FIPS Compliance

What is FIPS?

Federal Information Processing Standards (FIPS) are security standards published by the US National Institute of Standards and Technology (NIST) for use in federal information systems. FIPS 140, the standard this page is concerned with, specifies the security requirements for cryptographic modules: which algorithms may be used, how keys are generated and managed, and how the module must protect them.

FIPS 140 compliance is required for US federal agencies and for contractors that handle sensitive federal information, and many regulated organizations adopt it as a baseline even when it is not mandated. Its practical effect is to rule out weak or unvetted cryptography in favour of validated modules and approved algorithms.
  

AssetExplorer and FIPS Compliance

AssetExplorer can be run in FIPS mode to meet US government requirements. When FIPS mode is enabled, AssetExplorer restricts itself to FIPS 140-2 validated cryptographic modules and FIPS-approved algorithms.
Info
AssetExplorer's FIPS compliance is self-claimed: the product as a whole has not been validated by NIST's Cryptographic Module Validation Program. It uses FIPS-validated cryptographic packages and FIPS-approved algorithms to meet the required security measures.

Changes in AssetExplorer when FIPS Mode is Enabled

  1. Secure Communications: Enabling FIPS mode disables HTTP in AssetExplorer and enforces HTTPS, so every connection between a client and AssetExplorer travels over an encrypted TLS channel.
  2. FIPS-Approved Checksum/Hashing Algorithms: All checksum validation and hashing in AssetExplorer is performed with FIPS-approved algorithms. MD5 and SHA-1, which are not FIPS-approved for these uses, are restricted.
  3. Restriction on PKCS12 Certificates: AssetExplorer no longer accepts PKCS12 (PFX) keystores. Use a keystore format that complies with FIPS guidelines so that certificate operations stay within the approved protocols.
  4. SAML Algorithm Changes: If SAML was in use before AssetExplorer version 7540, switching to FIPS mode changes the algorithm of the Service Provider's certificate. This affects SAML login (if response signing is enabled for the IdP) and logout (if single logout is configured). After FIPS mode is enabled, the new certificate is saved as <server_home>/conf/SamlCertUpgrade/sdp_public_new.cer. Upload this certificate to your Identity Provider to restore SAML login and logout.
Info
If a PFX certificate is configured in the application, it is converted automatically to a JKS keystore during FIPS configuration.

Steps to Enable FIPS Compliance in AssetExplorer

Info
Enable FIPS mode only if your organization requires it.
Review the prerequisites and limitations below before enabling FIPS mode.

Start and stop the application at least once before enabling FIPS mode (the FIPS script does not run on a cold start), and take a backup of the application before configuring FIPS.

To configure FIPS:
  1. On Windows, open a command prompt with administrator privileges in the <server_installed_directory>\bin folder. On Linux, open a terminal in the <server_installed_directory>/bin folder.
  2. Make sure the application is stopped, then execute ConfigureFIPSMode.bat (Windows) or sh ConfigureFIPSMode.sh (Linux). Refer here for troubleshooting.
  3. Start the server.

Prerequisites to Enable FIPS Compliance in AssetExplorer

  1. Supported Versions: FIPS mode is supported only in AssetExplorer version 7540 or above. Click here to learn how to migrate to a supported build.
  2. LDAP SSL Configuration for AD Domains: Ensure that all LDAP connections use SSL (LDAPS). You can modify the LDAP SSL settings of existing Active Directory domains under Active Directory > Import User(s) from Active Directory and/or LDAP in ESM Directory or Admin settings.
  3. HTTPS Protocol for Integrations: Ensure that all integrations in AssetExplorer use HTTPS. Any integration previously configured with HTTP must be reconfigured with HTTPS, because FIPS mode disables HTTP.
  4. UEM Integrations: Update any UEM application integrated with AssetExplorer to version 11.3.2410.01 or above. For details, see ManageEngine Endpoint Central.
  5. Remote Server Configurations: Every remote server connected to the central server must also be configured for FIPS mode so that communication between the servers stays compliant. Follow these steps to configure FIPS mode on all remote servers.
  6. SQL Server Prerequisites: Use SQL Server 2016 or higher with SSL enabled; the FIPS script refuses to run against a SQL Server without SSL. Enabling FIPS mode on the SQL Server itself is also recommended. Refer to these steps to configure SQL Server with SSL before configuring FIPS mode in AssetExplorer.
  7. Postgres Password: The bundled PostgreSQL user password must be at least 16 characters long. Follow these steps to retrieve your Postgres password, and these instructions to update it.

Limitations of FIPS Compliance in AssetExplorer

  1. AssetExplorer does not support enabling FIPS mode on a cold start. Start and stop the application at least once, with the database populated, before running the FIPS script.
  2. External PostgreSQL is not supported in FIPS mode. Only the bundled PostgreSQL and SQL Server with SSL enabled are compatible.
  3. All integrations and outgoing connections from the AssetExplorer application server (for example mail, LDAP, Active Directory, and custom functions) must be configured by the SDAdmin to use encrypted protocols (HTTPS, SMTPS, LDAPS) to comply with FIPS requirements.
  4. MD5 and bcrypt are not FIPS-approved algorithms, but AssetExplorer still uses them for each user's first login after FIPS mode is enabled.
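The prerequisites and limitations above can be screened before the FIPS script is run. The following Python script is an added example and is not part of AssetExplorer or its configuration scripts: the configuration layout, the helper names and every value in SAMPLE_CONFIG are constructed for illustration, and the keystore detection is a heuristic based on the well-known JKS header bytes and the DER prefix that a PFX file starts with.

```python
"""Pre-flight screen for the FIPS prerequisites and limitations listed above.
Added example, not part of AssetExplorer: the config layout, helper names and
SAMPLE_CONFIG are constructed for illustration."""
from urllib.parse import urlparse

# Encrypted schemes the FIPS limitations require for outgoing connections,
# and the plaintext schemes that must be reconfigured before enabling FIPS mode.
SECURE_SCHEMES = {"https", "ldaps", "smtps"}
INSECURE_TO_SECURE = {"http": "https", "ldap": "ldaps", "smtp": "smtps"}

# Hash algorithms the page says are restricted once FIPS mode is on.
RESTRICTED_HASHES = {"md5", "sha1", "sha-1"}

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # header of a Java (JKS) keystore
DER_SEQUENCE = b"\x30"            # a PFX/PKCS12 file is a DER SEQUENCE (heuristic)

MIN_PG_PASSWORD_LEN = 16


def check_connection_url(name, url):
    """Return a finding if the URL uses a plaintext scheme, else None."""
    scheme = urlparse(url).scheme.lower()
    if scheme in SECURE_SCHEMES:
        return None
    if scheme in INSECURE_TO_SECURE:
        return f"{name}: {scheme}:// must be reconfigured as {INSECURE_TO_SECURE[scheme]}://"
    return f"{name}: unrecognised scheme '{scheme}'; verify it is an encrypted protocol"


def check_db_password(password):
    """Bundled PostgreSQL password must be at least 16 characters in FIPS mode."""
    if len(password) >= MIN_PG_PASSWORD_LEN:
        return None
    return (f"postgres password is {len(password)} characters; "
            f"FIPS mode requires at least {MIN_PG_PASSWORD_LEN}")


def keystore_type(data):
    """Classify a keystore from its leading bytes: JKS is accepted, PKCS12 is not."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(DER_SEQUENCE):
        return "PKCS12"
    return "unknown"


def check_keystore(data):
    kind = keystore_type(data)
    return None if kind == "JKS" else f"keystore looks like {kind}; FIPS mode accepts only JKS"


def check_hash_algorithm(name):
    if name.lower() in RESTRICTED_HASHES:
        return f"checksum algorithm {name} is restricted in FIPS mode; use SHA-256 or stronger"
    return None


def run_preflight(config):
    """Run every check; an empty result means the configuration passed."""
    findings = []
    for name, url in config["connections"].items():
        findings.append(check_connection_url(name, url))
    findings.append(check_db_password(config["postgres_password"]))
    findings.append(check_keystore(config["keystore_bytes"]))
    findings.append(check_hash_algorithm(config["checksum_algorithm"]))
    return [f for f in findings if f is not None]


# Constructed sample configuration; every value here is made up.
SAMPLE_CONFIG = {
    "connections": {
        "mail server": "smtp://mail.example.internal:25",          # plaintext SMTP
        "active directory": "ldaps://dc01.example.internal:636",   # already LDAPS
        "uem integration": "http://uem.example.internal:8020",     # plaintext HTTP
    },
    "postgres_password": "Sh0rtPassw0rd",                          # 13 characters
    "keystore_bytes": b"\x30\x82\x0a\x5c\x02\x01\x03",             # first bytes of a PFX
    "checksum_algorithm": "MD5",
}

if __name__ == "__main__":
    for finding in run_preflight(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the constructed configuration, the script reports five findings (plaintext SMTP, plaintext HTTP to UEM, a 13-character Postgres password, a PFX keystore, and MD5 as checksum algorithm), which correspond one-to-one with the errors the FIPS script and the application would raise later. Fix each finding, then run the real ConfigureFIPSMode script.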

Error Messages during FIPS Configuration

Each entry below lists the error or warning reported by the FIPS configuration script, the solution, and where to look for further troubleshooting.

  1. Error/Warning: FIPS configuration script failed to execute. FIPS is not supported for SQL servers without SSL.
     Solution: Enable SSL in SQL Server, then run the FIPS configuration again.
     Troubleshooting: Follow these steps to enable SSL.
  2. Error/Warning: FIPS configuration script failed to execute. AssetExplorer is not running in HTTPS mode.
     Solution: Enable HTTPS in AssetExplorer, then run the FIPS configuration again.
     Troubleshooting: FIPS mode does not support HTTP. Refer here to change to HTTPS.
  3. Error/Warning: FIPS is not supported in cold start.
     Solution: Start and stop the application once before running the FIPS script.
     Troubleshooting: -
  4. Error/Warning: PKIX path building failed due to an untrusted certificate.
     Solution: Install an SSL certificate issued by a trusted CA on the database server, or manually add the untrusted certificate to the application's truststore. Learn more.
     Troubleshooting: Follow the steps in this documentation to add an untrusted certificate to the application's truststore.
  5. Error/Warning: Failed to validate the server name in SSL handshake.
     Solution: Connect to the database using a hostname that matches a Subject Alternative Name (SAN) in the SSL certificate presented by the database server.
     Troubleshooting: The SAN in the SSL certificate configured for SQL Server must match the hostname AssetExplorer uses to connect to SQL Server. If it does not, either regenerate the certificate with the correct name and reconfigure it in SQL Server, or add a DNS entry that matches the SAN and connect using that name.
  6. Error/Warning: FIPS is not supported with External PostgreSQL.
     Solution: Migrate the application database to SQL Server or to the bundled PostgreSQL before enabling FIPS mode.
     Troubleshooting: Refer to this documentation to configure MSSQL or bundled PGSQL. Refer here to migrate existing data.
  7. Error/Warning: FIPS configuration script executed successfully but could not update run.bat/run.sh file to include FIPS jars.
     Solution: Update the run.bat/run.sh file manually to include the FIPS jars.
     Troubleshooting: Contact our support team for more details.
  8. Error/Warning: UEM service integrated is not compatible.
     Solution: Your UEM version is outdated. Update it to 11.3.2410.01 (the EXE NL build that supports user activation and the new algorithm) or above, then configure FIPS.
     Troubleshooting: To upgrade the UEM version, refer to this link.
  9. Error/Warning: Remote server is connected with the central server. Please configure FIPS for remote servers.
     Solution: FIPS may not be configured on one or more remote servers. Configure FIPS mode on every remote server connected to the central server.
     Troubleshooting: Follow these steps to configure FIPS mode on all remote servers.
  10. Error/Warning: SAML Service Provider certificate algorithm has been updated. SAML login/logout functionality may be affected.
     Solution: Upload the certificate from <path/to/cert/> to your Identity Provider to restore SAML functionality.
     Troubleshooting: If you are unsure where to download and upload the certificate, refer to this documentation.
  11. Error/Warning: Postgres database password for user sdpadmin is less than 16 characters.
     Solution: Update the password to 16 or more characters using changeDBPassword, then run the FIPS script again.
     Troubleshooting: Follow these steps to retrieve your Postgres password. Change the Postgres password using these pointers.
  12. Error/Warning: Cold Start was not completed successfully, so the FIPS script cannot be executed.
     Solution: Reinitialize the application, then run the FIPS script.
     Troubleshooting: Restart the application. If the FIPS script fails again, contact support.
  13. Error/Warning: Migration invoked/failed and so FIPS script cannot be executed.
     Solution: The FIPS script cannot run while a migration is in progress or after a migration has failed.
     Troubleshooting: Contact our support team for more details.
  14. Error/Warning: Application is currently running so FIPS mode cannot be executed.
     Solution: Stop the application, then run the FIPS script.
     Troubleshooting: Refer here to shut down the server.
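The "Failed to validate the server name in SSL handshake" entry above is the usual outcome when the SQL Server certificate was issued for the server's fully qualified name but AssetExplorer connects using a short name, an alias or an IP address. The following Python snippet is an added example, not AssetExplorer code: it applies the standard hostname-to-SAN matching rules (case-insensitive DNS names, a wildcard that covers exactly one left-most label, exact IP match) to a constructed SAN list so you can see in advance which connection names the handshake would accept.

```python
"""Hostname vs. Subject Alternative Name matching, as a TLS client applies it.
Added example, not AssetExplorer code; SAMPLE_SANS is a constructed SAN list."""
import ipaddress

# Constructed SAN entries, as they might appear in a SQL Server certificate.
SAMPLE_SANS = [
    ("DNS", "sqlprod01.example.internal"),
    ("DNS", "*.db.example.internal"),
    ("IP Address", "10.20.30.40"),
]


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.db.example.internal" -> ".db.example.internal"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost   # the wildcard covers exactly one label


def hostname_matches_san(hostname, sans):
    """Return the SAN entry that matches hostname, or None if the handshake would fail."""
    try:
        ip = ipaddress.ip_address(hostname)   # connecting by IP must match an IP SAN
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return (kind, value)
        elif ip is None and kind == "DNS" and _dns_name_matches(value, hostname):
            return (kind, value)
    return None


def explain(hostname, sans):
    """Human-readable verdict matching the remedies given in the error table."""
    match = hostname_matches_san(hostname, sans)
    if match:
        return f"{hostname}: OK, matches SAN {match[0]}={match[1]}"
    listed = ", ".join(value for _, value in sans)
    return (f"{hostname}: no matching SAN; connect using a name the certificate lists "
            f"({listed}), add a DNS entry for one of them, or reissue the certificate "
            f"with this name")


if __name__ == "__main__":
    for host in ["sqlprod01.example.internal", "sqlprod01", "SQLPROD01.EXAMPLE.INTERNAL",
                 "replica.db.example.internal", "a.b.db.example.internal", "10.20.30.40"]:
        print(explain(host, SAMPLE_SANS))
```

Of the names tried at the bottom, only the short name sqlprod01 and the two-label a.b.db.example.internal fail: the first because NetBIOS-style names are never in a SAN unless explicitly added, the second because a wildcard matches one label only. Those are exactly the two cases the error-table remedy addresses by either adding a DNS entry for a listed name or reissuing the certificate.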

For issues or queries related to FIPS compliance in AssetExplorer, please reach out to our support team.