7.7.3. Configuring a TPS with an HSM in FIPS Mode

  1. Set up the HSM, as described in Section 6.3.9.2, “Using Hardware Security Modules with Subsystems” and the vendor documentation.
  2. Install and configure the TPS, as described in Section 7.6.5, “Setting up TPSs”.
  3. Stop the TPS. The instance must be stopped to protect the information stored in its security databases.
    service pki-tps stop
  4. Replace the SSL subsystem certificate. By default, the installation process puts the certificate on the hardware token, but it should be placed on the software FIPS token.
    1. Open the instance's security database directory.
      cd /var/lib/pki-tps/alias
    2. Using certutil, create a request for a new SSL server certificate.
      certutil -d . -R -s "CN=tps.example.com,OU=pki-tps,O=Example Domain pki-tps" -o sslfips.req -h "NSS Certificate DB" -a
    3. Open the end entities pages for the CA (https://server.example.com:9444/ca/ee/ca), and use the SSL Server Cert Profile to submit the request.
    4. Log into the agent pages (https://server.example.com:9443/ca/agent/ca), and approve the request.
    5. Copy the base 64-encoded certificate on the approval page and save it to a file, such as sslfips.cert.
    6. Check the instance's certificate database to see if an SSL server certificate is already listed.
      certutil -d /var/lib/pki-tps/alias -L
    7. If the certificate exists, then delete it.
      certutil -d /var/lib/pki-tps/alias -D -n "ServerCert nickname"
    8. Import the new SSL server certificate.
      certutil -d /var/lib/pki-tps/alias -A -t "u,u,u" -n "ServerCert tps.example.com - Example Domain pki-tps" -i sslfips.cert -a
    9. Edit the /var/lib/pki-tps/conf/serverCertNick.conf file to contain the nickname of the new certificate, such as ServerCert tps.example.com - Example Domain pki-tps.
    10. Edit the CS.cfg file to replace both references to the SSL server certificate nickname.
      vim /var/lib/pki-tps/conf/CS/cfg
      
      tps.cert.sslserver.nickname= ServerCert server.example.com - Example Domain pki-tps
      tps.sslserver.nickname= ServerCert server.example.com - Example Domain pki-tps
  5. The nss.conf file for the TPS contains a list of virtual servers for the different SSL listening ports for the TPS. Every SSL port must be configured to run under FIPS:
    1. Turn on FIPS.
      #   FIPS Switch:
      #   Enable/Disable FIPS mode
      NSSFIPS on
    2. Uncomment the FIPS cipher suite directive and comment out the standard directive.
      #   SSL Cipher Suite:
      #   List the ciphers that the client is permitted to negotiate.
      #   See the mod_nss documentation for a complete list.
      
      #NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
      
      #   SSL cipher suite in FIPS mode:
      NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
    3. For each SSL virtual host, turn off the setting to enforce valid certificates:
      NSSEnforceValidCerts off
  6. Add or edit the line for the NSS FIPS database to the TPS's password.conf file.
    vim /var/lib/pki-tps/conf/password.conf
    
    NSS FIPS 140-2 Certificate DB:mypassword
  7. Enable FIPS mode in the NSS software database.
    modutil -dbdir /var/lib/pki-tps/alias -fips true
  8. Verify that FIPS mode has been enabled. The command will return the current FIPS status.
    modutil -dbdir /var/lib/pki-tps/alias modutil -dbdir . -chkfips true
        
    FIPS mode enabled.
  9. Start the TPS.
    service pki-tps start

    NOTE

    Hit the enter key to complete the startup process or the TPS will not start.