Enable FIPS in a new deployment

This section describes how to enable FIPS in a new Web Help Desk 12.7.3 deployment. In this deployment, Web Help Desk is installed on a host server for the first time.

All cryptographic modules incorporated in Web Help Desk 12.6 and later are FIPS 140-2 compliant.

Task 1: Review the requirements

Verify that your Web Help Desk deployment meets all component requirements for enabling FIPS 140-2 compliant cryptography.

Task 2: Download Web Help Desk 12.7.2

Download Web Help Desk 12.7.2 from the Customer Portal. This version includes:

  • NSS binaries
  • An empty NSS database in FIPS mode
  • A security provider configuration file

The NSS-related files are stored in your <WebHelpDesk> home directory.

Task 3: Install Web Help Desk 12.7.2 in your deployment

See the Web Help Desk Installation and Upgrade Guide for details on how to install Web Help Desk on your Microsoft Windows server. The installer will install the NSS directory for you.

After you complete the installation steps, a window opens in your default browser, prompting you to select a database. Do not select any database type.

You will continue the Getting Started Wizard in a later step.

Task 4: Back up the FIPS-related directories on the Web Help Desk server to another location

  1. Log in to the Web Help Desk server.
  2. Navigate to the <WebHelpDesk>\bin directory.
  3. Back up the nss-x64 directory to a separate location.
  4. Navigate to the <WebHelpDesk>\conf directory.
  5. Back up the fips-140-2 directory to a separate location.

Task 5: Upgrade to Web Help Desk 12.7.3

See the Web Help Desk Installation and Upgrade Guide for details on how to install Web Help Desk on your Microsoft Windows server.

After you complete the installation steps, a window opens in your default browser, prompting you to select a database. Do not select any database type.

You will continue the Getting Started Wizard in a later step.

Task 6: Copy the NSS directory back to the Web Help Desk server

  1. Navigate to the Web Help Desk server.
  2. Copy the backup nss-x64 directory to the <WebHelpDesk>\bin directory.

Task 7: Install Visual C++ Redistributable Packages for Visual Studio 2013

This software is included with your Web Help Desk 12.7.3 installation package.

When you execute the installer, it installs the runtime components required to run C++ applications in Microsoft Visual Studio 2013 for a 64-bit environment.

  1. Navigate to your <WebHelpDesk> directory.
  2. Launch the vcredist_64.exe file.
  3. Follow the prompts in the wizard to install the software.

Task 8: Update the Environment Variables Path setting in your Windows Server operating system

The following procedure describes how to edit the Environment Variables settings in your Windows Server operating system. When completed, you can run Web Help Desk commands in a command prompt without having to change directories in the prompt.

See the Microsoft Docs website for information about locating the Environment Variables properties in your operating system.

  1. Press <Windows> + <Pause>.
  2. Click Advanced System Settings.
  3. Click the Advanced tab.
  4. Click Environment Variables.
  5. Under System Variables, select the PATH variable.
  6. Update the PATH string with the following path to your nss-x64 library:

    <WebHelpDesk>\bin\nss-x64\bin\;

    <WebHelpDesk>\bin\nss-x64\lib\;

    where <WebHelpDesk> is the path to your Web Help Desk directory.

    Below is an example of the system PATH variable.

    %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\

    When you add your nss-x64 library paths to the PATH string, the path displays as follows:

    C:\Program Files\WebHelpDesk\bin\nss-x64\bin\;C:\Program Files\WebHelpDesk\bin\nss-x64\lib\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\
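The same PATH change can be scripted. The following PowerShell is an added example, not part of the vendor procedure; it assumes the default install directory in `$WhdHome` and an elevated session. It reads the PATH value unexpanded so entries such as %SystemRoot% are written back unchanged, and it adds each nss-x64 directory only once.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
# Assumption: $WhdHome is your <WebHelpDesk> directory.
$WhdHome = 'C:\Program Files\WebHelpDesk'
$nssDirs = @("$WhdHome\bin\nss-x64\bin", "$WhdHome\bin\nss-x64\lib")

# Fail early if the NSS directories restored in Task 6 are not in place.
foreach ($dir in $nssDirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        throw "Missing NSS directory: $dir"
    }
}

# Read the machine PATH from the registry without expanding %SystemRoot% and
# similar variables, so existing entries are preserved exactly as stored.
$envKeyPath = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$noExpand   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$envKey     = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($envKeyPath, $true)
try {
    $raw     = $envKey.GetValue('Path', '', $noExpand)
    $entries = @($raw -split ';' | Where-Object { $_.Trim() -ne '' })

    # Compare with trailing backslashes removed (-notcontains ignores case).
    $present = @($entries | ForEach-Object { $_.Trim().TrimEnd('\') })
    $missing = @($nssDirs | Where-Object { $present -notcontains $_.TrimEnd('\') })

    if ($missing.Count -gt 0) {
        # Put the NSS entries first, as in the example above, and join every
        # entry with a semicolon so no two paths run together.
        $newPath = ($missing + $entries) -join ';'
        $kind    = [Microsoft.Win32.RegistryValueKind]::ExpandString
        $envKey.SetValue('Path', $newPath, $kind)
        "Added to PATH: $($missing -join ', ')"
    } else {
        'PATH already contains both nss-x64 directories.'
    }
} finally {
    $envKey.Close()
}
```

A direct registry write does not notify running processes, so sign out and back in (or restart the server) before you run the certutil commands in a new command prompt.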

Task 9: Enable FIPS mode on your Apache Tomcat server

In the following procedures, <WebHelpDesk> represents the Web Help Desk home folder on your system.

For example:

c:\Program Files\WebHelpDesk

Stop Web Help Desk

  1. Navigate to the <WebHelpDesk> directory.
  2. Right-click whd_stop.bat and select Run as administrator.

    Web Help Desk is stopped.

Install the preconfigured Web Help Desk files for FIPS deployment

When completed, you can use the drag and drop feature to configure FIPS.

  1. Navigate to the following directory:

    <WebHelpDesk>\conf\additional\fips-140-2\WebHelpDesk - clean install

  2. Copy all files, including the \bin and \conf directories.
  3. Navigate to the <WebHelpDesk> directory.
  4. Paste your copied files into the directory, overwriting all existing files.

    If you are prompted to copy the tomcat_server_template.xml file, choose the copy and replace option.

Edit the hosts file

Edit the hosts file to allow the local domain to be resolved correctly.

  1. Determine if you want to define a host name specifically for Web Help Desk that is different from the real server host name registered in DNS.

    If you are using the existing host name, go to Edit the whd.conf file.

    If you are defining a new host name, go to step 2.

  2. Open the following file in a text editor: 

    C:\Windows\System32\drivers\etc\hosts

  3. Add the following string in the file:

    127.0.0.1 mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is the domain name you chose for WebHelpDesk and will be used for the remaining procedures.

  4. Save and close the file.

Edit the whd.conf file

  1. Open the following file in a text editor:

    <WebHelpDesk>\conf\whd.conf

  2. Ensure that the following string is uncommented and includes a port number that is not occupied by another process:

    HTTPS_PORT=443

  3. Locate and follow the instructions in the # Privileged networks section to populate PRIVILEGED_NETWORKS= with the IP address or IP address range where the Web Help Desk host belongs.

    Use a valid IP address and not a loopback address.

    For example:

    PRIVILEGED_NETWORKS=10.20.30.40

    or

    PRIVILEGED_NETWORKS=10.20.30.*

  4. Add the following WHD_HOST variable:

    WHD_HOST=mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is the domain name you chose for your installation.

  5. Save and close the file.
  6. If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

    If you are installing Web Help Desk in another location, edit the following files:

    • tomcat_server_template.xml
    • java.security
    • pkcs11_nss.cfg
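The hosts and whd.conf edits above can be checked before you continue. The following PowerShell is an added example, not part of the vendor procedure; it assumes the default install directory in `$WhdHome` and that Web Help Desk is stopped, so the HTTPS port should be free.

```powershell
# Added example, not vendor code. Run while Web Help Desk is stopped.
# Assumption: $WhdHome is your <WebHelpDesk> directory.
$WhdHome  = 'C:\Program Files\WebHelpDesk'
$confFile = Join-Path $WhdHome 'conf\whd.conf'

# Collect uncommented KEY=VALUE lines; lines starting with # never match.
$conf = @{}
foreach ($line in Get-Content -LiteralPath $confFile) {
    if ($line -match '^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$') {
        $conf[$Matches[1]] = $Matches[2]
    }
}

$problems = @()

# HTTPS_PORT must be uncommented, numeric, and not bound by another process.
$port = 0
if (-not [int]::TryParse($conf['HTTPS_PORT'], [ref]$port) -or
    $port -lt 1 -or $port -gt 65535) {
    $problems += 'HTTPS_PORT is missing, commented out, or not a valid port.'
} elseif (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue) {
    $problems += "Port $port is already in use by another process."
}

# PRIVILEGED_NETWORKS must hold a real address or range, not a loopback.
$nets = $conf['PRIVILEGED_NETWORKS']
if ([string]::IsNullOrWhiteSpace($nets)) {
    $problems += 'PRIVILEGED_NETWORKS is empty.'
} elseif ($nets -match '(^|[\s,;])(127\.|::1|localhost)') {
    $problems += "PRIVILEGED_NETWORKS contains a loopback address: $nets"
}

# WHD_HOST must resolve, either through DNS or through the hosts file entry.
$whdHost = $conf['WHD_HOST']
if ([string]::IsNullOrWhiteSpace($whdHost)) {
    $problems += 'WHD_HOST is not set.'
} else {
    try {
        $null = [System.Net.Dns]::GetHostAddresses($whdHost)
    } catch {
        $problems += "WHD_HOST '$whdHost' does not resolve; check the hosts file or DNS."
    }
}

if ($problems.Count -eq 0) {
    "whd.conf checks passed: HTTPS_PORT=$port, WHD_HOST=$whdHost"
} else {
    $problems
}
```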

Edit the tomcat server template xml file

Beginning in Web Help Desk 12.7.3, TLS 1.2 is enabled by default to improve application security. In some cases, you may need to implement TLS 1.1 to support FIPS mode or legacy computer systems that do not support the TLS 1.2 protocol.

Edit the tomcat_server_template.xml file based on where you installed Web Help Desk.

Web Help Desk is installed in the default directory

If you are installing Web Help Desk in the default <WebHelpDesk> directory, re-enable TLS 1.1 in the file to support your legacy systems.

  1. Open the following file in a text editor:

    <WebHelpDesk>\conf\tomcat_server_template.xml

  2. Locate the WEBHELPDESK_SSL_PORT settings.
  3. Locate sslProtocol in the file. There are two occurrences in the file.
  4. Add TLSv1.1 to the first occurrence.

    Change:

    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"

    to

    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.1, TLSv1.2"

  5. Repeat step 4 for the second occurrence.
  6. Save the file.
  7. Go to Create a Web Help Desk server certificate.

Web Help Desk is installed in another location

If you are installing Web Help Desk in another location, update the path to the nss-x64 in the tomcat_server_template.xml file.

  1. Open the following file in a text editor:

    <WebHelpDesk>\conf\tomcat_server_template.xml

  2. Locate the SSL HTTP/1.1 connector section, as shown below.
    <!-- Define a SSL HTTP/1.1 Connector on port @@@WEBHELPDESK_SSL_PORT@@@
    This connector uses the JSSE configuration, when using APR, the
    connector should be using the OpenSSL style configuration
    described in the APR documentation.
    @@@WEBHELPDESK_SSL_START@@@
    ...
    ...
    @@@WEBHELPDESK_SSL_STOP@@@ -->
  3. Update the path to the nss-x64 in the code.
    1. Locate the following path:

      c:\\Program Files\\WebHelpDesk\\

    2. Replace this path with the path to your Web Help Desk installation.

      Be sure to include the double slashes ( \\ ) as path delimiters.

  4. Re-enable TLS 1.1 in the file to support your legacy systems.
    1. Locate sslProtocol in the file. There are two occurrences in the file.
    2. Add TLSv1.1 to the first occurrence.

      Change:

      clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"

      to

      clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.1, TLSv1.2"

    3. Repeat the previous step for the second occurrence.
  5. Save and close the file.

(Optional) Edit the java.security file

If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

If you are installing Web Help Desk in another directory, update the java.security file with the appropriate path.

  1. Navigate to the following directory:

    <WebHelpDesk>\bin\jre\lib\security

  2. Open the java.security file in a text editor.
  3. In the file, locate the following path:

    c:\\Program\ Files\\WebHelpDesk\\

  4. Replace this path with the path to your Web Help Desk installation.

    Be sure to include the double slashes ( \\ ) as path delimiters. Also, use a single slash to escape each space.

    For example: 

    Program\ Files

(Optional) Edit the pkcs11_nss.cfg file

If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

If you are installing Web Help Desk in a different location, perform the following steps: 

  1. Open the following file in a text editor:

    <WebHelpDesk>\bin\nss-x64\config\pkcs11_nss.cfg

  2. Locate the following strings:

    nssLibraryDirectory = "c:\\Program Files\\WebHelpDesk\\bin\\nss-x64\\lib"

    nssSecmodDirectory = "c:\\Program Files\\WebHelpDesk\\bin\\nss-x64\\dbnss"

  3. In each string, replace:

    c:\\Program Files\\WebHelpDesk

    with the path to your Web Help Desk installation.

    Be sure to include the double slashes ( \\ ) as path delimiters.

  4. Save and close the file.
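The three path edits for a non-default installation differ only in how the path is escaped. The following PowerShell is an added example, not part of the vendor procedure; the install path in `$WhdHome` is an assumed placeholder. It rewrites the default path in tomcat_server_template.xml, java.security, and pkcs11_nss.cfg, keeps a .bak copy of each file, and reports any occurrence of the default path that remains.

```powershell
# Added example, not vendor code. Run elevated while Web Help Desk is stopped.
# Assumption: $WhdHome is your non-default <WebHelpDesk> directory.
$WhdHome = 'D:\Apps\Web Help Desk'

# Build the two escaped forms the files expect.
$doubled = $WhdHome.TrimEnd('\').Replace('\', '\\')   # D:\\Apps\\Web Help Desk
$escaped = $doubled.Replace(' ', '\ ')                # D:\\Apps\\Web\ Help\ Desk

# Default path as it appears in each file, and the form that replaces it.
$targets = @(
    @{ File = 'conf\tomcat_server_template.xml'
       Old  = 'c:\\Program Files\\WebHelpDesk';  New = $doubled }
    @{ File = 'bin\jre\lib\security\java.security'
       Old  = 'c:\\Program\ Files\\WebHelpDesk'; New = $escaped }
    @{ File = 'bin\nss-x64\config\pkcs11_nss.cfg'
       Old  = 'c:\\Program Files\\WebHelpDesk';  New = $doubled }
)

$ignoreCase = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase

$results = foreach ($t in $targets) {
    $path = Join-Path $WhdHome $t.File
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Not found: $path"
    }

    # Assumption: the files are ASCII or UTF-8 text.
    $text    = [System.IO.File]::ReadAllText($path)
    $pattern = [regex]::Escape($t.Old)
    $count   = [regex]::Matches($text, $pattern, $ignoreCase).Count

    if ($count -gt 0) {
        Copy-Item -LiteralPath $path -Destination "$path.bak" -Force
        # '$' is the only special character in a .NET replacement string.
        $replacement = $t.New.Replace('$', '$$')
        $text = [regex]::Replace($text, $pattern, $replacement, $ignoreCase)
        [System.IO.File]::WriteAllText($path, $text)
    }

    # DefaultLeft should be 0 for every file once the rewrite has run.
    [pscustomobject]@{
        File        = $t.File
        Replaced    = $count
        DefaultLeft = [regex]::Matches($text, $pattern, $ignoreCase).Count
    }
}
$results | Format-Table -AutoSize
```

A row with Replaced = 0 means the file no longer contains the default path, either because it was already edited or because its contents differ from what this page describes; review that file by hand.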

Task 10: Create a Web Help Desk server certificate

This procedure describes how to obtain a certificate signed by a trusted Certificate Authority (CA) or create and use a self-signed certificate.

Creating a self-signed certificate should only be used in test environments and is not recommended for production environments.

To create a Web Help Desk server certificate, select one of the following options: 

If you currently have a signed certificate for your NSS database, you can skip this procedure.

Before you begin

If you are running Internet Explorer to access Web Help Desk, add your Web Help Desk URL as a trusted site or designate the URL as an Intranet connection in the security settings. This process prevents the default security settings in Internet Explorer from blocking JavaScript code used for navigating through the Getting Started Wizard.

Obtain a signed certificate by a trusted CA

  1. Locate and open the copy_paste.txt file located at:

    <WebHelpDesk>\conf\additional\fips-140-2\WebHelpDesk - clean install

    This file contains code for the following steps.

  2. Generate a certificate signing request using the NSS tools.
    1. Open a command prompt window.
    2. At the prompt, enter:

      cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

    3. Create a certificate signing request.

      The default password to your NSS database is P@ssw0rd.

      Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

      .\certutil -R -s "CN=mywebhelpdesk.mydomain, O=My_company, L=My_location, ST=My_state, C=My_country" -p My_phone -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

      where mywebhelpdesk.mydomain is your Web Help Desk domain name and My_location, My_state, and so on are specific to your deployment.

      Change the path to mycert.req if you want to use a different location.

  3. Send the generated file to a trusted CA (such as Verisign) to validate the certificate identity.

    The CA validates the certificate, and then sends the validated certificate back to you. This process may require several weeks to complete.

  4. Import the certificate into your NSS database.
    1. Open a command prompt window.
    2. At the prompt, enter:

      cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

    3. Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

      .\certutil -A -n tomcat -t "TCu,TCu,TCu" -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss"

      Change the path to mycert.crt if you want to use a different location.

    4. When prompted, enter the password to your NSS database.

      The default password is:

      P@ssw0rd

    5. Verify that the certificate is stored in your NSS database.

      At the prompt, execute:

      .\certutil -L -d ../dbnss

  5. Go to Complete the installation.

Create and use a self-signed certificate

Perform the following procedure only if you did not obtain a signed certificate by a trusted Certificate Authority (CA).

The default password to your NSS database is P@ssw0rd.

  1. Locate and open the copy-paste.txt file located at <WebHelpDesk>\conf\additional\fips-140-2\.

    This file contains code for the following steps.

  2. Open a command prompt and navigate to:

    <WebHelpDesk>\bin\nss-x64\bin\

  3. Create a certificate signing request.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

    .\certutil -R -s "CN=mywebhelpdesk.mydomain, O=My_company, L=My_location, ST=My_state, C=My_country" -p My_phone -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

    where:

    • mywebhelpdesk.mydomain is the Web Help Desk domain name you configured for the WHD_HOST variable in the whd.conf file.
    • My_location, My_state, and so on are specific to your deployment.
    • c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation.

      Adjust this path if your Web Help Desk software is installed in a non-standard location.

    Change the path to mycert.req if you want to use a different location.

  4. Follow the prompts after each .\certutil command line to complete the certificate signing request.

    When prompted for the default NSS database password, enter:

    P@ssw0rd

  5. Create a certificate called myissuer that will be used as the local CA to sign the tomcat certificate.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

    .\certutil -S -s "CN=My Issuer" -n myissuer -x -t "TCu,TCu,TCu" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation.

    Adjust this path if your Web Help Desk software is installed in a non-standard location.

  6. Sign your certificate request.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

    .\certutil -C -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -c myissuer -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation.

    Adjust this path if your Web Help Desk software is installed in a non-standard location.

    Change the path to mycert.crt if you want to use a different location.

    No success message appears in the command prompt when the command completes.

  7. Import the self-signed certificate into your NSS database.

    Change the path to mycert.crt if you want to use a different location.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute: 

    .\certutil -A -n tomcat -t "TCu,TCu,TCu" -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss"

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation.

    Adjust this path if your Web Help Desk software is installed in a non-standard location.

    No success message appears in the command prompt when the command completes.

  8. Close the command prompt window.
  9. Start Web Help Desk.

    Navigate to your <WebHelpDesk> directory, right-click whd.bat start, and select Run as administrator.

    If you configured a default web browser, the browser opens a new window.

    The following steps describe how to import certificates into your Trusted Root CA and Trusted Publishers stores using Internet Explorer 11 or later. If Google Chrome is your default web browser, the certificate is recognized.

  10. Open Internet Explorer and navigate to:

    https://mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is your Web Help Desk domain name.

    A certificate error message displays.

  11. Import the CA certificate into the Trusted Root CA store of your operating system.
    1. In your web browser, click Proceed anyway.
    2. Double-click Certificate error.
    3. Click View Certificate and select Certification path tab > My Issuer > View Certificate > Install Certificate.
    4. Select Local Machine > TRUSTED ROOT CERTIFICATION AUTHORITIES and click Next.
    5. Click Finish.
    6. Click OK.
  12. Import the server certificate into the Trusted Publishers store.
    1. In your web browser, click Proceed anyway.
    2. In your web browser, double-click Certificate error.
    3. Click View Certificate and select General tab > Install Certificate.
    4. Select Local Machine > TRUSTED PUBLISHERS and click Next.
    5. Click Finish.
    6. Press F5 to refresh the web page.

      If Web Help Desk is not loaded after pressing F5, stop and then restart Web Help Desk.

Task 11: Complete the installation

  1. In the Getting Started Wizard, select the embedded database option.
  2. Complete the remaining steps in the Getting Started Wizard.
  3. Navigate to your Web Help Desk URL.
  4. Log in to Web Help Desk using admin as your user name and password.
  5. In the toolbar, click Setup and select General > Options.
  6. In the Server DNS Name field, enter your Web Help Desk fully qualified domain name.
  7. Set Force HTTPS to Always.
  8. Click Save.
  9. Update your Web Help Desk password to a secure password.
  10. Activate your Web Help Desk license.

Task 12: Set up SolarWinds Integration and email

If you are using self-signed certificates in your SolarWinds Integration servers, email servers, or primary tools, add these certificates in the Web Help Desk NSS database.

Below is an example for an Orion connection:

  1. Open a Web browser window and navigate to:

    https://ORION_IP_Address:17778/SolarWinds/InformationService/v3/OrionBasic/

  2. Export the certificate into a file in CER format.

    1. Click the lock icon next to the URL address and select Certificate Information > Details > Copy to File.
    2. Follow the prompts in the export wizard, selecting the .der format of the exported certificate.
  3. Open a command prompt window.

    At the prompt, enter:

    cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

  4. Import the certificate.

    At the prompt, enter:

    certutil -A -t "CT,C,C" -d ..\dbnss -n orion_cert -i c:\<path_to_exported_cert>\previously_exported_cert.cer