Set up FIPS mode

This procedure is optional. If your HPE OneView appliance is configured in FIPS mode, you must also configure your external repository.

Prerequisites
  • You have a computer or virtual machine running Linux to generate the required certificates.

Procedure
  1. Generate the required certificates for the Windows web server using OpenSSL on a computer or virtual machine running Linux.
    • Obtain and install OpenSSL.

      yum install openssl

    • Set CN to the FQDN of the web server. To get the FQDN from the server's IP address, enter the command ping -a IP_ADDR.

    • Set subjectAltName with the DNS and IP address of the web server.

    The following commands use bash process substitution (<( ... )), so run them in bash.

    openssl genrsa -out key.pem 2048

    openssl req -subj "/CN=<FQDN or IP address>/C=US/ST=CA/L=PA/O=HPE/OU=Org" -sha256 -new -key key.pem -out \
    certreq.csr -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:<FQDN>,\
    IP:<IP address>\nkeyUsage=digitalSignature,keyEncipherment,dataEncipherment\nbasicConstraints=CA:FALSE"))

    openssl req -x509 -sha256 -key key.pem -out cert.pem -nodes -days 3650 -extensions v3_req -in certreq.csr \
    -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[v3_req]\nsubjectAltName=DNS:<FQDN>,IP:<IP address>\
    \nkeyUsage=digitalSignature,keyEncipherment,dataEncipherment\nbasicConstraints=CA:FALSE"))
  2. Create the pfx file that contains the certificate and the private key. The -export command prompts for an export password; this is the password you enter when you import the file into IIS.

    openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

  3. To import the pfx file into the IIS web server, perform the following steps:
    1. Open IIS Manager.
    2. On the home page of IIS Manager, select Server Certificates > Import.
    3. Select the pfx file and enter the password.
      NOTE:

      Remember the password that you have entered. You will need the password when you add the web server to HPE OneView.

    4. Select Default Web Site in the Connections pane, and in the Actions pane, select Bindings.
    5. Click Add, and from the Type drop-down list, select https. The default port assigned is 443.
  4. Restart the IIS web server.
  5. Connect to the web server using a browser. If you used a self-signed certificate, you will see a certificate error. To proceed, accept the certificate exception.
  6. To set the Windows server mode to FIPS, perform the following steps:
    1. Open the Run dialog, enter the regedit command to open the Registry Editor, and enable the FIPS algorithm policy key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy REG_DWORD set to 1 (decimal)

      On current Windows versions this DWORD is the Enabled value under the FIPSAlgorithmPolicy key.

    2. Verify that FIPS mode is enabled.
      • Open the Run application and enter the gpedit.msc command.

        The Local Group Policy Editor opens.

      • In the Local Group Policy Editor, select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

      • Open System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

    3. Select Enabled.
    4. Restart the OS.
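As an added example that is not part of the HPE documentation, the Linux-side work of steps 1 and 2 as a POSIX shell script: it writes the SAN, key usage and CA:FALSE extensions to a config file instead of relying on bash process substitution, generates the key, CSR and self-signed certificate, checks the certificate before the pfx is built, and bundles it with a caller-supplied export password. The function names (make_san_config, gen_cert, check_cert, make_pfx) and the FQDN, IP address, directory and password arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not HPE's own code): build the web-server certificate from an
# explicit OpenSSL config file instead of process substitution, then verify the
# SAN and key usage before packaging. FQDN, IP, DIR and PASSWORD are placeholders.
set -eu

# Config whose [v3_req] section carries SAN, key usage and CA:FALSE, so one
# file serves both the CSR (-reqexts) and the self-signed cert (-extensions).
make_san_config() {
  fqdn=$1; ip=$2; out=$3
  cat > "$out" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $fqdn
O = HPE
[v3_req]
subjectAltName = DNS:$fqdn,IP:$ip
keyUsage = digitalSignature,keyEncipherment,dataEncipherment
basicConstraints = CA:FALSE
EOF
}

# gen_cert FQDN IP DIR: writes key.pem, certreq.csr and cert.pem into DIR.
gen_cert() {
  fqdn=$1; ip=$2; dir=$3
  make_san_config "$fqdn" "$ip" "$dir/san.cnf"
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/key.pem" -out "$dir/certreq.csr" \
    -reqexts v3_req -config "$dir/san.cnf"
  openssl req -x509 -sha256 -days 3650 -key "$dir/key.pem" -in "$dir/certreq.csr" \
    -out "$dir/cert.pem" -extensions v3_req -config "$dir/san.cnf"
}

# check_cert CERT FQDN IP: succeeds only if both SAN entries are present, the
# certificate is not a CA, and the key usage is the one the procedure specifies.
check_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q "DNS:$2" || return 1
  echo "$txt" | grep -q "IP Address:$3" || return 1
  echo "$txt" | grep -q "CA:FALSE" || return 1
  echo "$txt" | grep -q "Digital Signature, Key Encipherment, Data Encipherment"
}

# make_pfx DIR PASSWORD: bundle cert and key; PASSWORD is what IIS asks for on import.
make_pfx() {
  openssl pkcs12 -export -out "$1/cert.pfx" -inkey "$1/key.pem" \
    -in "$1/cert.pem" -passout "pass:$2"
}
```

Run check_cert against cert.pem before make_pfx; a certificate whose SAN does not name the FQDN and IP that HPE OneView will connect to fails the check and should not be imported.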