7.7.2. Configuring a DRM, OCSP, or TKS with an HSM in FIPS Mode

  1. Set up the HSM, as described in Section 6.3.9.2, “Using Hardware Security Modules with Subsystems” and the vendor documentation.
  2. Install and configure the instance, as described in Section 7.6.4, “Setting up DRMs, OCSPs, and TKSs”.
  3. Stop the instance. The instance must be stopped to protect the information stored in its security databases.
    service instance_name stop
  4. Replace the SSL subsystem certificate. By default, the installation process puts the certificate on the hardware token, but it should be placed on the software FIPS token.
    1. Open the instance's security database directory.
      cd /var/lib/instance_name/alias
    2. Using certutil, create a request for a new SSL server certificate.
      certutil -d . -R -s "CN=server.example.com,OU=instance_name,O=Example Domain instance_name" -o sslfips.req -h "NSS Certificate DB" -a
    3. Open the end entities pages for the CA (https://server.example.com:9444/ca/ee/ca), and use the SSL Server Cert Profile to submit the request.
    4. Log into the agent pages (https://server.example.com:9443/ca/agent/ca), and approve the request.
    5. Copy the base-64 encoded certificate from the approval page and save it to a file, such as sslfips.cert.
    6. Check the instance's certificate database to see if an SSL server certificate is already listed.
      certutil -d /var/lib/instance_name/alias -L
    7. If the certificate exists, then delete it.
      certutil -d /var/lib/instance_name/alias -D -n "ServerCert nickname"
    8. Import the new SSL server certificate.
      certutil -d /var/lib/instance_name/alias -A -t "u,u,u" -n "ServerCert server.example.com - Example Domain instance_name" -i sslfips.cert -a
    9. Edit the /var/lib/instance_name/conf/serverCertNick.conf file to contain the nickname of the new certificate, such as ServerCert server.example.com - Example Domain instance_name.
    10. Edit the CS.cfg file to replace both references to the SSL server certificate nickname.
      vim /var/lib/instance_name/conf/CS.cfg
      
      type.cert.sslserver.nickname= ServerCert server.example.com - Example Domain instance_name
      type.sslserver.nickname= ServerCert server.example.com - Example Domain instance_name
    11. Edit the server.xml file to enable FIPS mode for each SSL-enabled connector. Set strictCiphers to true and add or set ssl3 to false. For example:
      vim /var/lib/instance_name/conf/server.xml
      
      <Connector name="Agent" port="11443" maxHttpHeaderSize="8192"
              ...
              ...
              sslOptions="ssl2=false,ssl3=false,tls=true"
              strictCiphers="true"
              ...
      >
    12. Enable FIPS mode in the NSS software database.
      modutil -dbdir /var/lib/instance_name/alias -fips true
    13. Verify that FIPS mode has been enabled. The command will return the current FIPS status.
      modutil -dbdir /var/lib/instance_name/alias -chkfips true
          
      FIPS mode enabled.
    14. Start the instance.
      service instance_name start
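Before restarting the instance, the nickname and connector edits from steps 9 through 11 can be checked mechanically. The script below is an added example, not part of the original guide; it builds constructed stand-ins for CS.cfg, serverCertNick.conf and server.xml in temporary directories and audits them, so the paths, file contents and the stale "bad" nickname are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the files the procedure
# above edits before restarting the instance. Paths and contents are constructed
# stand-ins for /var/lib/instance_name/conf/{CS.cfg,serverCertNick.conf,server.xml}.

# Write a constructed conf directory; "good" mimics the finished procedure,
# "bad" leaves a stale nickname in CS.cfg and ssl3 enabled on one connector.
make_conf() {    # $1 = directory, $2 = good|bad
    mkdir -p "$1"
    nick='ServerCert server.example.com - Example Domain instance_name'
    printf '%s\n' "$nick" > "$1/serverCertNick.conf"
    ssl3=false
    if [ "$2" = bad ]; then nick='stale-hsm-nickname'; ssl3=true; fi   # constructed
    printf 'type.cert.sslserver.nickname=%s\ntype.sslserver.nickname=%s\n' \
        "$nick" "$nick" > "$1/CS.cfg"
    cat > "$1/server.xml" <<EOF
<Connector name="Agent" port="11443" sslOptions="ssl2=false,ssl3=${ssl3},tls=true" strictCiphers="true" />
<Connector name="EE" port="11444" sslOptions="ssl2=false,ssl3=false,tls=true" strictCiphers="true" />
EOF
}

# Return 0 when every check passes, 1 otherwise, printing each finding.
check_fips_config() {    # $1 = conf directory
    dir=$1; rc=0
    want=$(cat "$dir/serverCertNick.conf")
    # Steps 9-10: both CS.cfg nickname keys must match serverCertNick.conf.
    for key in type.cert.sslserver.nickname type.sslserver.nickname; do
        got=$(sed -n "s/^$key= *//p" "$dir/CS.cfg")
        [ "$got" = "$want" ] || { echo "MISMATCH $key='$got'"; rc=1; }
    done
    # Step 11: every SSL connector needs ssl3=false and strictCiphers="true".
    total=$(grep -c '<Connector' "$dir/server.xml" || true)
    ok=$(grep '<Connector' "$dir/server.xml" | grep 'strictCiphers="true"' \
         | grep -c 'ssl3=false' || true)
    [ "$total" -gt 0 ] && [ "$ok" -eq "$total" ] \
        || { echo "CONNECTORS only $ok of $total are FIPS-ready"; rc=1; }
    return $rc
}

# Stand-alone demonstration on two constructed directories.
good=$(mktemp -d); bad=$(mktemp -d)
make_conf "$good" good; make_conf "$bad" bad
check_fips_config "$good" && echo "good conf: FIPS-ready"
check_fips_config "$bad"  || echo "bad conf: NOT FIPS-ready"
rm -rf "$good" "$bad"
```

Run it against the real conf directory by calling check_fips_config /var/lib/instance_name/conf once the instance is stopped; a non-zero exit means step 9, 10 or 11 is still incomplete.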