FIPS 140 support

Federal Information Processing Standard (FIPS) is a set of standards for cryptographic modules. For more information, see the National Institute of Standards and Technology (NIST) website. Deep Security provides settings that enable its cryptographic modules to run in a mode that is compliant with the FIPS 140 standards. Trend Micro obtained certification for the Java crypto module and the Native crypto module (OpenSSL).

Currently, Deep Security supports the FIPS 140-2 standard. As new versions of FIPS 140 are released, Trend Micro will obtain certification to support those standards.

There are a number of differences between a Deep Security deployment running in FIPS mode and one running in non-FIPS mode. For more information, see Differences when operating Deep Security in FIPS mode.

If you intend to replace the Deep Security Manager SSL certificate, do so before enabling FIPS mode. If you need to replace the certificate after enabling FIPS mode, you need to disable FIPS mode, then follow the instructions provided in Replace the Deep Security Manager TLS certificate, and then re-enable FIPS mode.

To operate Deep Security in a FIPS 140 mode, do the following:

  1. Review Differences when operating Deep Security in FIPS mode to make sure the Deep Security features you require are available when operating in FIPS 140 mode.
  2. Ensure that your Deep Security Manager and Deep Security Agents meet the System requirements for FIPS mode.
  3. Enable FIPS mode for your Deep Security Manager.
  4. If your Deep Security Manager needs to connect to an external service (such as an Active Directory, vCenter, or NSX Manager) using SSL, see Connect to external services when in FIPS mode.
  5. Enable FIPS mode for the operating system of the computers you are protecting.
  6. Enable FIPS mode for the Deep Security Agent on the computers you are protecting.
  7. Enable FIPS mode for Deep Security Virtual Appliance.
  8. On some Linux kernel versions, for example Red Hat Enterprise Linux (RHEL) 7.0 GA, Secure Boot must be enabled before FIPS mode can be enabled. See Configure Linux Secure Boot for agents for instructions.

You can also Disable FIPS mode.

Differences when operating Deep Security in FIPS mode

Features available in FIPS mode

The following features are available for Deep Security Manager 20.0.619 (20 LTS Update 2022-03-22) and later:

  • Load balancer settings, accessible via Administration > System Settings > Advanced > Load Balancers.
  • The STARTTLS option, accessible via Administration > System Settings > SMTP.

The following Deep Security features are not available when operating in FIPS mode:

  • Connecting to virtual machines hosted on VMware vCloud, as described in Add virtual machines hosted on VMware vCloud. The Administration > System Settings > Agents > Agentless vCloud Protection settings are also unavailable.
  • Multi-tenant environment.
  • Deep Security Scanner (integration with SAP Netweaver).
  • Threat Intelligence.

Check if FIPS mode is enabled

To see if FIPS mode is enabled on the Deep Security Manager, go to Administration > System Information. Under System Details, expand a Manager Node. The FIPS field indicates if FIPS mode is enabled or disabled.

When FIPS is enabled for a Deep Security Manager deployed on multiple nodes, all Manager Nodes should show FIPS enabled.

System requirements for FIPS mode

Deep Security Manager requirements

The Deep Security Manager requirements with FIPS mode enabled are identical to those described in System requirements, with a number of exceptions.

Only the following operating systems are supported:

  • Red Hat Enterprise Linux 9 (64-bit)
  • Red Hat Enterprise Linux 8 (64-bit)
  • Red Hat Enterprise Linux 7 (64-bit)
  • Ubuntu 22.04 (64-bit)
  • Windows Server 2019 (64-bit)
  • Windows Server 2016 (64-bit)
  • Windows Server 2012 or 2012 R2 (64-bit)

Only the following databases are supported:

Oracle Database is not supported, even if FIPS mode is enabled for its SSL connections.

Microsoft SQL Server named pipes are not supported.

AWS Marketplace does not support FIPS mode.

Deep Security Agent requirements

The Deep Security Agent requirements with FIPS mode enabled are identical to those described in System requirements. FIPS mode is not supported with all operating systems. To check which operating systems are supported, see Supported features by platform.

Deep Security Virtual Appliance requirements

To support FIPS mode on the appliance, you need the following:

  • Deep Security Manager 11.0 Update 3 or later.
  • Deep Security Virtual Appliance 10.0, or 11.0 or later.
  • Deep Security Agent 11.0 for RHEL 7 or later (to be used as the appliance's embedded agent).

For details on the appliance's system requirements, see System requirements.

Enable FIPS mode for your Deep Security Manager

Enable FIPS mode for a Deep Security Manager on Windows

  1. Use the Services window of the Microsoft Management Console to stop the Trend Micro Deep Security Manager service.
  2. In the Windows command line, go to the Deep Security Manager's working folder. For example, C:\Program Files\Trend Micro\Deep Security Manager.
  3. Enter the following command to enable FIPS mode:

    dsm_c -action enablefipsmode

  4. Restart the Deep Security Manager service.

Enable FIPS mode for a Deep Security Manager on Linux

  1. On the Deep Security Manager computer, open a command line and go to the Deep Security Manager's working folder, for example, /opt/dsm.
  2. Enter the following command to stop the Deep Security Manager service:

    service dsm_s stop

  3. Enter the following command to enable FIPS mode:

    dsm_c -action enablefipsmode

  4. Enter the following command to restart the Deep Security Manager service:

    service dsm_s start

Connect to external services when in FIPS mode

When Deep Security Manager is operating in FIPS mode and you want to connect to an external service (such as an Active Directory, vCenter, or NSX Manager) with an SSL connection, you must import the SSL certificate for that external service into the manager before connecting to it. For instructions on how to import the certificate, see Manage trusted certificates.

For instructions on importing computers from an Active Directory, see Add Active Directory computers.

For instructions on synchronizing user information with an Active Directory, see Add and manage users.

For instructions on adding a VMware vCenter to Deep Security Manager, see Add a vCenter - FIPS mode.

Enable FIPS mode for the operating system of the computers you are protecting

For instructions on enabling FIPS mode for supported operating systems, refer to the following documents from the operating system providers:

Enable FIPS mode for the Deep Security Agent on the computers you are protecting

The following information is not applicable to new Deep Security 11.0 or later agents that you install after enabling FIPS mode in Deep Security Manager. In these versions, FIPS mode is already enabled for the agent.

Enable FIPS mode for a Windows agent

  1. In the Windows system root folder (for example, C:\Windows), look for a file named ds_agent.ini. Open the existing file in a text editor or create a new file.
  2. Add the following line to the file:

    FIPSMode=1

  3. Restart the Deep Security Agent service.

Enable FIPS mode for Linux agents

The following Linux agents are supported: RHEL 7, RHEL 8, RHEL 9, CentOS 7, Amazon Linux 2, Ubuntu 18, Ubuntu 20, SUSE 12, SUSE 15, Oracle 8, Rocky 9, Miracle 8, Miracle 9, Debian Linux 10, and Debian Linux 11.

  1. In /etc/, look for a file named ds_agent.conf. Open the file in a text editor or create a new file if you do not have one already.
  2. Add the following line to the file:

    FIPSMode=1

  3. Restart the Deep Security Agent:

    Using a SysV init script: /etc/init.d/ds_agent restart

    Using a systemd command: systemctl restart ds_agent

For more information about enabling FIPS mode on Ubuntu 18 or Ubuntu 20, see FIPS for Ubuntu.

Enable FIPS mode for Deep Security Virtual Appliance

  1. In <DSVA_root>/etc/, look for a file named ds_agent.conf. Open the existing file in a text editor or create a new file.
  2. Add the following line to the file:

    FIPSMode=1

  3. Restart the appliance from the command line:

    Using a SysV init script: /etc/init.d/ds_agent restart

    Using a systemd command: systemctl restart ds_agent

Using FIPS mode with a PostgreSQL database

If you are using PostgreSQL as your Deep Security Manager database, there are a number of requirements in addition to those outlined in Database requirements.

In FIPS mode, the keystore must be the BCFKS type. Instead of converting the Java default keystore (C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts or /opt/dsm/jre/lib/security/cacerts) directly, copy the default keystore to another location and use the copy as the default keystore for SSL connections:

  1. Create the PostgreSQL environment.
  2. Copy the server.crt file from the PostgreSQL server and paste it into <Deep_Security_Manager_install_folder>.
  3. Install Deep Security Manager.
  4. Enable FIPS mode for your Deep Security Manager.
  5. Copy the default Java cacerts file into the Deep Security Manager root installation folder:

    On Windows:

    copy "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts" "C:\Program Files\Trend Micro\Deep Security Manager\cacerts"

    On Linux:

    cp "/opt/dsm/jre/lib/security/cacerts" "/opt/dsm/cacerts"

  6. Convert the keystore file from JKS to BCFKS. The following command creates a cacerts.bcfks file in the Deep Security Manager installation folder:

    On Windows:

    cd C:\Program Files\Trend Micro\Deep Security Manager\jre\scripts

    keytool_fips.cmd -importkeystore -srckeystore "C:\Program Files\Trend Micro\Deep Security Manager\cacerts" -srcstoretype JKS -deststoretype BCFKS -destkeystore "C:\Program Files\Trend Micro\Deep Security Manager\cacerts.bcfks" -srcstorepass <changeit> -deststorepass <changeit>

    where <changeit> is replaced with your own values.

    On Linux:

    cd /opt/dsm/jre/scripts

    keytool_fips.sh -importkeystore -srckeystore "/opt/dsm/cacerts" -srcstoretype JKS -deststoretype BCFKS -destkeystore "/opt/dsm/cacerts.bcfks" -srcstorepass <changeit> -deststorepass <changeit>

    where <changeit> is replaced with your own values.

  7. Import the certificate "Deep_Security_Manager_root_folder/server.crt":

    On Windows:

    cd C:\Program Files\Trend Micro\Deep Security Manager\jre\scripts

    keytool_fips.cmd -import -alias psql -file "C:\Program Files\Trend Micro\Deep Security Manager\server.crt" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\cacerts.bcfks" -storepass <changeit> -storetype BCFKS

    where <changeit> is replaced with your own value.

    On Linux:

    cd /opt/dsm/jre/scripts

    keytool_fips.sh -import -alias psql -file "/opt/dsm/server.crt" -keystore "/opt/dsm/cacerts.bcfks" -storepass <changeit> -storetype BCFKS

    where <changeit> is replaced with your own value.

  8. The Deep Security installer must use a .vmoptions file to assign the JVM parameters:

    On Windows, create a file named Deep Security Manager.vmoptions in the installation folder and add the following text in the file:

    -Djavax.net.ssl.keyStoreProvider=BCFIPS

    -Djavax.net.ssl.trustStore=C:\Program Files\Trend Micro\Deep Security Manager\cacerts.bcfks

    -Djavax.net.ssl.trustStorePassword=<changeit>

    -Djavax.net.ssl.keyStoreType=BCFKS

    -Djavax.net.ssl.trustStoreType=BCFKS

    where <changeit> is replaced with your own value.

    On Linux, create a file named dsm_s.vmoptions in the installation folder and add the following text in the file:

    -Djavax.net.ssl.keyStoreProvider=BCFIPS

    -Djavax.net.ssl.trustStore=/opt/dsm/cacerts.bcfks

    -Djavax.net.ssl.trustStorePassword=<changeit>

    -Djavax.net.ssl.keyStoreType=BCFKS

    -Djavax.net.ssl.trustStoreType=BCFKS

    where <changeit> is replaced with your own value.

  9. Open the <Deep Security Manager directory>\webclient\webapps\ROOT\WEB-INF\dsm.properties file in a text editor and add:

    On Windows:

    database.PostgreSQL.connectionParameters=sslmode=verify-ca&sslcert=C\:\\Program Files\\Trend Micro\\Deep Security Manager\\server.crt

    On Linux:

    database.PostgreSQL.connectionParameters=sslmode=verify-ca&sslcert=/opt/dsm/server.crt

  10. Open the /opt/postgresql/data/postgresql.conf file in a text editor and add the following:

    ssl = on

    ssl_cert_file = 'server.crt'

    ssl_key_file = 'server.key'

  11. Restart PostgreSQL, and then restart the Deep Security Manager service.
  12. Check the connection, as follows:

    cd /opt/postgresql/bin

    ./psql -h 127.0.0.1 -Udsm dsm

    Enter the password when prompted. You should see the following:

    dsm=> select a.client_addr, a.application_name, a.usename, s.* from pg_stat_ssl s join pg_stat_activity a using (pid) where a.datname='dsm';
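The Linux side of steps 5 to 9 above, collected into one script as an added example (this is not Trend Micro's script and is not part of the original page). It assumes DSM_HOME is /opt/dsm as used throughout this page, that keytool_fips.sh is present in /opt/dsm/jre/scripts, that the PostgreSQL server.crt has already been copied into /opt/dsm (step 2), and that the keystore password is supplied in a DSM_STOREPASS environment variable (a convention chosen for this example, replacing the <changeit> placeholders above). The function names are also this example's own.

```shell
#!/bin/sh
# Added example, not Trend Micro's own script: the Linux side of steps 5 to 9
# for running Deep Security Manager against PostgreSQL in FIPS mode.
# Assumptions:
#   - DSM_HOME is /opt/dsm, the working folder used throughout this page
#   - keytool_fips.sh lives in $DSM_HOME/jre/scripts (DSM 20.0.970 or later)
#   - the PostgreSQL server.crt has already been copied to $DSM_HOME (step 2)
#   - DSM_STOREPASS holds the keystore password (stands in for <changeit>)

DSM_HOME="${DSM_HOME:-/opt/dsm}"
KEYTOOL="$DSM_HOME/jre/scripts/keytool_fips.sh"

# Steps 5 and 6: copy the Java cacerts file, then convert the copy to BCFKS.
# The original cacerts under jre/lib/security is left untouched, as the page requires.
convert_truststore() {
    : "${DSM_STOREPASS:?set DSM_STOREPASS to the keystore password}"
    cp "$DSM_HOME/jre/lib/security/cacerts" "$DSM_HOME/cacerts" || return 1
    "$KEYTOOL" -importkeystore \
        -srckeystore "$DSM_HOME/cacerts" -srcstoretype JKS \
        -destkeystore "$DSM_HOME/cacerts.bcfks" -deststoretype BCFKS \
        -srcstorepass "$DSM_STOREPASS" -deststorepass "$DSM_STOREPASS"
}

# Step 7: import the PostgreSQL server certificate under the alias psql.
import_pg_cert() {
    : "${DSM_STOREPASS:?set DSM_STOREPASS to the keystore password}"
    "$KEYTOOL" -import -alias psql -file "$DSM_HOME/server.crt" \
        -keystore "$DSM_HOME/cacerts.bcfks" -storepass "$DSM_STOREPASS" -storetype BCFKS
}

# Step 8: write dsm_s.vmoptions so the JVM trusts the BCFKS store.
# $1 = directory to write into, $2 = trust store password.
# The file holds the password in clear text, so it is created with mode 0600.
write_vmoptions() {
    ( umask 077
      printf '%s\n' \
        "-Djavax.net.ssl.keyStoreProvider=BCFIPS" \
        "-Djavax.net.ssl.trustStore=$DSM_HOME/cacerts.bcfks" \
        "-Djavax.net.ssl.trustStorePassword=$2" \
        "-Djavax.net.ssl.keyStoreType=BCFKS" \
        "-Djavax.net.ssl.trustStoreType=BCFKS" > "$1/dsm_s.vmoptions" )
}

# Step 9: set the PostgreSQL connection parameters in dsm.properties.
# $1 = path to dsm.properties. An existing line for the key is replaced, so
# running this twice does not leave duplicate entries.
set_pg_ssl_params() {
    key="database.PostgreSQL.connectionParameters"
    value="sslmode=verify-ca&sslcert=$DSM_HOME/server.crt"
    [ -f "$1" ] || : > "$1"
    # grep -v exits 1 when nothing is left to print (file held only the key line); not an error here
    grep -v "^$key=" "$1" > "$1.tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# Full run in the page's order (step 4, enabling FIPS mode on the manager, is done beforehand):
#   DSM_STOREPASS='...' sh fips_pg_setup.sh run
if [ "${1:-}" = "run" ]; then
    convert_truststore && import_pg_cert && \
    write_vmoptions "$DSM_HOME" "$DSM_STOREPASS" && \
    set_pg_ssl_params "$DSM_HOME/webclient/webapps/ROOT/WEB-INF/dsm.properties"
fi
```

Without the `run` argument the script only defines its functions, so write_vmoptions and set_pg_ssl_params can be pointed at a scratch directory before touching /opt/dsm. keytool still receives the password as a command-line argument, exactly as in the page's own invocation, so it is briefly visible in the process list; restricting the .vmoptions file to mode 0600 matters because that file keeps the password permanently.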

Using FIPS mode with a Microsoft SQL Server database

If you are using Microsoft SQL Server as your Deep Security Manager database, you must set up the database SSL encryption using the following instructions before enabling FIPS mode:

  1. Stop the Deep Security Manager service.
  2. Create a BCFKS keystore file with the SQL server certificate. You can use the keytool_fips.cmd in C:\Program Files\Trend Micro\Deep Security Manager\jre\scripts.
  3. Use the following command to import the SQL server certificate C:\sqlserver_cert.cer to a new keystore file C:\Program Files\Trend Micro\Deep Security Manager\mssql_keystore.bcfks:

    keytool_fips.cmd -import -alias mssql -file "C:\sqlserver_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\mssql_keystore.bcfks" -storepass <changeit> -storetype BCFKS

    where <changeit> is replaced with your own value.

    Both the keytool_fips.cmd and keytool_fips.sh files are only available in DSM 20.0.970 or later. If these files are not included in your DSM installation, contact Trend Micro support.

    During the import process, answer YES to trust this certificate.

  4. If the keystore file is created successfully, you can use the following command to see the certificate listed in the keystore:

    keytool_fips.cmd -list -v -keystore "C:\Program Files\Trend Micro\Deep Security Manager\mssql_keystore.bcfks" -storetype BCFKS -storepass <changeit>

    where <changeit> is replaced with your own value.

  5. Open the C:\Program Files\Trend Micro\Deep Security Manager\webclient\webapps\ROOT\WEB-INF\dsm.properties file in a text editor and add the following lines to enable the SSL/TLS and FIPS settings:

    database.SqlServer.encrypt=true

    database.SqlServer.trustServerCertificate=false

    database.SqlServer.fips=true

    database.SqlServer.trustStorePassword=<changeit>

    database.SqlServer.fipsProvider=BCFIPS

    database.SqlServer.trustStoreType=BCFKS

    database.SqlServer.trustStore=C\:\\Program Files\\Trend Micro\\Deep Security Manager\\mssql_keystore.bcfks

    where <changeit> is replaced with your own value.

  6. Optionally, you can change the SQL server and client connection protocols from Named Pipes to TCP/IP. This allows for FIPS support:
    1. In the SQL Server Configuration Manager, go to SQL Network Configuration > Protocols for MSSQLSERVER and enable TCP/IP.
    2. Go to SQL Native Client 11.0 Configuration > Client Protocols and enable TCP/IP.
    3. Follow the instruction provided by Microsoft to enable encrypted connections for an instance of the SQL Server database. See Enable Encrypted Connections to the Database Engine.
    4. Edit the dsm.properties file to set database.SqlServer.driver=MSJDBC and database.SqlServer.namedPipe=false.
  7. Restart the Deep Security Manager service.
  8. Enable FIPS mode for your Deep Security Manager.

Disable FIPS mode

  1. To disable FIPS mode for Deep Security Manager, follow the instructions that you used to enable it (see Enable FIPS mode for your Deep Security Manager), but use the following command instead of step 3:

    dsm_c -action disablefipsmode

  2. To disable FIPS mode for Deep Security Agent, follow the instructions that you used to enable it (see Enable FIPS mode for the Deep Security Agent on the computers you are protecting), but instead of FIPSMode=1, use FIPSMode=0.
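An added helper for the Linux agent procedure in Enable FIPS mode for Linux agents and for step 2 here (example code, not Trend Micro's tooling; DS_AGENT_CONF, set_agent_fips_mode, agent_fips_state and restart_agent are names chosen for this example). It sets FIPSMode to 1 or 0 in /etc/ds_agent.conf without leaving duplicate keys, reports the current setting, and restarts the agent with whichever of the two restart commands from this page applies to the host.

```shell
#!/bin/sh
# Added example (not Trend Micro's own tooling): toggle FIPSMode in the Linux
# agent's /etc/ds_agent.conf and restart the agent. Covers both the enable
# (FIPSMode=1) and disable (FIPSMode=0) steps on this page. The conf path is
# the one given on the page; DS_AGENT_CONF can be overridden so the functions
# can be exercised against a scratch file first.

DS_AGENT_CONF="${DS_AGENT_CONF:-/etc/ds_agent.conf}"

# Replace an existing FIPSMode line (dropping any duplicates) or append one.
# Creates the file if it does not exist. $1 = 1 to enable, 0 to disable.
set_agent_fips_mode() {
    case "$1" in
        0|1) ;;
        *) echo "FIPSMode must be 0 or 1" >&2; return 2 ;;
    esac
    [ -f "$DS_AGENT_CONF" ] || : > "$DS_AGENT_CONF"
    awk -v mode="$1" '
        /^[[:space:]]*FIPSMode[[:space:]]*=/ {
            if (!done) { print "FIPSMode=" mode; done = 1 }
            next
        }
        { print }
        END { if (!done) print "FIPSMode=" mode }
    ' "$DS_AGENT_CONF" > "$DS_AGENT_CONF.tmp" && mv "$DS_AGENT_CONF.tmp" "$DS_AGENT_CONF"
}

# Print the configured state: enabled, disabled, or unset (no FIPSMode line).
# If several FIPSMode lines exist, the last one wins, which mirrors how a
# later key=value line normally overrides an earlier one.
agent_fips_state() {
    [ -f "$DS_AGENT_CONF" ] || { echo unset; return; }
    v=$(awk -F= '
        /^[[:space:]]*FIPSMode[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); last = $2 }
        END { print last }
    ' "$DS_AGENT_CONF")
    case "$v" in
        1)  echo enabled ;;
        0)  echo disabled ;;
        "") echo unset ;;
        *)  echo "invalid($v)" ;;
    esac
}

# Restart the agent using the systemd or SysV command from this page,
# depending on which init system the host has.
restart_agent() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart ds_agent
    else
        /etc/init.d/ds_agent restart
    fi
}

# Usage on a real agent host (requires root):
#   set_agent_fips_mode 1 && restart_agent    # enable FIPS mode
#   set_agent_fips_mode 0 && restart_agent    # disable FIPS mode
#   agent_fips_state                           # inspect the setting
```

Because the setting only takes effect after the restart, agent_fips_state reports what the file says, not what the running agent is doing; confirm the live state from the manager after the restart.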