
11.3. Updating FIPS standards


Red Hat Satellite 5.7 introduces support for Federal Information Processing Standard (FIPS) 140-2, a US Government standard for accrediting cryptographic modules. This support includes the following changes:
  • User passwords, previously hashed with MD5, will be hashed with SHA-256
  • Client certificates (/etc/sysconfig/rhn/systemid), which registered systems use to authenticate with the parent server, are changed from MD5 to SHA-256
New Red Hat Satellite installations on FIPS 140-2 enabled systems do not require any manual changes. Satellite will use FIPS 140-2 standards automatically.
However, if you are upgrading a system and intend to enable FIPS 140-2, you must first update the existing user passwords and client certificates that use MD5.

Procedure 11.3. Updating User Passwords

  1. Export a list of users with MD5-encrypted passwords:
    # spacewalk-report users-md5 > users-md5.csv
    
  2. Change the password of each user using the following for loop:
    # for i in $(awk -F, 'NR>1 { print $4 }' users-md5.csv); do
          echo "Changing password for user $i";
          satpasswd "$i";
          echo;
    done
    
    Alternatively, instruct all users listed in users-md5.csv to log in to Satellite's Web UI. Satellite will automatically change their passwords in the database to use SHA-256.

Procedure 11.4. Updating Client Certificates

  1. Export a list of client systems whose certificates use MD5:
    # spacewalk-report system-md5-certificates > system-md5-certificates.csv
    
  2. Use the spacewalk-fips-tool to schedule an update of systems in an organization. You need to repeat this process for each organization in your Satellite environment. First use the following commands for the organization with ID 1:
    # ORG_ID=1
    # systems=$(awk -F, -v org="$ORG_ID" 'NR>1 && $3 == org { print $1 }' system-md5-certificates.csv)
    # spacewalk-fips-tool -i -u admin -d "2014-12-01 14:00:00" -o /tmp/scheduled-installations.csv $systems
    
    This schedules the installation of the packages required for the certificate update for December 1, 2014 at 2pm.
    Next, either run rhn_check -v on each client or wait until osad picks up the event.
    Finally, use the spacewalk-fips-tool again to schedule an update of certificates:
    # ORG_ID=1
    # systems=$(awk -F, -v org="$ORG_ID" 'NR>1 && $3 == org { print $1 }' system-md5-certificates.csv)
    # spacewalk-fips-tool -c -u admin -d "2014-12-01 14:00:00" -o /tmp/scheduled-installations.csv $systems
    
  3. Repeat this process for each organization ID.
Once the passwords and client certificates are updated, enable FIPS 140-2 on your Satellite server's operating system.
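A pre-flight check for that last step, as an added example that is not part of the Red Hat documentation: it reads freshly re-exported copies of the two reports and succeeds only when neither lists any remaining MD5 users or systems. The function names are hypothetical, the column positions are taken from the awk commands in the procedures above, and the sample CSV content (including its header names) is constructed.

```shell
#!/bin/sh
# Added example: gate for enabling FIPS 140-2, based on the two reports above.
# Assumed column positions (from the page's awk commands): users-md5.csv
# field 4 = login; system-md5-certificates.csv field 1 = system ID, 3 = org ID.

# Print the number of data rows (every non-empty line after the header).
md5_rows() {
    awk 'NR > 1 && NF { n++ } END { print n + 0 }' "$1"
}

# Print "org_id count" for each organization that still has MD5 certificates.
md5_systems_per_org() {
    awk -F, 'NR > 1 && NF { c[$3]++ } END { for (o in c) print o, c[o] }' "$1" | sort -n
}

# Return 0 only when both reports are empty, i.e. no MD5 entries are listed.
fips_ready() {
    n_users=$(md5_rows "$1")
    n_systems=$(md5_rows "$2")
    echo "users with MD5 passwords: $n_users"
    echo "systems with MD5 certificates: $n_systems"
    md5_systems_per_org "$2" | while read -r org count; do
        echo "  organization $org: $count system(s) still to update"
    done
    [ "$n_users" -eq 0 ] && [ "$n_systems" -eq 0 ]
}

# Constructed sample reports; header names are placeholders, not real output.
demo_dir=$(mktemp -d)
cat > "$demo_dir/users-md5.csv" <<'EOF'
col1,col2,col3,login
1,Example Org,10,alice
EOF
cat > "$demo_dir/system-md5-certificates.csv" <<'EOF'
system_id,col2,org_id
1000010001,web01,1
1000010002,web02,1
1000010003,db01,2
EOF
printf 'col1,col2,col3,login\n' > "$demo_dir/users-clean.csv"
printf 'system_id,col2,org_id\n' > "$demo_dir/systems-clean.csv"

if fips_ready "$demo_dir/users-md5.csv" "$demo_dir/system-md5-certificates.csv"; then
    echo "OK to enable FIPS 140-2"
else
    echo "MD5 entries remain; finish Procedures 11.3 and 11.4 first"
fi
```

Run the two spacewalk-report exports again after the scheduled actions have completed, then pass the new files to fips_ready; the per-organization counts show which ORG_ID values still need another pass.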