
Enable FIPS in a new deployment

Created by Steve.Hawkins, last modified by Anthony.Rinaldi_ret on Jul 18, 2016


If you are installing Web Help Desk for the first time in a new deployment, all cryptographic modules incorporated in Web Help Desk 12.4.0 are FIPS 140-2 compliant.

Deployment checklist

Use the following checklist to guide you through the deployment procedures.

  1. Review the requirements to ensure your current deployment will support FIPS 140-2 compliant cryptography.
  2. Download Web Help Desk 12.4.0 from the Customer Portal.
  3. Install Web Help Desk in your deployment.
  4. Install Visual C++ Redistributable Packages for Visual Studio 2013 in your deployment.

    This software is included with your Web Help Desk installation package.

  5. Update the Environment Variables Path setting in your Windows Server operating system.
  6. Enable FIPS mode on your Apache Tomcat server.
    • Stop Web Help Desk.
    • Install the preconfigured Web Help Desk files for FIPS deployment.
    • Edit the etc\hosts file.
    • Edit the whd.conf file.

    If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to step 7.

    If you are installing Web Help Desk in a separate directory:

    • Edit the tomcat_server_template.xml file.
    • Edit the java.security file.
    • Edit the pkcs11_nss.cfg file.

  7. Create a Web Help Desk server certificate by obtaining a certificate signed by a trusted CA or by creating and using a self-signed certificate.
  8. Complete the final installation steps.
  9. Set up your SolarWinds Integration and email. If you are using self-signed certificates on the SolarWinds Integration servers or email servers, add these certificates into the Web Help Desk NSS database.

1. Review the requirements

Ensure that your Web Help Desk deployment meets all component requirements for enabling FIPS 140-2 compliant cryptography.

2. Download Web Help Desk 12.4.0

You can download Web Help Desk from the Customer Portal. This version includes

  • NSS binaries
  • An empty NSS database in FIPS mode
  • A security provider configuration file

The NSS-related files are stored in your <WebHelpDesk> home directory.

3. Install Web Help Desk in your deployment

After you complete the installation steps, a window opens in your default web browser, prompting you to select a database type. Do not select any database type. Minimize the browser window and go to step 5.

You will continue the Getting Started Wizard in a later step.

4. Install Visual C++ Redistributable Packages for Visual Studio 2013

This software is included with your Web Help Desk 12.4.0 installation package.

When you execute the installer, it installs the runtime components required to run C++ applications in Visual Studio 2013 for a 64-bit environment.

  1. Navigate to your <WebHelpDesk> directory.
  2. Launch the vcredist_64.exe file.
  3. Follow the prompts in the wizard to install the software.

5. Update the Environment Variables Path setting in your Windows Server operating system

The following procedure describes how to edit the Environment Variables settings in your Windows Server operating system. When completed, you can run Web Help Desk commands in a command prompt without having to change directories in the prompt.

See the Microsoft TechNet website for information about locating the Environment Variables properties in your operating system.

  1. Press <Windows> + <Pause>.
  2. Click Advanced System Settings.
  3. Click the Advanced tab.
  4. Click Environment Variables.
  5. Under System Variables, select the PATH variable.
  6. Update the PATH string with the following path to your nss-x64 library:

    <WebHelpDesk>\bin\nss-x64\lib\;

    where <WebHelpDesk> is the path to your Web Help Desk directory.

    Below is an example of the system PATH variable.

    %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\

    After you add your nss-x64 library path, the PATH variable displays as follows:

    C:\Program Files\WebHelpDesk\bin\nss-x64\lib\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\

6. Enable FIPS mode on your Apache Tomcat server

In the following procedures, <WebHelpDesk> represents the Web Help Desk home folder on your system. For example: c:\Program Files\WebHelpDesk.

Stop Web Help Desk

  1. Navigate to the <WebHelpDesk> directory.
  2. Double-click whd_stop.bat.

    Web Help Desk is stopped.

Install the preconfigured Web Help Desk files for FIPS deployment

When completed, you can use the drag and drop feature for FIPS configuration.

  1. Navigate to the following directory:

    <WebHelpDesk>\conf\additional\fips-140-2\WebHelpDesk - clean install

  2. Copy all files, including the \bin and \conf directories.
  3. Navigate to the <WebHelpDesk> directory.
  4. Paste your copied files into the directory, overwriting all existing files.

    If you are prompted to copy the tomcat_server_template.xml file, choose the copy and replace option.

Edit the etc\hosts file

Edit the hosts file to allow the local domain to be resolved correctly.

  1. Determine if you want to define a host name specifically for Web Help Desk that is different from the real server host name registered in DNS.

    If you are using the existing host name, go to Edit the whd.conf file.

    If you are defining a new host name, go to step 2.

  2. Open the following file in a text editor:

    C:\Windows\System32\drivers\etc\hosts

  3. Add the following string in the file:

    127.0.0.1 mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is the domain name you chose for WebHelpDesk and will be used for the remaining procedures.

  4. Save and close the file.

Edit the whd.conf file

  1. Open the following file in a text editor:

    <WebHelpDesk>\conf\whd.conf

  2. Ensure that the following string is uncommented and includes a port number that is not occupied by another process:

    HTTPS_PORT=443

  3. Locate and follow the instructions in the # Privileged networks section to populate PRIVILEGED_NETWORKS= with the IP address or IP address range where the Web Help Desk host belongs.

    Use a valid IP address and not a loopback address.

    For example:

    PRIVILEGED_NETWORKS=12.20.30.40

    or

    PRIVILEGED_NETWORKS=12.20.30.*

  4. Add the following WHD_HOST variable:

    WHD_HOST=mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is the domain name you chose for your installation.

  5. Save and close the file.
  6. If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

    If you are installing Web Help Desk in another location, edit the following files:

    • tomcat_server_template.xml
    • java.security
    • pkcs11_nss.cfg
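
A check for the whd.conf settings described above, as an added PowerShell example that is not part of the vendor documentation. It assumes whd.conf uses plain KEY=VALUE lines with # comments and that multiple PRIVILEGED_NETWORKS entries, if any, are separated by commas or spaces; the sample lines are constructed.

```powershell
# Added example (not vendor code): check whd.conf text against the steps above.
function Test-WhdConf {
    param([string[]]$Lines)

    # Collect uncommented KEY=VALUE pairs; a later line overrides an earlier one.
    $settings = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $i = $t.IndexOf('=')
        if ($i -gt 0) { $settings[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim() }
    }

    $problems = @()

    # Step 2: HTTPS_PORT must be uncommented and a valid TCP port number.
    $port = 0
    if (-not $settings.ContainsKey('HTTPS_PORT')) {
        $problems += 'HTTPS_PORT is missing or commented out'
    } elseif ((-not [int]::TryParse($settings['HTTPS_PORT'], [ref]$port)) -or $port -lt 1 -or $port -gt 65535) {
        $problems += "HTTPS_PORT '$($settings['HTTPS_PORT'])' is not a valid port number"
    }

    # Step 3: PRIVILEGED_NETWORKS must hold a real address or range, not loopback.
    $nets = $settings['PRIVILEGED_NETWORKS']
    if ([string]::IsNullOrEmpty($nets)) {
        $problems += 'PRIVILEGED_NETWORKS is empty'
    } elseif ($nets -match '(^|[,\s])(127\.|localhost|::1)') {
        $problems += "PRIVILEGED_NETWORKS '$nets' contains a loopback address"
    }

    # Step 4: WHD_HOST must be set to the chosen host name.
    if ([string]::IsNullOrEmpty($settings['WHD_HOST'])) {
        $problems += 'WHD_HOST is not set'
    }
    return $problems
}

# Constructed sample content. On a server, read the real file instead:
#   Get-Content '<WebHelpDesk>\conf\whd.conf'
$sample = @(
    '#HTTPS_PORT=443',
    'PRIVILEGED_NETWORKS=127.0.0.1',
    'WHD_HOST=mywebhelpdesk.mydomain'
)
$found = @(Test-WhdConf -Lines $sample)
if ($found.Count -eq 0) { 'whd.conf matches the steps above' } else { $found }

# To confirm no other process is listening on the chosen port, run on the server:
#   Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
```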

(Optional) Edit the tomcat_server_template.xml file

If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

If you are installing Web Help Desk in another location, update the path to the nss-x64 in the tomcat_server_template.xml file.

  1. Open the following file in a text editor:

    <WebHelpDesk>\conf\tomcat_server_template.xml

  2. Locate the SSL HTTP/1.1 connector section, as shown below.

    <!-- Define a SSL HTTP/1.1 Connector on port @@@WEBHELPDESK_SSL_PORT@@@
    This connector uses the JSSE configuration, when using APR, the
    connector should be using the OpenSSL style configuration
    described in the APR documentation.
    @@@WEBHELPDESK_SSL_START@@@
    ...
    ...
    @@@WEBHELPDESK_SSL_STOP@@@ -->

  3. Update the path to the nss-x64 in the code.

    1. Locate the following path:

       c:\\Program Files\\WebHelpDesk\\

    2. Replace this path with the path to your Web Help Desk installation.

       Be sure to include the double slashes ( \\ ) as path delimiters.

  4. Save and close the file.

(Optional) Edit the java.security file

If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

If you are installing Web Help Desk in another directory, update the java.security file with the appropriate path.

  1. Navigate to the following directory:

    <WebHelpDesk>\bin\jre\lib\security

  2. Open the java.security file in a text editor.
  3. In the file, locate the following path:

    c:\\Program\ Files\\WebHelpDesk\\

  4. Replace this path with the path to your Web Help Desk installation.

    Be sure to include the double slashes ( \\ ) as path delimiters.

    Use a single backslash to escape each space. For example: Program\ Files.

(Optional) Edit the pkcs11_nss.cfg file

If you are installing Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

If you are installing Web Help Desk in a different location, perform the following steps:

  1. Open the following file in a text editor:

    <WebHelpDesk>\bin\nss-x64\config\pkcs11_nss.cfg

  2. Locate the following strings:

    nssLibraryDirectory = "c:\\Program Files\\WebHelpDesk\\bin\\nss-x64\\lib"

    nssSecmodDirectory = "c:\\Program Files\\WebHelpDesk\\bin\\nss-x64\\dbnss"

  3. In each string, replace:

    c:\\Program Files\\WebHelpDesk

    with the path to your Web Help Desk installation.

    Be sure to include the double slashes ( \\ ) as path delimiters.

  4. Save and close the file.
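
The path replacement from the three optional sections above, as an added PowerShell example that is not part of the vendor documentation. It rewrites the default path with each file's escaping rule (double backslashes everywhere, plus backslash-escaped spaces for java.security) and flags a path left with single backslashes; the install directory D:\Apps\Web Help Desk and the key name example.key are hypothetical.

```powershell
# Added example (not vendor code): rewrite the default install path in text
# taken from tomcat_server_template.xml, java.security, or pkcs11_nss.cfg.
$DefaultDir = 'c:\Program Files\WebHelpDesk'   # default path shown on this page

function ConvertTo-EscapedPath {
    param([string]$Path, [switch]$EscapeSpaces)
    $p = $Path.TrimEnd('\').Replace('\', '\\')          # double every backslash
    if ($EscapeSpaces) { $p = $p.Replace(' ', '\ ') }   # java.security: Program\ Files
    return $p
}

function Update-InstallPath {
    param([string]$Text, [string]$InstallDir, [switch]$EscapeSpaces)
    $old = ConvertTo-EscapedPath -Path $DefaultDir -EscapeSpaces:$EscapeSpaces
    $new = ConvertTo-EscapedPath -Path $InstallDir -EscapeSpaces:$EscapeSpaces
    # Literal, case-insensitive match; '$' is the only special character in a
    # .NET replacement string, so it is doubled to keep it literal.
    return [regex]::Replace($Text, [regex]::Escape($old), $new.Replace('$', '$$'), 'IgnoreCase')
}

function Test-LoneBackslash {
    param([string]$Text)
    # True when a backslash is neither part of a \\ pair nor escaping a space,
    # which is the delimiter mistake the steps above warn about.
    return $Text -match '(?<!\\)\\(?![\\ ])'
}

# Constructed sample lines. The pkcs11_nss.cfg line is quoted from this page;
# the java.security key name is a placeholder.
$cfgLine  = 'nssLibraryDirectory = "c:\\Program Files\\WebHelpDesk\\bin\\nss-x64\\lib"'
$javaLine = 'example.key=c:\\Program\ Files\\WebHelpDesk\\bin\\nss-x64\\config\\pkcs11_nss.cfg'
$target   = 'D:\Apps\Web Help Desk'   # hypothetical install directory

Update-InstallPath -Text $cfgLine  -InstallDir $target
Update-InstallPath -Text $javaLine -InstallDir $target -EscapeSpaces

# A hand-edited line that kept single backslashes is reported as True.
Test-LoneBackslash 'nssSecmodDirectory = "D:\Apps\Web Help Desk\bin\nss-x64\dbnss"'
```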

7. Create a Web Help Desk server certificate

This procedure describes how to obtain a certificate signed by a trusted Certificate Authority (CA) or create and use a self-signed certificate.

Creating a self-signed certificate should only be used in test environments and is not recommended for production environments.

To create a Web Help Desk server certificate, select one of the following options:

If you currently have a signed certificate for your NSS database, you can skip this procedure.

Before you begin

If you are running Internet Explorer to access Web Help Desk, add your Web Help Desk URL as a trusted site or designate the URL as an Intranet connection in the security settings. This process will prevent the default security settings in Internet Explorer from blocking JavaScript code used for navigating through the Getting Started wizard.

Obtain a signed certificate by a trusted CA

  1. Locate and open the copy_paste.txt file located at <WebHelpDesk>\conf\additional\fips-140-2\WebHelpDesk - clean install.

    This file contains code for the following steps.

  2. Generate a certificate signing request using the NSS tools.

    1. Open a command prompt window.
    2. At the prompt, enter:

       cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

    3. Create a certificate signing request.

       The default password to your NSS database is P@ssw0rd.

       Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

       .\certutil -R -s "CN=mywebhelpdesk.mydomain, O=My_company, L=My_location, ST=My_state, C=My_country" -p My_phone -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

       where mywebhelpdesk.mydomain is your Web Help Desk domain name and My_location, My_state, and so on are specific to your deployment.

       Change the path to mycert.req if you want to use a different location.

  3. Send the generated file to a trusted CA (such as Verisign) to validate the certificate identity.

    The CA validates the certificate, and then sends the validated certificate back to you. This process may require several weeks to complete.

  4. Import the certificate into your NSS database.

    1. Open a command prompt window.
    2. At the prompt, enter:

       cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

    3. Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

       .\certutil -A -n tomcat -t "TCu,TCu,TCu" -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss"

       Change the path to mycert.crt if you want to use a different location.

    4. When prompted, enter the password to your NSS database.

       The default password is:

       P@ssw0rd

    5. Verify that the certificate is stored in your NSS database.

       At the prompt, execute:

       .\certutil -L -d ../dbnss

  5. Go to Complete the installation.

Create and use a self-signed certificate

Perform the following procedure only if you did not obtain a certificate signed by a trusted Certificate Authority (CA).

The default password to your NSS database is P@ssw0rd.

Change the path to mycert.req if you want to use a different location.

  1. Locate and open the copy-paste.txt file located at <WebHelpDesk>\conf\additional\fips-140-2\.

    This file contains code for the following steps.

  2. Open a command prompt and navigate to:

    <WebHelpDesk>\bin\nss-x64\bin\

  3. Create a certificate signing request.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

    .\certutil -R -s "CN=mywebhelpdesk.mydomain, O=My_company, L=My_location, ST=My_state, C=My_country" -p My_phone -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

    where:

    • mywebhelpdesk.mydomain is the Web Help Desk domain name you configured for the WHD_HOST variable in the whd.conf file.
    • My_location, My_state, and so on are specific to your deployment.
    • c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation. Adjust this path if your Web Help Desk software is installed in a non-standard location.
  4. Follow the prompts after each .\certutil command line to complete the certificate signing request.

    When prompted for the default NSS database password, enter:

    P@ssw0rd

  5. Create a certificate called myissuer that will be used as the local CA to sign the tomcat certificate.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

    .\certutil -S -s "CN=My Issuer" -n myissuer -x -t "TCu,TCu,TCu" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation.

    Adjust this path if your Web Help Desk software is installed in a non-standard location.

  6. Sign your certificate request.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

    .\certutil -C -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -c myissuer -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation. Adjust this path if your Web Help Desk software is installed in a non-standard location.

    Change the path to mycert.crt if you want to use a different location.

    The command completes without displaying a success message in the command prompt.

  7. Import the self-signed certificate into your NSS database.

    Change the path to mycert.crt if you want to use a different location.

    Copy and paste the following code from the copy-paste.txt file to the command prompt and execute:

    .\certutil -A -n tomcat -t "TCu,TCu,TCu" -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss"

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation. Adjust this path if your Web Help Desk software is installed in a non-standard location.

    The command completes without displaying a success message in the command prompt.

  8. Close the command prompt window.
  9. Start Web Help Desk.

    Navigate to your <WebHelpDesk> directory and double-click whd.bat start.

    The following steps describe how to import certificates into your Trusted Root CA and Trusted Publishers stores using Internet Explorer 9 or later. If you are using another type of web browser, see your web browser documentation for information about importing certificates into these stores.

  10. Open Internet Explorer and navigate to:

    https://mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is your Web Help Desk domain name.

    A certificate error message displays.

  11. Import the CA certificate into the Trusted Root CA store of your operating system.
    1. In your web browser, click Proceed anyway.
    2. Double-click Certificate error.
    3. Click View Certificate and select Certification path tab > My Issuer > View Certificate > Install Certificate.
    4. Select Local Machine > TRUSTED ROOT CERTIFICATION AUTHORITIES and click Next.
    5. Click Finish.
    6. Click OK.
  12. Import the server certificate into the Trusted Publishers store.
    1. In your web browser, click Proceed anyway.
    2. In your web browser, double-click Certificate error.
    3. Click View Certificate and select General tab > Install Certificate.
    4. Select Local Machine > TRUSTED PUBLISHERS and click Next.
    5. Click Finish.
    6. Press F5 to refresh the web page.

    If Web Help Desk is not loaded after pressing F5, stop and then restart Web Help Desk.

8. Complete the installation

  1. In the Getting Started Wizard, select the embedded database option.
  2. Complete the remaining steps in the Getting Started Wizard.
  3. Navigate to your Web Help Desk URL.
  4. Log in to Web Help Desk using admin as your user name and password.
  5. In the toolbar, click Setup and select General > Options.
  6. In the Server DNS Name field, enter your Web Help Desk fully qualified domain name.
  7. Set Force HTTPS to Always.
  8. Click Save.
  9. Update your Web Help Desk password to a secure password.
  10. Activate your Web Help Desk license.

9. Set up SolarWinds Integration and email

If you are using self-signed certificates on your SolarWinds Integration servers, email servers, email, or third-party tools, you will need to add these certificates into the Web Help Desk NSS database. Below is an example for the Orion connection.

  1. Open a Web browser window and navigate to:

    https://ORION_IP_Address:17778/Solar...v3/OrionBasic/

  2. Export the certificate into a file in .cer format.

    1. Click the lock icon next to the URL address and select Certificate Information > Details > Copy to File.
    2. Follow the prompts in the export wizard, selecting the .der format of the exported certificate.
  3. Open a command prompt window.

    At the prompt, enter:

    cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

  4. Import the certificate.

    At the prompt, enter:

    certutil -A -t "CT,C,C" -d ..\dbnss -n orion_cert -i c:\<path_to_exported_cert>\previously_exported_cert.cer

 
Last modified
13:46, 18 Jul 2016
