Run Knowledge Discovery with FIPS

You can run Knowledge Discovery in a Federal Information Processing Standard (FIPS) compliant system.

Knowledge Discovery uses a cryptographic module that complies with Federal Information Processing Standard 140-2 (FIPS 140-2). This standard defines the technical requirements that Federal Agencies must use for cryptographic-based security systems that protect sensitive or valuable data.

To comply with FIPS 140-2, Knowledge Discovery:

  • integrates validated and NIST-certified third party cryptographic modules, and uses the modules as the only providers of cryptographic services.
  • uses FIPS-approved cryptographic functions.
  • uses FIPS-approved and NIST-validated technologies.
  • uses security controls defined in NIST 800-53 (or applicable security controls such as DoD 8500.2), prescribed for cryptographic modules by FIPS 140-2 and applicable for Knowledge Discovery design, implementation, and operation.

When using SSL in FIPS mode, all encrypted ACI communication between all Knowledge Discovery components and HTTPS traffic between Knowledge Discovery and third parties (where SSL is supported by the third party) is secured using the FIPS validated OpenSSL Module.

To review the OpenSSL FIPS certificate, refer to the NIST Website: OpenSSL FIPS certificate.

Configure Your Knowledge Discovery System for FIPS

To use FIPS with Knowledge Discovery, you must set environment variables to configure OpenSSL, and configure SSL communications.

To configure FIPS in your Knowledge Discovery system

  1. Set the following environment variables in your system:

    • OPENSSL_CONF. The location of an OpenSSL configuration file. The Knowledge Discovery packages include a suitable sample configuration file, IDOL_openssl_fips.cnf in the openssl directory.

    • OPENSSL_MODULES. The directory that contains the FIPS shared library file. The Knowledge Discovery packages include these files in the openssl directory.

    For more detailed information about OpenSSL configuration, refer to the OpenSSL3 Documentation.

  2. Open your component configuration file in a text editor.
  3. Configure SSL for your Knowledge Discovery platform. You must configure SSL for incoming connections, and for connections between your components. All connections between your servers must be SSL encrypted (that is, you must configure SSL for both incoming and outgoing communications, where applicable).

    For details of how to configure SSL, refer to Knowledge Discovery Expert, or the Administration Guide for your product. For example:

    [Server]
    SSLConfig=SSLOptions
    
    [SSLOptions]
    SSLMethod=TLSV1.2
    SSLPrivateKey=/path/to/privatekey
    SSLCertificate=/path/to/certificate
    SSLCheckCommonName=True
    SSLCACertificate=/path/to/certificate.authority.certificate

    Keep SSLMethod at TLSV1.2 (as in this example) or TLSV1.3. Earlier TLS versions derive their keys with MD5-based functions that the FIPS provider does not supply, so they cannot be used in FIPS mode. The SSLCACertificate and SSLCheckCommonName settings enable verification of the peer's certificate; a connection that is encrypted but does not verify the peer is still open to interception, and FIPS mode does not change that.
  4. Save and close your configuration file.
  5. Restart the component for your changes to take effect.

To verify that your Knowledge Discovery system is now FIPS-enabled, see Verify FIPS Mode.
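The following script is an added example for this page; it is not part of the Knowledge Discovery documentation or product. It checks the prerequisites from the steps above before a component is restarted (the OpenSSL configuration activates the fips provider, the provider module is in OPENSSL_MODULES, and the component's [Server] section routes through an SSL section with an acceptable SSLMethod), exports OPENSSL_CONF and OPENSSL_MODULES, and after the restart checks application.log for the FIPS line described under Verify FIPS Mode. Everything constructed by make_sample (the directory layout, the contents of IDOL_openssl_fips.cnf, the component configuration, the log file) is an assumption for the demonstration and may differ from the shipped sample files; the provider module name fips.so is the OpenSSL 3 name on Linux (fips.dll on Windows), and treating only TLSV1.2 and TLSV1.3 as acceptable is a policy choice made here, not a product rule. The config check follows ".include" directives because OpenSSL 3 FIPS configurations commonly keep the fips section in a separate fipsmodule.cnf generated by openssl fipsinstall.

```sh
#!/bin/sh
# Added example: FIPS preflight and post-restart check for a Knowledge
# Discovery component on Linux. Not part of the product; paths are assumptions.

# Does the OpenSSL config activate the fips provider? OpenSSL 3 loads a provider
# only when a "fips = <section>" entry points at a section with "activate = 1".
# ".include" files are followed; OpenSSL resolves relative include paths against
# the current directory, so the sample below uses absolute paths.
fips_provider_activated() {
  inc=$(sed -n 's/^[[:space:]]*\.include[[:space:]]*=*[[:space:]]*//p' "$1")
  awk '
    /^[ \t]*\[/              { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
    /^[ \t]*fips[ \t]*=/     { target = $0; sub(/^[^=]*=[ \t]*/, "", target); sub(/[ \t]*$/, "", target); next }
    /^[ \t]*activate[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); act[sect] = v }
    END { exit !(target != "" && act[target] == "1") }
  ' "$1" $inc
}

# Does [Server] reference an SSL section via SSLConfig, and is that section's
# SSLMethod TLSV1.2 or TLSV1.3? (Policy assumption of this script; an unset or
# older method fails.) Sections may appear in any order in the file.
component_ssl_ok() {
  awk -F= '
    function val(s) { sub(/^[ \t]*/, "", s); sub(/[ \t\r]*$/, "", s); return s }
    /^[ \t]*\[/ { sect = val($0); next }
    sect == "[Server]" && val($1) == "SSLConfig" { ssl = "[" val($2) "]"; next }
    val($1) == "SSLMethod" { method[sect] = toupper(val($2)) }
    END { m = method[ssl]; exit !(ssl != "" && (m == "TLSV1.2" || m == "TLSV1.3")) }
  ' "$1"
}

# After the restart: the line the component logs when FIPS mode is active.
fips_mode_logged() {
  grep -q 'Running with FIPS mode active' "$1"
}

# Run all checks, then export the variables the component needs at startup.
fips_preflight() {
  conf="$1"; modules="$2"; cfg="$3"
  [ -f "$conf" ] || { echo "OPENSSL_CONF file does not exist: $conf" >&2; return 1; }
  [ -f "$modules/fips.so" ] || { echo "no fips.so in OPENSSL_MODULES: $modules" >&2; return 1; }
  fips_provider_activated "$conf" || { echo "fips provider is not activated in $conf" >&2; return 1; }
  component_ssl_ok "$cfg" || { echo "[Server] SSLConfig/SSLMethod not acceptable in $cfg" >&2; return 1; }
  export OPENSSL_CONF="$conf" OPENSSL_MODULES="$modules"
}

# Constructed sample installation for the demonstration (not a real package
# layout; the config contents are assumptions, not the shipped sample file).
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/openssl" "$d/content/logs"
  : > "$d/openssl/fips.so"   # placeholder standing in for the provider module
  printf '[fips_sect]\nactivate = 1\n' > "$d/openssl/fipsmodule.cnf"
  cat > "$d/openssl/IDOL_openssl_fips.cnf" <<EOF
openssl_conf = openssl_init
.include $d/openssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
EOF
  cat > "$d/content/content.cfg" <<'EOF'
[Server]
SSLConfig=SSLOptions
[SSLOptions]
SSLMethod=TLSV1.2
SSLPrivateKey=/path/to/privatekey
SSLCertificate=/path/to/certificate
SSLCheckCommonName=True
SSLCACertificate=/path/to/certificate.authority.certificate
EOF
  echo "Running with FIPS mode active" > "$d/content/logs/application.log"
  echo "$d"
}

# Demonstration on the constructed sample; replace with your real paths.
sample=$(make_sample)
fips_preflight "$sample/openssl/IDOL_openssl_fips.cnf" "$sample/openssl" "$sample/content/content.cfg" && echo "preflight OK"
fips_mode_logged "$sample/content/logs/application.log" && echo "FIPS mode confirmed in application.log"
```

For a real installation, call fips_preflight with the paths of your IDOL_openssl_fips.cnf, the openssl directory, and the component configuration file from the same shell that starts the component, so the exported variables reach the process; run fips_mode_logged against the component's application.log once it has started. A passing static check is not proof that the provider loaded; the log line is.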

Additional Configuration for NTLM

When your products interact with NTLM, you must use algorithms from the legacy provider: NTLM depends on MD4 (and on MD5 and RC4), which OpenSSL 3 moved out of the default providers into the legacy provider. These algorithms are not FIPS-approved, so NTLM exchanges are not covered by the FIPS validation even when the rest of the system runs in FIPS mode. For more information, see the OpenSSL Legacy Provider documentation.

The Knowledge Discovery packages include legacy.dll on Windows platforms, and legacy.so on all other platforms.

To use the legacy libraries for NTLM

  • Set the OPENSSL_MODULES environment variable to the directory that contains legacy.dll or legacy.so. OPENSSL_MODULES names a single directory, not a search path, so the legacy module must be in the same directory as the FIPS module.

  • (Windows only) Set the PATH environment variable to include the directory that contains the libcrypto-3-x64.dll library. This file is available as part of your Knowledge Discovery component installation.

Verify FIPS Mode

After you install and configure your Knowledge Discovery components, you can start the servers.

After the servers have started, you can verify that the component is running in FIPS mode by checking the application log. By default, this file is in the logs subdirectory of your component directory, with the file name application.log.

For example:

/opt/KnowledgeDiscovery/content/logs/application.log

When the component is successfully running in FIPS mode, the log contains the following line:

Running with FIPS mode active