IBM Software Group | Tivoli software © 2009 IBM Corporation Tivoli Provisioning Manager 7.1.1
Topics
• Feature Objective (Problems Solved)
• Feature Overview
• Common Use Cases

3 TPM 7.1.1 FIPS 140-2 Enablement Objective
– Enable TPM to comply with the security standards defined by US Federal Information Processing Standard 140-2 (FIPS 140-2).

4 Topics
• Feature Objective (Problems Solved)
• Feature Overview
• Common Use Cases

5 FIPS Enablement in TPM 7.1.1: Cryptographic Module
• The cryptographic module is supported through the FIPS compliant base JVM 1.5
• Installed by: TPM
• Enablement: Automatically by the TPM installer when a FIPS-based install is selected
[Diagram, repeated on slides 5 to 8. Labels: Endpoint with agent; Crypto Module; Service Access Point (SAP); JVM 1.5 (FIPS 140-2); FIPS compliant encrypted credentials; TCA; Deployment Engine; Agent Shell Server; FIPS compliant SSL; CAS, DMS, CDS MC; Agentless Endpoint (Unix, Windows); RXA; Non FIPS Compliant SMB; FIPS Compliant SSH; Windows: Cygwin; Non FIPS Compliant SSH (OpenSSH)]

6 FIPS Enablement in TPM 7.1.1: SSL
• SSL support is provided by the Common Agent Services and associated components
• Installed by: TPM (CAS)
• Enablement: Automatically by the TPM installer when a FIPS-based install is selected

7 FIPS Enablement in TPM 7.1.1: SSH
• SSH support is provided by either Cygwin (Windows) or OpenSSH (UNIX)
• Installed by: Customer
• Enablement: NOT done by the TPM installer
– SSH code altered and compiled by customer
– http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf

8 FIPS Enablement in TPM 7.1.1: Browser
• Client/browser enablement to use TLS instead of SSL
• Installed by: Customer
• Enablement: NOT done by the TPM installer
– Client enablement required

9 Overview: Limitations
1. TPM 7.1.1 FIPS enablement requires a new install with no migration support from a prior server.
2. The SMB provided by RXA is not FIPS compliant.
• RXA with the SMB protocol is used for the discovery operations for Windows. In other words, RXA SMB will still be available in the TPM environment even though FIPS mode is enabled.
3. TPMfOSD will not be FIPS compliant in TPM 7.1.1.
4. ITM agent and ITM server SSL communication will not be FIPS compliant in TPM 7.1.1.

10 Topics
• Feature Objective (Problems Solved)
• Feature Overview
• Common Use Cases

11 TPM 7.1.1 FIPS 140-2 Enablement Use Cases
– Once FIPS is enabled, all relevant cryptography and communications will be FIPS 140-2 compliant. From a use case point of view, this is transparent.


13 FIPS 140-2 Background
The US Federal Information Processing Standard 140-2 (FIPS 140-2) is a cryptographic function validation program defining security standards for cryptographic modules used in IT software. SWG offerings with cryptographic function must meet this certification and compliance requirement so that they can be marketed to the federal sector, which has been identified by IBM as a hyper-growth market space. To achieve this, SWG requires its offerings with cryptographic function to use specific SWG cryptographic modules which have been FIPS 140-2 certified. IBM provides two main strategic FIPS 140 cryptographic software providers to be used by IBM products, namely Java Cryptographic Extension (IBMJCEFIPS) and IBM Crypto for C (ICC). The providers are certified with FIPS 140-2 by NIST: http://csrc.nist.gov/cryptval/140-1/1401val2004.htm.

14 Overview: Official Customer Support Statement
TPM 7.1.1 FIPS compliance support consists of:
1. Centralized cryptographic module using FIPS 140-2 compliant providers
2. FIPS 140-2 cryptographic services for credentials in Service Access Point
3. FIPS compliant SSL from Agent Shell Server to TCA
4. FIPS compliant SSL from TCA to CAS, DMS, and DCS MC
5. FIPS compliant SSH between RXA and Unix
6. Limitation: the SMB provided by RXA is not FIPS compliant
7. Limitation: the OpenSSH that comes with Cygwin on Windows is not FIPS compliant
RXA with the SMB protocol is used for the discovery operations for Windows. In other words, RXA SMB will still be available in the TPM environment even when FIPS mode is enabled.
For the OpenSSH shipped with Cygwin, the customer is required to install and configure another FIPS compliant SSH product instead of using OpenSSH with Cygwin.
Components excluded from FIPS compliance:
– TPMfOSD will not be FIPS compliant in TPM 7.1.1.
– ITM agent and ITM server SSL communication
TPM 7.1.1 FIPS compliance mode is supported only via fresh installation. No FIPS migration from 5.1.1.2 or TPM 7.1 to TPM 7.1.1. Only non-FIPS mode is supported for migration. In addition, FIPS configuration is performed as part of the TPM 7.1.1 installation; it will not be performed as a post-installation step.

