FIPS 140-2 support

Federal Information Processing Standard (FIPS) is a set of standards for cryptographic modules. For in-depth information about FIPS, see the National Institute of Standards and Technology (NIST) website. Deep Security provides settings that enable cryptographic modules to run in a mode that is compliant with FIPS 140-2 standards. We have obtained certification for our Java crypto module and Native crypto module (OpenSSL).

There are some differences between a Deep Security deployment running in FIPS mode instead of non-FIPS mode (see Differences when operating Deep Security in FIPS mode).

If you intend to replace the Deep Security Manager SSL certificate, do so before enabling FIPS mode. If you need to replace the certificate after enabling FIPS mode, you will need to disable FIPS mode, follow the instructions in Replace the Deep Security Manager TLS certificate, and then re-enable FIPS mode.

To operate Deep Security in a FIPS 140-2 mode, you will need to:

  1. Review Differences when operating Deep Security in FIPS mode to make sure the Deep Security features you require are available when operating in FIPS 140-2 mode.
  2. Ensure that your Deep Security Manager and Deep Security Agents meet the System requirements for FIPS mode.
  3. Enable FIPS mode for your Deep Security Manager.
  4. If your Deep Security Manager needs to connect to an external service (such as an Active Directory, vCenter, or NSX Manager) using SSL, see Connect to external services when in FIPS mode.
  5. Enable FIPS mode for the operating system of the computers you are protecting.
  6. Enable FIPS mode for the Deep Security Agent on the computers you are protecting
  7. Enable FIPS mode for the Deep Security Virtual Appliance.
  8. With some versions of the Linux kernel, for example, RHEL 7.0 GA, you must enable Secure Boot to enable FIPS mode. See Linux Secure Boot support for agents for instructions.

This section also includes instructions on how to Disable FIPS mode.

Differences when operating Deep Security in FIPS mode

These Deep Security features are not available when operating in FIPS mode:

  • Connecting to virtual machines hosted on VMware vCloud, as described in Add virtual machines hosted on VMware vCloud. The Administration > System Settings > Agents > Agentless vCloud Protection settings are also unavailable.
  • Multi-tenant environment
  • Load balancer settings (Administration > System Settings > Advanced > Load Balancers)
  • Deep Security Scanner (integration with SAP Netweaver)
  • The Connected Threat Defense feature
  • Identity provider support via SAML 2.0
  • When configuring SMTP settings, the STARTTLS option is not available.

System requirements for FIPS mode

Deep Security Manager requirements

The Deep Security Manager requirements with FIPS mode enabled are the same as those described in System requirements, with the following exceptions.

Only these operating systems are supported:

  • Red Hat Enterprise Linux 7 (64bit)
  • Windows Server 2016 (64-bit)
  • Windows Server 2012 or 2012 R2 (64-bit)

Only these databases are supported:

Oracle Database is not supported, even if it has enabled FIPS mode for SSL connections.

Microsoft SQL Server named pipes are not supported.

Deep Security Agent requirements

The Deep Security Agent requirements with FIPS mode enabled are the same as those described in System requirements. FIPS mode is not supported with all operating systems. To check which operating systems are supported, see Supported features by platform.

Deep Security Virtual Appliance requirements

To support FIPS mode on the appliance, you'll need:

  • Deep Security Manager 11.0 Update 3 or later
  • Deep Security Virtual Appliance 10.0, or 11.0 or later
  • Deep Security Agent 11.0 for RedHat_EL7 or later (to be used as the appliance's embedded agent)

For details on the appliance's system requirements, see System requirements.

Enable FIPS mode for your Deep Security Manager

Enable FIPS mode for a Deep Security Manager on Windows

  1. Use the Services window of the Microsoft Management Console to stop the "Trend Micro Deep Security Manager" service.
  2. In the Windows command line, go to the Deep Security Manager's working folder, for example, C:\Program Files\Trend Micro\Deep Security Manager.
  3. Enter this command to enable FIPS mode:
  4. dsm_c -action enablefipsmode

  5. Restart the Deep Security Manager service.

Enable FIPS mode for a Deep Security Manager on Linux

  1. On the Deep Security Manager computer, open a command line and go to the Deep Security Manager's working folder, for example, /opt/dsm.
  2. Enter this command to stop the Deep Security Manager service:

    service dsm_s stop

  3. Enter this command to enable FIPS mode:
  4. dsm_c -action enablefipsmode

  5. Enter this command to restart the Deep Security Manager service:
  6. service dsm_s start

Connect to external services when in FIPS mode

When Deep Security Manager is operating in FIPS mode and you want to connect to an external service (such as an Active Directory, vCenter, or NSX Manager) with an SSL connection, you must import the SSL certificate for that external service into the manager before connecting to it. For instructions on how to import the certificate, see Manage trusted certificates.

For instructions on importing computers from an Active Directory, see Add computer groups from Microsoft Active Directory.

For instructions on synchronizing user information with an Active Directory, see Create and manage users.

For instructions on adding a VMware vCenter to Deep Security Manager, see Add a vCenter - FIPS mode.

Enable FIPS mode for the operating system of the computers you are protecting

For instructions on enabling FIPS mode on Windows, please refer to the Microsoft Support site: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows.

For instructions on enabling FIPS mode on RHEL 7 or CentOS 7, please refer to Red Hat documentation: Federal Standards and Regulations and How can I make RHEL 6 or RHEL 7 FIPS 140-2 compliant.

Enable FIPS mode for the Deep Security Agent on the computers you are protecting

This step is not required for new Deep Security 11.0 or higher agents that you install after enabling FIPS mode in Deep Security Manager. In that situation, FIPS mode is already enabled for the agent.

Enable FIPS mode for a Windows agent

  1. In the Windows system root folder (for example, C:\Windows), look for a file named ds_agent.ini. Open the file in a text editor or create a new file if you don't have one already.
  2. Add this line to the file:

    FIPSMode=1

  3. Restart the Deep Security Agent service.

Enable FIPS mode for an RHEL 7 or CentOS 7 agent

  1. In /etc/), look for a file named ds_agent.conf. Open the file in a text editor or create a new file if you don't have one already.
  2. Add this line to the file:

    FIPSMode=1

  3. Restart the Deep Security Agent:

    Using a SysV init script:

    /etc/init.d/ds_agent restart

    Using a systemd command:

    systemctl restart ds_agent

Enable FIPS mode for the Deep Security Virtual Appliance

  1. In <DSVA_root>/etc/, look for a file named ds_agent.conf. Open the file in a text editor or create a new file if you don't have one already.
  2. Add this line to the file:

    FIPSMode=1

  3. Restart the appliance from the command line:

    Using a SysV init script:

    /etc/init.d/ds_agent restart

    Using a systemd command:

    systemctl restart ds_agent

Using FIPS mode with a PostgreSQL database

If you are using PostgreSQL as your Deep Security Manager database, there are some extra requirements in addition to those outlined in Prepare a database for Deep Security Manager.

In FIPS mode, the keystore must be the BCFKS type. Instead of converting the java default keystore (C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts or /opt/dsm/jre/lib/security/cacerts) directly, copy the default keystore to another location and use it as the default keystore for SSL connection.

  1. Create the PostgreSQL environment
  2. Copy the "server.crt" file from the PostgreSQL server and paste them into <Deep Security Manager install folder>.
  3. Install Deep Security Manager.
  4. Enable FIPS mode for your Deep Security Manager.
  5. Copy the default Java cacerts file into the Deep Security Manager root installation folder.

    On Windows:

    copy "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts" "C:\Program Files\Trend Micro\Deep Security Manager\cacerts"

    On Linux:

    cp "/opt/dsm/jre/lib/security/cacerts" "/opt/dsm/cacerts"

  6. Convert the keystore file from JKS to BCFKS. The following command will create a cacerts.bcfks file in the Deep Security Manager installation folder:

    On Windows:

    cd C:\Program Files\Trend Micro\Deep Security Manager\jre\bin

    keytool -importkeystore -srckeystore "C:\Program Files\Trend Micro\Deep Security Manager\cacerts" -srcstoretype JKS -deststoretype BCFKS -destkeystore "C:\Program Files\Trend Micro\Deep Security Manager\cacerts.bcfks" -srcstorepass <changeit> -deststorepass <changeit> -providerpath "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\ext\ccj-3.0.0.jar" -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider

    where <changeit> is replaced with your own values.

    On Linux:

    cd /opt/dsm/jre/bin

    keytool -importkeystore -srckeystore "/opt/dsm/cacerts" -srcstoretype JKS -deststoretype BCFKS -destkeystore "/opt/dsm/cacerts.bcfks" -srcstorepass <changeit> -deststorepass <changeit> -providerpath "/opt/dsm/jre/lib/ext/ccj-3.0.0.jar" -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider

    where <changeit> is replaced with your own values.

  7. Import the certificate ("Deep Security Manager root folder/server.crt"):

    On Windows:

    cd C:\Program Files\Trend Micro\Deep Security Manager\jre\bin

    keytool -import -alias psql -file "C:\Program Files\Trend Micro\Deep Security Manager\server.crt" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\cacerts.bcfks" -storepass <changeit> -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\ext\ccj-3.0.0.jar" -storetype BCFKS

    where <changeit> is replaced with your own value.

    On Linux:

    cd /opt/dsm/jre/bin

    keytool -import -alias psql -file "/opt/dsm/server.crt" -keystore "/opt/dsm/cacerts.bcfks" -storepass <changeit> -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "/opt/dsm/jre/lib/ext/ccj-3.0.0.jar" -storetype BCFKS

    where <changeit> is replaced with your own value.

  8. The Deep Security installer can use a .vmoptions file to assign the JVM parameter:

    On Windows, create a file named Deep Security Manager.vmoptions in the installation folder and add the following text in the file:

    Ensure that the file extension is .vmoptions.

    -Djavax.net.ssl.keyStoreProvider=CCJ

    -Djavax.net.ssl.trustStore=C:\Program Files\Trend Micro\Deep Security Manager\cacerts.bcfks

    -Djavax.net.ssl.trustStorePassword=<changeit>

    -Djavax.net.ssl.keyStoreType=BCFKS

    -Djavax.net.ssl.trustStoreType=BCFKS

    where <changeit> is replaced with your own value.

    On Linux, create a file named dsm_s.vmoptions in the installation folder and add the following text in the file:

    -Djavax.net.ssl.keyStoreProvider=CCJ

    -Djavax.net.ssl.trustStore=/opt/dsm/cacerts.bcfks

    -Djavax.net.ssl.trustStorePassword=<changeit>

    -Djavax.net.ssl.keyStoreType=BCFKS

    -Djavax.net.ssl.trustStoreType=BCFKS

    where <changeit> is replaced with your own value.

  9. Open the <Deep Security Manager directory>\webclient\webapps\ROOT\WEB-INF\dsm.properties file in a text editor and add:

    database.PostgreSQL.connectionParameters=ssl\=true

  10. Open the /opt/postgresql/data/postgresql.conf file in a text editor and add:

    ssl= on

    ssl_cert_file= 'server.crt'

    ssl_ksy_file= 'server.key'

  11. Restart PostgreSQL and then restart the Deep Security Manager service.
  12. Check the connection:

    cd /opt/postgresql/bin

    ./psql -h 127.0.0.1 -Udsm dsm

    Enter the password when prompted. You should see:

    dsm=> select a.client_addr, a.application_name, a.usename, s.* from pg_stat_ssl s join pg_stat_activity a using (pid) where a.datname='dsm';

Using FIPS mode with a Microsoft SQL Server database

If you are using Microsoft SQL Server as your Deep Security Manager database, you must set up the database SSL encryption using the instructions below before enabling FIPS mode.

  1. Stop the Deep Security Manager service.
  2. Create a BCFKS keystore file with the SQL server certificate. You can use the keytool in C:\Program Files\Trend Micro\Deep Security Manager\jre\bin.
  3. Use the following command to import the SQL server certificate (C:\sqlserver_cert.cer) to a new keystore file (C:\Program Files\Trend Micro\Deep Security Manager\mssql_keystore.bcfks):
    If the Deep Security Manager package doesn't contain a ccj-3.0.0.jar file, get the jar file from the FIPS page.

    keytool -import -alias mssql -file "C:\sqlserver_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\mssql_keystore.bcfks" -storepass <changeit> -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\ext\ccj-3.0.0.jar" -storetype BCFKS

    where <changeit> is replaced with your own value.

    During the import process, answer "YES" to trust this certificate.

  4. If the keystore file is created successfully, you will be able to use the following command to list see the certificate listed in the keystore:

    keytool -list -v -keystore "C:\Program Files\Trend Micro\Deep Security Manager\mssql_keystore.bcfks" -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\ext\ccj-3.0.0.jar" -storetype BCFKS -storepass <changeit>

    where <changeit> is replaced with your own value.

  5. Open the C:\Program Files\Trend Micro\Deep Security Manager\webclient\webapps\ROOT\WEB-INF\dsm.properties file in a text editor and add the following lines enable SSL/TLS and FIPS settings:

    database.SqlServer.encrypt=true

    database.SqlServer.trustServerCertificate=false

    database.SqlServer.fips=true

    database.SqlServer.trustStorePassword=<changeit>

    database.SqlServer.fipsProvider=CCJ

    database.SqlServer.trustStoreType=BCFKS

    database.SqlServer.trustStore=C\:\\Program Files\\Trend Micro\\Deep Security Manager\\mssql_keystore.bcfks

    where <changeit> is replaced with your own value.

  6. Optionally, you can also change the SQL server/client connection protocols from Named Pipes to TCP/IP. This will allow for FIPS support after upgrading to Deep Security 10.2:
    1. In the SQL Server Configuration Manager, go to SQL Network Configuration > Protocols for MSSQLSERVER and enable TCP/IP.
    2. Go to SQL Native Client 11.0 Configuration > Client Protocols and enable TCP/IP.
    3. Follow the instruction provided by Microsoft to enable encrypted connections for an instance of the SQL Server database. See Enable Encrypted Connections to the Database Engine.
    4. Edit the dsm.properties file to change database.sqldserver. driver=MSJDBC and database.SqlServer.namedPipe=false.
  7. Restart the Deep Security Manager service.
  8. Enable FIPS mode for your Deep Security Manager.

Disable FIPS mode

  1. To disable FIPS mode for the Deep Security Manager, follow the instructions that you used to enable it (see Enable FIPS mode for your Deep Security Manager), but use this command in place of step 3:

    dsm_c -action disablefipsmode

  2. To disable FIPS mode for the Deep Security Agent, follow the instructions that you used to enable it (see Enable FIPS mode for the Deep Security Agent on the computers you are protecting), but instead of FIPSMode=1, use FIPSMode=0.