Enable FIPS in an existing deployment

This section describes how to enable FIPS in a Web Help Desk 12.7.2, 12.7.3, or 12.7.4 deployment. Follow the procedures in this section to bring your existing deployment into FIPS 140-2 compliance. When you are finished, you can upgrade to version 12.7.5.

Enabling FIPS 140-2 compliant cryptography in an existing deployment is optional and is not required to continue using Web Help Desk. Your database is still protected from unauthorized users, whether or not you use this feature. You can maintain your current deployment configuration if you believe that your corporate enterprise is secure and does not require the added security of FIPS 140-2 cryptography.

In this section, <WebHelpDesk> represents the Web Help Desk home folder on your system. For example: c:\Program Files\WebHelpDesk.

Before you begin

Contact SolarWinds Technical Support if you need assistance with enabling FIPS in your existing deployment.

Before you enable FIPS in your existing deployment, do the following: 

  1. Back up your Web Help Desk deployment.
  2. Verify that your Windows operating system and database software meet the component requirements for FIPS 140-2 compliant cryptography.
  3. Verify that your database is not connected to Web Help Desk using an SSL connection.
  4. Back up your Web Help Desk database and the following resources:

    Directory                            Description
    <WebHelpDesk>\bin\nss-x64            Contains the Network Security Services (NSS) libraries required to enable FIPS.
    <WebHelpDesk>\conf\.whd.properties   Contains the Web Help Desk configuration properties.

After you complete the steps in this section, upgrade to Web Help Desk 12.7.5.

See Upgrade Web Help Desk to the latest version located in the Web Help Desk Installation and Upgrade Guide for instructions.

Task 1: Download the upgrade and migration packages

  1. Log in to the Customer Portal.
  2. Click Download Product > Download.
  3. In the Products and Licenses drop-down menus, select Web Help Desk (WHD) and your product license tier.
  4. Download the following software: 

    • Web Help Desk v12.7.5 migration package
    • Web Help Desk v12.7.5
  5. Extract the ZIP files to your desktop.

Task 2: Check your current configuration

  1. Log in to the Web Help Desk Administrator Console as an administrator.
  2. Click Setup > General > System Information.
  3. In the Web Help Desk Version row, verify that 12.7.2, 12.7.3, or 12.7.4 displays as the current version.
  4. Under General, click Authentication.
  5. In the FIPS Compliant Cryptography row, verify that FIPS is enabled.
  6. Log out of the Web Help Desk Administrator Console.

Task 3: Create a new keystore for the FIPS cryptography provider

Java uses the cacerts keystore to store the public certificates of all root certificate authorities (CAs). To support the FIPS cryptography provider, perform the following steps to convert the cacerts keystore to a BCFKS keystore and create the server.cer certificate for the keystore.

  1. Open a command prompt and select Run as administrator.
  2. Run the migration.bat file.

    1. At the command prompt, change the directory to:

      C:\Users\your_name\Desktop\migration_directory

      where migration_directory is the extracted directory you downloaded from the Customer Portal.

    2. At the prompt, execute:

      migrate.bat "C:\Program Files\WebHelpDesk" P@ssw0rd changeit

      where P@ssw0rd is the NSS database password and changeit is the BCFKS keystore password.

      Record these passwords for a later step.

      The application generates the keystore.bcfks and cacerts.bcfks keystore files to enable the new FIPS provider. These files are copied to the <WebHelpDesk> directory.

  3. Back up these keystore files to a separate location.
  4. Leave the command prompt window open.

Task 4: Upgrade to the latest release

After you create the new keystore and certificate, run the Web Help Desk 12.7.5 upgrade installer.

See Upgrade Web Help Desk to the latest version located in the Web Help Desk Installation and Upgrade Guide for instructions.

When the installation is completed, go to the next task.

Task 5: Enable the FIPS provider on the Web Help Desk server

Stop Web Help Desk and modify three configuration files to support the new FIPS configuration. When you are finished, start Web Help Desk.

Stop Web Help Desk

  1. In the command prompt window, change the directory to the <WebHelpDesk> directory.
  2. Execute: 

    whd_stop

    Web Help Desk is stopped.

  3. Minimize the command prompt window.

Update the java.security file

  1. Open File Explorer and navigate to:

    <WebHelpDesk>\bin\jre\conf\security

  2. Open the java.security file using a text editor (such as Notepad).
  3. Scroll down to the following comment: 

    #List of providers and their preference orders

  4. In the list of providers, add the following cryptography providers to the top of the list:

    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
  5. Renumber the preference order so all providers are numbered sequentially, starting at 1.

    For example:

    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
    security.provider.3=SUN
    security.provider.4=SunRsaSign
    security.provider.5=SunEC
    security.provider.6=SunJSSE
    security.provider.7=SunJCE
    security.provider.8=SunJGSS
    security.provider.9=SunSASL
    security.provider.10=XMLDSig
    security.provider.11=SunPCSC
    security.provider.12=JdkLDAP
    security.provider.13=JdkSASL
    security.provider.14=SunMSCAPI
    security.provider.15=SunPKCS11
    
  6. Scroll down to the following comment: 

    #Default keystore type
    keystore.type=pkcs12
  7. Comment out the pkcs12 keystore type and add the following type:

    keystore.type=bcfks

    For example:

    #Default keystore type
    #keystore.type=pkcs12
    keystore.type=bcfks
  8. Scroll down to the following entry:

    ssl.KeyManagerFactory.algorithm=SunX509
  9. Change the entry to the following:

    ssl.KeyManagerFactory.algorithm=PKIX
  10. Save and close the file.

Update the wrapper_template file

  1. Open File Explorer and navigate to:

    C:\Program Files\WebHelpDesk\bin\wrapper\conf

  2. Open the wrapper_template.conf file in a text editor (such as Notepad).
  3. Scroll down to:

    # Java Classpath

  4. Enter the following elements after the last element in the list:

    wrapper.java.classpath.4=../../webapps/helpdesk/WEB-INF/lib/bc-fips.jar
    wrapper.java.classpath.5=../../webapps/helpdesk/WEB-INF/lib/bcpkix-fips.jar
    wrapper.java.classpath.6=../../webapps/helpdesk/WEB-INF/lib/bctls-fips.jar
    
  5. Renumber all elements so they are listed sequentially, starting at 1.

    For example:

    wrapper.java.classpath.1=../../wrapper/lib/wrapper.jar
    wrapper.java.classpath.2=../../tomcat/bin/bootstrap.jar
    wrapper.java.classpath.3=../../tomcat/bin/tomcat.juli.jar
    wrapper.java.classpath.4=../../webapps/helpdesk/WEB-INF/lib/MDSunicode.jar
    wrapper.java.classpath.5=../../webapps/helpdesk/WEB-INF/lib/bc-fips.jar
    wrapper.java.classpath.6=../../webapps/helpdesk/WEB-INF/lib/bcpkix-fips.jar
    
  6. Scroll down to: 

    # Java Additional Parameters

  7. Add the following parameters to the end of the list:

    wrapper.java.additional.19=-DWHDfips
    wrapper.java.additional.20=-Djavax.net.ssl.keyStore="C:\Program Files\WebHelpDesk\conf\cacerts.bcfks"
    wrapper.java.additional.21=-Djavax.net.ssl.keyStorePassword=changeit
    wrapper.java.additional.22=-Djavax.net.ssl.keyStoreType=BCFKS
    wrapper.java.additional.23=-Djavax.net.ssl.trustStore="C:\Program Files\WebHelpDesk\conf\cacerts.bcfks"
    wrapper.java.additional.24=-Djavax.net.ssl.trustStorePassword=changeit
    wrapper.java.additional.25=-Djavax.net.ssl.trustStoreType=BCFKS
  8. Verify that all elements are numbered sequentially with no gaps or duplicates.
  9. (Optional) Update the changeit password in the following elements based on your corporate requirements.

    The password must be identical to the password used when you created the BCFKS keystore.

    wrapper.java.additional.21=-Djavax.net.ssl.keyStorePassword=changeit
    wrapper.java.additional.24=-Djavax.net.ssl.trustStorePassword=changeit
  10. Save and close the file.
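Before you restart the service, it is worth checking both edited files mechanically: a duplicated or skipped number in the provider list or the wrapper classpath produces no error, it simply leaves the JVM on the non-FIPS provider or without the Bouncy Castle jars on its classpath. The script below is an added example and is not part of the SolarWinds documentation or the Web Help Desk product. It parses java.security and wrapper_template.conf text as key=value lines, verifies that the security.provider, wrapper.java.classpath and wrapper.java.additional series are numbered 1..N without gaps or duplicates, and verifies the FIPS entries named in the two procedures above. The file contents embedded in it are constructed samples; the paths and passwords are placeholders taken from this page, not values from a real installation.

```python
"""Pre-start check for the java.security and wrapper_template.conf edits.

Added example, not part of the SolarWinds documentation or the Web Help Desk
product. Requires the numbered series (security.provider.N,
wrapper.java.classpath.N, wrapper.java.additional.N) to run 1..N and the
FIPS entries from the procedure to be present. Samples below are constructed."""
import re
from typing import List, Tuple

BCFIPS_PROVIDER = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
BCJSSE_PROVIDER = "org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS"
FIPS_JARS = ("bc-fips.jar", "bcpkix-fips.jar", "bctls-fips.jar")
REQUIRED_JVM_OPTS = ("-DWHDfips", "-Djavax.net.ssl.keyStoreType=BCFKS",
                     "-Djavax.net.ssl.trustStoreType=BCFKS")


def parse_props(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs in file order; blank lines and '#' comments are skipped.
    A list rather than a dict, so duplicate keys stay visible to check_series."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def check_series(pairs: List[Tuple[str, str]], prefix: str) -> List[str]:
    """Keys '<prefix>.N' must be numbered exactly 1..N; a gap or a duplicate
    number makes the JVM or the service wrapper silently drop entries."""
    pat = re.compile(re.escape(prefix) + r"\.(\d+)$")
    nums = sorted(int(m.group(1)) for k, _ in pairs if (m := pat.match(k)))
    if not nums or nums != list(range(1, len(nums) + 1)):
        return [f"{prefix}: numbering {nums} is not 1..N"]
    return []


def check_java_security(text: str) -> List[str]:
    pairs = parse_props(text)
    props = dict(pairs)  # last definition wins, as in java.util.Properties
    problems = check_series(pairs, "security.provider")
    if props.get("security.provider.1") != BCFIPS_PROVIDER:
        problems.append("security.provider.1 is not BouncyCastleFipsProvider")
    if props.get("security.provider.2") != BCJSSE_PROVIDER:
        problems.append("security.provider.2 is not BouncyCastleJsseProvider fips:BCFIPS")
    if props.get("keystore.type", "").lower() != "bcfks":
        problems.append(f"keystore.type is {props.get('keystore.type')!r}, expected bcfks")
    if props.get("ssl.KeyManagerFactory.algorithm") != "PKIX":
        problems.append("ssl.KeyManagerFactory.algorithm is not PKIX")
    return problems


def check_wrapper(text: str) -> List[str]:
    pairs = parse_props(text)
    problems = check_series(pairs, "wrapper.java.classpath")
    problems += check_series(pairs, "wrapper.java.additional")
    classpath = [v for k, v in pairs if k.startswith("wrapper.java.classpath.")]
    for jar in FIPS_JARS:
        if not any(entry.endswith("/" + jar) for entry in classpath):
            problems.append(f"classpath: {jar} is missing")
    opts = [v for k, v in pairs if k.startswith("wrapper.java.additional.")]
    problems += [f"JVM options: {opt} is missing" for opt in REQUIRED_JVM_OPTS if opt not in opts]
    for opt in opts:  # every store the JVM is pointed at must be a BCFKS file
        if opt.startswith(("-Djavax.net.ssl.keyStore=", "-Djavax.net.ssl.trustStore=")):
            if not opt.rstrip('"').lower().endswith(".bcfks"):
                problems.append(f"JVM options: {opt} does not point at a .bcfks store")
    return problems


# Constructed sample of a correctly edited java.security (provider list shortened).
GOOD_JAVA_SECURITY = """
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.4=SunRsaSign
#keystore.type=pkcs12
keystore.type=bcfks
ssl.KeyManagerFactory.algorithm=PKIX
"""

# Constructed "forgot to renumber" case: SUN is still provider 1 (so the JVM keeps
# the non-FIPS provider first) and the KeyManagerFactory line was left untouched.
BAD_JAVA_SECURITY = """
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.1=SUN
security.provider.2=SunRsaSign
keystore.type=bcfks
ssl.KeyManagerFactory.algorithm=SunX509
"""

# Constructed sample of the wrapper edits (password entries omitted for brevity).
GOOD_WRAPPER = r"""
wrapper.java.classpath.1=../../webapps/helpdesk/WEB-INF/lib/bc-fips.jar
wrapper.java.classpath.2=../../webapps/helpdesk/WEB-INF/lib/bcpkix-fips.jar
wrapper.java.classpath.3=../../webapps/helpdesk/WEB-INF/lib/bctls-fips.jar
wrapper.java.additional.1=-DWHDfips
wrapper.java.additional.2=-Djavax.net.ssl.keyStore="C:\Program Files\WebHelpDesk\conf\cacerts.bcfks"
wrapper.java.additional.3=-Djavax.net.ssl.keyStoreType=BCFKS
wrapper.java.additional.4=-Djavax.net.ssl.trustStore="C:\Program Files\WebHelpDesk\conf\cacerts.bcfks"
wrapper.java.additional.5=-Djavax.net.ssl.trustStoreType=BCFKS
"""
```

To run it against a real installation, pass the file contents instead of the samples, for example `check_java_security(open(r"<WebHelpDesk>\bin\jre\conf\security\java.security").read())`; an empty list means the file passed every check. The parser keeps duplicate keys on purpose: `java.util.Properties` would keep only the last `security.provider.1` line, which is exactly the silent failure the check is meant to surface.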

Update the tomcat_server_template file

  1. Navigate to:

    C:\Program Files\WebHelpDesk\conf

  2. Open the tomcat_server_template.xml file in a text editor (such as Notepad).
  3. Locate the following comment:

    @@@WEBHELPDESK_SSL_START@@@
  4. Below this comment are two Connector elements that begin with the following header:

    <Connector port="@@@WEBHELPDESK_SSL_PORT@@@" protocol="HTTP/1.1" SSLEnabled="true"
  5. Under the first Connector port section, locate the following elements:

    keystoreFile="@@@WEBHELPDESK_KEYSTORE@@@"
    keystorePass="@@@WEBHELPDESK_KEYSTORE_PASS@@@"
    keystoreType="@@@WEBHELPDESK_KEYSTORE_TYPE@@@"
    
  6. Update the element values as shown below:

    keystoreFile="C:\Program Files\WebHelpDesk\conf\keystore.bcfks"
    keystorePass="changeit"
    keystoreType="BCFKS"
    
  7. In the same section, delete the following cipher entries:

    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
  8. Repeat step 5 through step 7 in the second Connector port section.
  9. Save and close the file.
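Because the template contains two SSL connectors and the edit has to be made in both, it is easy to fix one and leave the other pointing at the old keystore or still carrying the RC4 and 3DES cipher list. The script below is an added example, not part of the SolarWinds documentation or the product: it parses the template as XML, selects every Connector with SSLEnabled="true", and reports any that still holds a template placeholder, does not use a .bcfks keystore of type BCFKS, or still has a ciphers attribute. The two XML documents inside it are constructed samples of the "before" and "after" state, not the real tomcat_server_template.xml.

```python
"""Check the SSL Connector edits in tomcat_server_template.xml.

Added example, not part of the SolarWinds documentation or the product. The
XML documents below are constructed samples, not the real template."""
import xml.etree.ElementTree as ET
from typing import List

LEGACY_MARKERS = ("RC4", "3DES", "MD5", "SSL_")  # suite names FIPS 140-2 does not allow


def ssl_connectors(xml_text: str) -> List[ET.Element]:
    """Every Connector element in the document that has SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]


def check_connector(conn: ET.Element) -> List[str]:
    port = conn.get("port", "?")
    problems = []
    for attr in ("keystoreFile", "keystorePass", "keystoreType"):
        if "@@@" in conn.get(attr, ""):
            problems.append(f"port {port}: {attr} still holds a template placeholder")
    if not conn.get("keystoreFile", "").lower().endswith(".bcfks"):
        problems.append(f"port {port}: keystoreFile is not a .bcfks keystore")
    if conn.get("keystoreType") != "BCFKS":
        problems.append(f"port {port}: keystoreType is {conn.get('keystoreType')!r}, expected BCFKS")
    ciphers = conn.get("ciphers")
    if ciphers is not None:  # the procedure deletes this attribute entirely
        legacy = [c for c in ciphers.split(",") if any(m in c for m in LEGACY_MARKERS)]
        problems.append(f"port {port}: ciphers attribute still present; legacy suites: {legacy}")
    return problems


def check_template(xml_text: str) -> List[str]:
    conns = ssl_connectors(xml_text)
    problems = [] if len(conns) == 2 else [f"expected 2 SSL connectors, found {len(conns)}"]
    for conn in conns:
        problems += check_connector(conn)
    return problems


# Constructed sample: template as shipped, before the edits in steps 5 to 8.
BEFORE = """
<Server><Service name="Catalina">
  <!-- @@@WEBHELPDESK_SSL_START@@@ -->
  <Connector port="@@@WEBHELPDESK_SSL_PORT@@@" protocol="HTTP/1.1" SSLEnabled="true"
    keystoreFile="@@@WEBHELPDESK_KEYSTORE@@@" keystorePass="@@@WEBHELPDESK_KEYSTORE_PASS@@@"
    keystoreType="@@@WEBHELPDESK_KEYSTORE_TYPE@@@"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    keystoreFile="@@@WEBHELPDESK_KEYSTORE@@@" keystorePass="@@@WEBHELPDESK_KEYSTORE_PASS@@@"
    keystoreType="@@@WEBHELPDESK_KEYSTORE_TYPE@@@"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_RC4_128_MD5"/>
</Service></Server>
"""

# Constructed sample after both connectors were edited; the plain HTTP connector
# is ignored by ssl_connectors. "changeit" is the placeholder password from the page.
AFTER = r"""
<Server><Service name="Catalina">
  <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    keystoreFile="C:\Program Files\WebHelpDesk\conf\keystore.bcfks"
    keystorePass="changeit" keystoreType="BCFKS"/>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
    keystoreFile="C:\Program Files\WebHelpDesk\conf\keystore.bcfks"
    keystorePass="changeit" keystoreType="BCFKS"/>
</Service></Server>
"""
```

Run `check_template(open(r"<WebHelpDesk>\conf\tomcat_server_template.xml").read())` against the edited file; an empty list means both SSL connectors carry the BCFKS settings and the legacy cipher list is gone. The connector count check is deliberate: if a second SSLEnabled connector went missing during editing, the service would start but one listener would be silently absent.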

Start Web Help Desk

  1. In the command prompt window, change the directory to the <WebHelpDesk> directory.
  2. Execute: 

    whd_start

    During startup, the following message displays in the window:

    Web Help Desk is configured to work in FIPS compliant security mode.

  3. After the application starts, close the command prompt window.

Task 6: Complete the installation

  1. (PostgreSQL database only) If prompted to update your PostgreSQL embedded database, click Continue.

    The database updates to 12.7.5.

  2. Enter your e-mail address and password in the Log In window, and then click Log In.

    The Web Help Desk Administrator Console displays.

  3. Click Setup > General > System Information.
  4. In the System Environment page, verify that 12.7.5 displays in the Web Help Desk Version field.

  5. Under General, click Authentication.
  6. In the FIPS Compliant Cryptography field, verify that Enabled displays in the field with a green icon. This indicates that WHD is using cryptographic algorithms that are compliant with the FIPS 140-2 standard.

    If Disabled displays in the field with a red icon, contact Technical Support for assistance.

    The upgrade is completed.

  7. Update your Web Help Desk password to a secure password.

  8. Activate your Web Help Desk license.

Task 7: Set up your SolarWinds Integration and email

If you are using self-signed certificates in your SolarWinds Integration servers, email servers, or primary tools, add these certificates to the Web Help Desk database.

Below is an example for an Orion connection.

  1. Open a Web browser window and navigate to:

    https://ORION_IP_Address:17778/SolarWinds/InformationService/v3/OrionBasic/

  2. Export the certificate into a file in CER format.

    1. Click the lock icon next to the URL address and select Certificate Information > Details > Copy to File.
    2. Follow the prompts in the export wizard, selecting the .der format of the exported certificate.
  3. Open a command prompt window.
  4. Change the directory to:

    <WebHelpDesk>\conf

    For example:

    C:\Program Files\WebHelpDesk\conf

  5. Import the certificate.

    At the prompt, execute:

    keytool -import -trustcacerts -keystore "C:\Program Files\WebHelpDesk\conf\cacerts.bcfks" -storepass changeit -alias orion_cert -file c:\<path_to_exported_cert>\previously_exported_cert.cer -storetype BCFKS -providerpath "C:\Program Files\WebHelpDesk\bin\webapps\helpdesk\WEB-INF\lib\bc-fips.jar" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider