
Enable FIPS in an existing deployment

Created by Steve.Hawkins, last modified by Anthony.Rinaldi on Jul 18, 2016


If you are installing Web Help Desk 12.4.0 or later in an existing deployment, SolarWinds recommends following the procedures in this section to upgrade your existing deployment to FIPS 140-2 compliance.

Enabling FIPS 140-2 compliant cryptography in an existing deployment is optional and is not required to continue using Web Help Desk. Your database is still protected from unauthorized users, whether or not you use the tool. You can maintain your current deployment configuration if you believe that your corporate enterprise is secure and does not require the added security of FIPS 140-2 cryptography.

Before you begin

Before you enable FIPS in your existing deployment, verify that:

  • Web Help Desk 12.4.0 or later is installed in your deployment.
  • Your database is not connected to Web Help Desk using an SSL connection.
  • Your Web Help Desk hostname is configured in the General Options screen at Setup > General > Options.

Deployment checklist

Use the following checklist to guide you through the deployment procedures.

  • 1. Review the requirements.

     

  • 2. Ensure you are running Web Help Desk 12.4.0 or later. Upgrade to 12.4.0 or later, if required.

     

  • 3. Ensure the Web Help Desk hostname located in the Setup > General > Options > General Options screen is correct. This hostname will be used throughout this procedure to configure FIPS in your deployment.

     

  • 4. Install Visual C++ Redistributable Packages for Visual Studio 2013 in your deployment.

    This software is included with your Web Help Desk installation package.

     

  • 5. Update the Environment Variables Path setting in your Windows Server operating system.

     

  • 6. Enable FIPS mode on your Apache Tomcat server.
    • Stop Web Help Desk.
    • Install the preconfigured Web Help Desk files for FIPS deployment.
    • Edit the wrapper_template.conf file.
    • Edit the etc\hosts file.
    • Edit the whd.conf file.

    If you installed Web Help Desk in the default <WebHelpDesk> directory, go to the next step.

    If you installed Web Help Desk in a separate directory:

    • (Optional) Edit the tomcat_server_template.xml file.
    • (Optional) Edit the java.security file.
    • (Optional) Edit the pkcs11_nss.cfg file.

     

  • 7. Create a Web Help Desk server certificate for your NSS database by obtaining a certificate signed by a trusted CA or by creating and using a self-signed certificate.

     

  • 8. Complete the final installation steps.

     

  • 9. Set up your SolarWinds Integration and email. If you are using self-signed certificates on the SolarWinds Integration servers or email servers, add these certificates into the Web Help Desk NSS database.

1. Review the requirements

Ensure that your Windows operating system and database software meet the component requirements for FIPS 140-2 compliant cryptography.

Web Help Desk 12.4.0 and later does not support FIPS 140-2 compliance in Windows 32-bit, Apple OS X, and Linux operating systems.

2. Ensure you are running Web Help Desk 12.4.0 or later

The FIPS 140-2 compliant cryptography is only supported in Web Help Desk 12.4.0 and later.

If you are currently running version 12.4.0 or later, go to step 3. If you are not running Web Help Desk 12.4.0 or later, download the software from the Customer Portal.

This version includes:

  • NSS binaries
  • An empty NSS database in FIPS mode
  • The security provider configuration file

The NSS-related files are stored in your <WebHelpDesk> home folder.

3. Ensure that the Web Help Desk hostname is correct

The Web Help Desk hostname will be used throughout this procedure to configure FIPS in your deployment.

  1. Click Setup in the toolbar and select General > Options.
  2. In the General Options screen, ensure that the Web Help Desk Name field contains the correct hostname.

4. Install Visual C++ Redistributable Packages for Visual Studio 2013

This software is included with your Web Help Desk 12.4.0 and later installation package. When you execute the installer, it installs the runtime components required to run C++ applications in Visual Studio 2013 for a 64-bit environment.

When you run the installation program, select vcredist_64.exe and install the software in your <WebHelpDesk> directory.

5. Update the Environment Variables Path setting in your Windows Server operating system

The following procedure describes how to edit the Environment Variables settings in your Windows Server operating system. When completed, you can run Web Help Desk commands in a command prompt without having to change directories in the prompt.

See the Microsoft TechNet website for information about locating the Environment Variables properties in your operating system.

  1. In your Windows Server operating system, locate and open the Environment Variables properties.
  2. In the Environment Variables properties, locate Path in the System Variables.
  3. Open the PATH string in Edit mode.
  4. Update the PATH string with the following path to your nss-x64 library:

<WebHelpDesk>\bin\nss-x64\lib\;

where <WebHelpDesk> is the path to your Web Help Desk directory.

Below is an example of the system PATH variable.

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\

When you add your nss-x64 library path to the PATH string, the path displays as follows:

C:\Program Files\WebHelpDesk\bin\nss-x64\lib\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\

6. Enable FIPS mode on your Apache Tomcat server

In the following procedures, <WebHelpDesk> represents the Web Help Desk home folder on your system. For example: c:\Program Files\WebHelpDesk.

Stop Web Help Desk

  1. Navigate to the <WebHelpDesk> directory.
  2. Right-click whd_stop.bat and select Run as Administrator.

    Web Help Desk is stopped.

Install the preconfigured Web Help Desk files for FIPS deployment

When completed, you can use the drag and drop feature for FIPS configuration.

  1. Navigate to the following directory:

    <WebHelpDesk>\conf\additional\fips-140-2\WebHelpDesk - upgrade

  2. Copy all files, including the \bin and \conf directories.
  3. Navigate to the <WebHelpDesk> directory.
  4. Paste your copied files into the directory, overwriting all existing files.

    If you are prompted to copy the tomcat_server_template.xml file, choose the copy and replace option.

Edit the wrapper_template.conf file

  1. Open the following file in a text editor:

    <WebHelpDesk>\bin\wrapper\conf\wrapper_template.conf

  2. Locate the following section:
    wrapper.java.additional.1=-XX:MaxPermSize=@@@WHD_MAX_PERM_MEMORY@@@m
    wrapper.java.additional.2=-Djava.endorsed.dirs=../../../conf/endorsed
    wrapper.java.additional.3=-Dcatalina.base=../../tomcat
    ...
    ...
    wrapper.java.additional.17=-DWHDWebObjectsMonitorDeployment=false
  3. Add the following strings in the code:

    wrapper.java.additional.XX=-DWHDnss

    wrapper.java.additional.XX=-Djavax.net.ssl.keyStore=NONE

    wrapper.java.additional.XX=-Djavax.net.ssl.trustStore=NONE

    where XX equals the next incremented number in the section.

    If you do not have any customizations in this file, you can use section 1 in the copy_paste.txt file to copy from and paste into your wrapper_template.conf file. The copy_paste.txt file is located in the following directory:

    <WebHelpDesk>\conf\additional\fips-140-2\WebHelpDesk - upgrade\

    For example:

    # Java Additional Parameters
    wrapper.java.additional.1=-XX:MaxPermSize=@@@WHD_MAX_PERM_MEMORY@@@m
    wrapper.java.additional.2=-Djava.endorsed.dirs=../../../conf/endorsed
    ...
    wrapper.java.additional.17=-DWHDWebObjectsMonitorDeployment=false
    wrapper.java.additional.18=-DWHDnss
  4. Save and close the file.
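
The "next incremented number" rule from step 3, scripted as an added PowerShell example (not SolarWinds code). `Add-WrapperFipsOption` is a hypothetical helper name, and the sample lines are constructed from the listing above. It skips options that are already present and stops if an index is defined twice.

```powershell
# Added example (not SolarWinds code). Add-WrapperFipsOption is a hypothetical helper.
function Add-WrapperFipsOption {
    param([string[]] $Lines)

    # The three JVM options this procedure adds to wrapper_template.conf.
    $required = @('-DWHDnss',
                  '-Djavax.net.ssl.keyStore=NONE',
                  '-Djavax.net.ssl.trustStore=NONE')
    $rx      = '^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$'
    $seen    = New-Object System.Collections.Generic.List[int]
    $present = New-Object System.Collections.Generic.List[string]
    $max     = 0
    $lastIdx = -1

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $rx) {          # commented-out lines do not match
            $n = [int]$Matches[1]
            if ($seen.Contains($n)) { throw "wrapper.java.additional.$n is defined twice" }
            $seen.Add($n)
            $present.Add($Matches[2])
            if ($n -gt $max) { $max = $n }
            $lastIdx = $i
        }
    }

    # Number each missing option from the next free index.
    $new = New-Object System.Collections.Generic.List[string]
    foreach ($opt in $required) {
        if (-not $present.Contains($opt)) {
            $max++
            $new.Add(('wrapper.java.additional.{0}={1}' -f $max, $opt))
        }
    }

    # Insert directly after the last existing entry (or at the end if there is none).
    $out = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $out.Add($Lines[$i])
        if ($i -eq $lastIdx) { $out.AddRange($new) }
    }
    if ($lastIdx -lt 0) { $out.AddRange($new) }
    $out.ToArray()
}

# Constructed sample: a shortened "Java Additional Parameters" section in which
# -DWHDnss was already added by hand.
$sample = @(
    '# Java Additional Parameters',
    'wrapper.java.additional.1=-XX:MaxPermSize=@@@WHD_MAX_PERM_MEMORY@@@m',
    'wrapper.java.additional.2=-Djava.endorsed.dirs=../../../conf/endorsed',
    'wrapper.java.additional.3=-DWHDWebObjectsMonitorDeployment=false',
    'wrapper.java.additional.4=-DWHDnss',
    '',
    '# Initial Java Heap Size (in MB)'
)
Add-WrapperFipsOption -Lines $sample
```

To use it on a real file, pass the output of `Get-Content` for wrapper_template.conf and write the result to a copy that you review before replacing the original.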

Edit the etc\hosts file

Edit the hosts file to allow the local domain to be resolved correctly.

  1. Open the following file in a text editor:

    C:\Windows\System32\drivers\etc\hosts

  2. Determine if you want to define a host name specifically for Web Help Desk that is different from the real server host name registered in DNS.

    To use the existing host name, go to the next step.

    To define a new host name, add the following string:

    <Web Help Desk server IP address> mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is the domain name used for the remaining procedures.

  3. Add the following string in the file:

    127.0.0.1 mywebhelpdesk.mydomain

  4. Save and close the file.

Edit the whd.conf file

  1. Open the following file in a text editor:

    <WebHelpDesk>\conf\whd.conf

  2. Ensure that the following string is uncommented and includes a port number that is not occupied by another process:

    HTTPS_PORT=443

    If you are upgrading your deployment to FIPS 140-2 compliance, add this string to the file.

  3. Locate and follow the instructions in the # Privileged networks section to populate PRIVILEGED_NETWORKS= with the IP address or IP address range where the Web Help Desk host belongs.

    For example:

    PRIVILEGED_NETWORKS=12.20.30.40

    or

    PRIVILEGED_NETWORKS=12.20.30.*

  4. Uncomment the following WHD_HOST variable:

    WHD_HOST=mywebhelpdesk.mydomain

  5. Save and close the file.
  6. If you installed Web Help Desk in the default <WebHelpDesk> directory, go to Create a Web Help Desk server certificate.

    If you installed Web Help Desk in another location, edit the following files:

    • tomcat_server_template.xml
    • java.security
    • pkcs11_nss.cfg

(Optional) Edit the tomcat_server_template.xml file

  1. Open the following file in a text editor:

    <WebHelpDesk>\conf\tomcat_server_template.xml

  2. Locate the SSL HTTP/1.1 connector section, as shown below.
    <!-- Define a SSL HTTP/1.1 Connector on port @@@WEBHELPDESK_SSL_PORT@@@
    This connector uses the JSSE configuration, when using APR, the
    connector should be using the OpenSSL style configuration
    described in the APR documentation.
    @@@WEBHELPDESK_SSL_START@@@
    ...
    ...
    @@@WEBHELPDESK_SSL_STOP@@@ -->
  3. Replace the code between

    @@@WEBHELPDESK_SSL_START@@@

    and

    @@@WEBHELPDESK_SSL_STOP@@@

    with the code included in the copy_paste.txt file, where c:\\Program Files\\WebHelpDesk\\ is the path to your default WebHelpDesk installation directory.

    Be sure to include the double slashes ( \\ ) as path delimiters.

  4. If you are installing Web Help Desk in a non-default location, update the path to the nss-x64 in the code.

(Optional) Edit the java.security file

  1. Open the following file in a text editor:

    <WebHelpDesk>\bin\jre\lib\security\java.security

  2. Locate the following section:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.rsa.SunRsaSign
    security.provider.3=sun.security.ec.SunEC
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
    security.provider.7=com.sun.security.sasl.Provider
    security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.9=sun.security.smartcardio.SunPCSC
    security.provider.10=sun.security.mscapi.SunMSCAPI
    
  3. Remove the following string:

    security.provider.4=com.sun.net.ssl.internal.ssl.Provider

  4. Add the following strings before security.provider.5=com.sun.crypto.provider.SunJCE:
    security.provider.XX=sun.security.pkcs11.SunPKCS11 c:\\Program\ Files\\WebHelpDesk\\bin\\nss-x64\\config\\pkcs11_nss.cfg
    security.provider.XX=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSScrypto
    

    where XX equals the appropriate string increment number.

  5. Adjust the increment numbers of each string so they are in sequential order (such as 1, 2, 3, and so on).

    When completed, this section should appear exactly as follows:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.rsa.SunRsaSign
    security.provider.3=sun.security.ec.SunEC
    security.provider.4=sun.security.pkcs11.SunPKCS11 c:\\Program\ Files\\WebHelpDesk\\bin\\nss-x64\\config\\pkcs11_nss.cfg
    security.provider.5=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSScrypto
    security.provider.6=com.sun.crypto.provider.SunJCE
    security.provider.7=sun.security.jgss.SunProvider
    security.provider.8=com.sun.security.sasl.Provider
    security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.10=sun.security.smartcardio.SunPCSC
    security.provider.11=sun.security.mscapi.SunMSCAPI
    keystore.type=PKCS11
  6. Locate and comment out the following string:

    keystore.type=jks

    For example:

    # keystore.type=jks

  7. Save and close the file.
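
Steps 3 through 6 above as one transformation, in an added PowerShell example (not SolarWinds code). `Convert-JavaSecurityForFips` is a hypothetical helper name, the sample input is constructed from the listing in step 2, and the default `-NssConfig` value is the escaped path the page uses for a default installation.

```powershell
# Added example (not SolarWinds code). Convert-JavaSecurityForFips is a hypothetical helper.
function Convert-JavaSecurityForFips {
    param(
        [string[]] $Lines,
        # Escaped the way the page writes it for a default installation.
        [string] $NssConfig = 'c:\\Program\ Files\\WebHelpDesk\\bin\\nss-x64\\config\\pkcs11_nss.cfg'
    )
    $provRx = '^\s*security\.provider\.\d+\s*=\s*(.+?)\s*$'
    $jsse   = 'com.sun.net.ssl.internal.ssl.Provider'
    $pkcs11 = 'sun.security.pkcs11.SunPKCS11'

    # Keep the existing providers in order, dropping any JSSE or SunPKCS11
    # entry so that running the function twice gives the same result.
    $kept = New-Object System.Collections.Generic.List[string]
    foreach ($l in $Lines) {
        if ($l -match $provRx) {
            $v = $Matches[1]
            if (-not ($v.StartsWith($jsse) -or $v.StartsWith($pkcs11))) { $kept.Add($v) }
        }
    }

    # Step 4: both new entries go immediately before SunJCE.
    $at = $kept.IndexOf('com.sun.crypto.provider.SunJCE')
    if ($at -lt 0) { throw 'SunJCE provider not found; refusing to guess the insert position.' }
    $kept.Insert($at, "$jsse SunPKCS11-NSScrypto")
    $kept.Insert($at, "$pkcs11 $NssConfig")      # ends up ahead of the JSSE entry

    $hasP11 = [bool]($Lines -match '^\s*keystore\.type\s*=\s*PKCS11\s*$')
    $out = New-Object System.Collections.Generic.List[string]
    $emitted = $false
    foreach ($l in $Lines) {
        if ($l -match $provRx) {
            # Step 5: write the whole list once, renumbered 1, 2, 3, ...
            if (-not $emitted) {
                for ($i = 0; $i -lt $kept.Count; $i++) {
                    $out.Add(('security.provider.{0}={1}' -f ($i + 1), $kept[$i]))
                }
                $emitted = $true
            }
        }
        elseif ($l -match '^\s*keystore\.type\s*=\s*jks\s*$') {
            # Step 6: comment out jks and make PKCS11 the keystore type.
            $out.Add('# keystore.type=jks')
            if (-not $hasP11) { $out.Add('keystore.type=PKCS11') }
        }
        else { $out.Add($l) }
    }
    $out.ToArray()
}

# Constructed sample: the provider list from step 2 plus the default keystore type.
$sample = @(
    'security.provider.1=sun.security.provider.Sun',
    'security.provider.2=sun.security.rsa.SunRsaSign',
    'security.provider.3=sun.security.ec.SunEC',
    'security.provider.4=com.sun.net.ssl.internal.ssl.Provider',
    'security.provider.5=com.sun.crypto.provider.SunJCE',
    'security.provider.6=sun.security.jgss.SunProvider',
    'security.provider.7=com.sun.security.sasl.Provider',
    'security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI',
    'security.provider.9=sun.security.smartcardio.SunPCSC',
    'security.provider.10=sun.security.mscapi.SunMSCAPI',
    '',
    'keystore.type=jks'
)
Convert-JavaSecurityForFips -Lines $sample
```

For an installation in another directory, pass the matching escaped path in `-NssConfig`, and compare the output with the listing in step 5 before saving it over java.security.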

(Optional) Edit the pkcs11_nss.cfg file

Edit this file only if Web Help Desk was not installed in the following location:

c:\Program Files\WebHelpDesk

  1. Open the following file in a text editor:

    <WebHelpDesk>\bin\nss-x64\config\pkcs11_nss.cfg

  2. Locate the following strings:

    nssLibraryDirectory = "c:\\Program Files\\WebHelpDesk\\bin\\nss-x64\\lib"

    nssSecmodDirectory = "c:\\Program Files\\WebHelpDesk\\bin\\nss-x64\\dbnss"

  3. In each string, replace:

    c:\\Program Files\\WebHelpDesk

    with the path to your Web Help Desk installation.

    Be sure to include the double slashes ( \\ ) as path delimiters.

  4. Save and close the file.

7. Create a signed Web Help Desk certificate for your NSS database

Create a Web Help Desk server certificate by obtaining a certificate signed by a trusted CA or by creating and using a self-signed certificate.

If you currently have a signed certificate for your NSS database, you can skip this procedure.

Before you begin

If you are running Internet Explorer to access Web Help Desk, add your Web Help Desk URL as a trusted site or designate the URL as an Intranet connection in the security settings. This process will prevent the default security settings in Internet Explorer from blocking JavaScript code used for navigating through the Getting Started wizard.

Obtain a signed certificate by a trusted CA

This procedure creates a certificate for a production environment. The certificate is signed by a world-wide trusted CA (such as Verisign or Globalsign) and may require several weeks to certify and receive.

  1. Generate a certificate signing request using the NSS tools.

    The default password to your NSS database is P@ssw0rd.

    1. Open a command prompt window.
    2. At the prompt, enter:

       cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

    3. Create a certificate signing request.

       Change the path to mycert.req if you want to use a different location.

       At the prompt, execute:

       .\certutil -R -s "CN=mywebhelpdesk.mydomain, O=My_company, L=My_location, ST=My_state, C=My_country" -p My_phone -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256

       where mywebhelpdesk.mydomain is your Web Help Desk domain name and My_location, My_state, and so on are specific to your deployment.

  2. Send the generated file to a trusted CA (such as Verisign) to validate the certificate identity.

    The CA validates the certificate, and then sends the validated certificate back to you. This process may require several weeks to complete.

  3. Import the certificate into your NSS database.

    1. Open a command prompt window.
    2. At the prompt, enter:

       cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

    3. At the prompt, execute:

       .\certutil -A -n tomcat -t "TCu,TCu,TCu" -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss"

       Change the path to mycert.crt if you want to use a different location.

    4. When prompted, enter the password to your NSS database.

       The default password is:

       P@ssw0rd

    5. When prompted, enter the password for your Web Help Desk private key.

       The default password is:

       changeit

    6. Verify that the certificate is stored in your NSS database.

       At the prompt, execute:

       .\certutil -L -d ../dbnss

  4. Start Web Help Desk.

    Navigate to your <WebHelpDesk> directory, right-click whd_start.bat, and select Run as Administrator. 

  5. Open a web browser and navigate to:

    https://mywebhelpdesk.mydomain:443/helpdesk/

    where mywebhelpdesk.mydomain is your Web Help Desk domain name.

    If you configured HTTPS_PORT differently in an earlier step, choose a port other than port 443.

  6. In the toolbar, click Setup and select General > Options.
  7. In the Server DNS Name field, enter your Web Help Desk domain name.
  8. Set Force HTTPS to Always.
  9. Click Save.

    The FIPS configuration is completed. Your Web Help Desk deployment is running in FIPS compliant security mode. Do not go to the next section.

Create and use a self-signed certificate

This procedure creates a certificate for a test environment and is not recommended for a production environment. The certificate is signed by your organization and is ready to use after you complete the procedure.

Perform the following procedure only if you did not obtain a certificate signed by a trusted Certificate Authority (CA).

The default password to your NSS database is P@ssw0rd.

  1. Open a command prompt and navigate to:

    <WebHelpDesk>\bin\nss-x64\bin\

  2. Create a certificate signing request.

    Change the path to mycert.req if you want to use a different location.

    At the command prompt, execute:

    .\certutil -R -s "CN=mywebhelpdesk.mydomain, O=My_company, L=My_location, ST=My_state, C=My_country" -p My_phone -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256
    

    where:

    • mywebhelpdesk.mydomain is the Web Help Desk domain name you configured for the WHD_HOST variable in the whd.conf file.
    • My_location, My_state, and so on are specific to your deployment.
    • c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation. Adjust this path if your Web Help Desk software is installed in a non-standard location.
  3. Follow the prompts after each .\certutil command line to complete the certificate signing request.

    When prompted for the default NSS database password, enter:

    P@ssw0rd

  4. Create a certificate called myissuer that will be used as the local CA to sign the tomcat certificate.

    At the command prompt, execute:

    .\certutil -S -s "CN=My Issuer" -n myissuer -x -t "TCu,TCu,TCu" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256
    

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation. Adjust this path if your Web Help Desk software is installed in a non-standard location.

  5. Sign your certificate request.

    Change the path to mycert.crt if you want to use a different location.

    At the command prompt, execute:

    .\certutil -C -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.req" -o "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -c myissuer -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss" -Z SHA256
    

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation. Adjust this path if your Web Help Desk software is installed in a non-standard location.

    When completed, a success message will not appear in the command prompt.

  6. Import the self-signed certificate into your NSS database.

    Change the path to mycert.crt if you want to use a different location.

    At the command prompt, execute:

    .\certutil -A -n tomcat -t "TCu,TCu,TCu" -i "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss\mycert.crt" -d "c:\Program Files\WebHelpDesk\bin\nss-x64\dbnss"

    where c:\Program Files\WebHelpDesk is the location of your current Web Help Desk installation. Adjust this path if your Web Help Desk software is installed in a non-standard location.

    When completed, a success message will not appear in the command prompt.

  7. Close the command prompt window.
  8. Start Web Help Desk.

    Navigate to your <WebHelpDesk> directory and double-click whd.bat start.

    Web Help Desk restarts.

    The following steps describe how to import certificates into your Trusted Root CA and Trusted Publishers stores using Internet Explorer 9 or later. If you are using another type of web browser, see your web browser documentation for information about importing certificates into these stores.

  9. Open Internet Explorer and navigate to:

    https://mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is your Web Help Desk domain name.

    A certificate error message displays.

  10. Import the CA certificate into the Trusted Root CA store of your operating system.
    1. In your web browser, click Proceed anyway.
    2. Double-click Certificate error.
    3. Click View Certificate and select Certification path tab > My Issuer > View Certificate > Install Certificate.
    4. Select Local Machine > TRUSTED ROOT CERTIFICATION AUTHORITIES and click Next.
    5. Click Finish.
    6. Click OK.
  11. Import the server certificate into the Trusted Publishers store.
    1. In your web browser, click Proceed anyway.
    2. In your web browser, double-click Certificate error.
    3. Click View Certificate and select General tab > Install Certificate.
    4. Select Local Machine > TRUSTED PUBLISHERS and click Next.
    5. Click Finish.
    6. Press F5 to refresh the web page.
    7. If Web Help Desk is not loaded after pressing F5, stop and then restart Web Help Desk.
  12. Log in to Web Help Desk as an administrator.
  13. Open a web browser and navigate to:

    https://mywebhelpdesk.mydomain

    where mywebhelpdesk.mydomain is your Web Help Desk domain name.

  14. In the toolbar, click Setup and select General > Options.
  15. In the Server DNS Name field, enter your Web Help Desk domain name.
  16. Set Force HTTPS to Always.
  17. Click Save.

    Your Web Help Desk system is now in FIPS compliant security mode.

8. Complete the installation

  1. In the Getting Started Wizard, select the embedded database option.
  2. Complete the remaining steps in the Getting Started Wizard.
  3. Navigate to your Web Help Desk URL.
  4. Log in to Web Help Desk using admin as your user name and password.
  5. In the toolbar, click Setup and select General > Options.
  6. In the Server DNS Name field, enter your Web Help Desk fully qualified domain name.
  7. Set Force HTTPS to Always.
  8. Click Save.
  9. Update your Web Help Desk password to a secure password.
  10. Activate your Web Help Desk license.

9. Set up your SolarWinds Integration and email

If you are using self-signed certificates on your SolarWinds Integration servers, email servers, email, or third-party tools, you will need to add these certificates into the Web Help Desk NSS database. Below is an example for the Orion connection.

  1. Open a Web browser window and navigate to:

    https://ORION_IP_Address:17778/Solar...v3/OrionBasic/

  2. Export the certificate into a file in .cer format.

    1. Click the lock icon next to the URL address and select Certificate Information > Details > Copy to File.
    2. Follow the prompts in the export wizard, selecting the .der format of the exported certificate.
  3. Open a command prompt window.

    At the prompt, enter:

    cd c:\Program Files\WebHelpDesk\bin\nss-x64\bin\

  4. Import the certificate.

    At the prompt, enter:

    certutil -A -t "CT,C,C" -d ..\dbnss -n orion_cert -i c:\<path_to_exported_cert>\previously_exported_cert.cer

 
Last modified
13:47, 18 Jul 2016
