Additional considerations when enabling FIPS mode in Data Center Expert

After enabling FIPS mode in Data Center Expert in System > Server Administration Settings > Server Access > Security Policy, any devices or configuration settings that match the conditions below also must be updated.

Any devices or systems that have not been updated to meet this stricter cryptography policy may have communication issues and present errors in the Data Center Expert web and desktop client. 

Errors may also be present in nbc.xml log. The nbc.xml log can be viewed from the Data Center Expert web client View Logs in the upper right corner.

See the documentation for security policy definitions from Red Hat here.

SNMPv3

Update any SNMPv3 devices that were using MD5 for Authentication Type or DES for Encryption Type to an SHA/AES equivalent on the device and in DCE SNMP Device Scan Settings so DCE can poll it via SNMPv3.

• Devices can be updated using APC SNMP Device Mass Configuration

  https://community.se.com/t5/DCE-configuration/Mass-Configuration-of-APC-Network-Management-Card-type...

   

• SNMP Device Scan Settings: Device > SNMP Communication Settings > Device Scan Settings

  https://community.se.com/t5/DCE-configuration/Device-Scan-Settings-option-for-SNMP-devices/ta-p/4468...

   

DCE Backups

Any previously configured DCE backups to Windows cifs/smb shares will no longer work due to NTLM security protocols using MD5.  An NFS backup must be configured instead, and any previous backups should be moved to the new or existing NFS share.

• DCE Backup Settings: System > Server Administration Settings > Server Backup/Restore

  https://community.se.com/t5/DCE-server-administration/DCE-server-Backup-Restore/ta-p/446756

   

Saved Reports Windows Exports

Any previously configured saved reports that use Windows Export to a cifs/smb share will no longer work due to NTLM security protocols using MD5. An NFS Export will need to be configured instead, all saved reports will need to be edited and configured to use the new or existing NFS share, and any previous saved reports should be moved to the same NFS share.

• DCE Export Scheduling: Reports > Manage Export Scheduling

  https://community.se.com/t5/DCE-reports/Managing-the-export-action-configurations/ta-p/446845

SSL Protocol and Certificates

All SSL connections to devices and other systems, such as device web pages, SMTP, LDAPS, and API integrations, must be at minimum TLS 1.2 and 2048-bit.

Certificates must include the Subject Alternative Name with the fully qualified domain name (FQDN) and IP address of the monitored device or connected server. New certificates may be required.

• Server SSL Certificates: System > Server Administration Settings > Server SSL Certificates

  https://community.se.com/t5/DCE-server-administration/Server-SSL-Certificates/ta-p/446771

   

NetBotz SSL Communication

NetBotz 355/350/455/550/570 and NetBotz 750/755 require recent firmware versions to communicate with DCE in FIPS mode.

• NetBotz 355/350/455/550/570 requires firmware version 4.5.2 or higher to support TLS 1.2. 
• NetBotz 750/755 requires version 5.4.x and newer for HTTPS related security fixes.

Desktop Client

Although not required, the Data Center Expert desktop client should be reinstalled with FIPS mode enabled to ensure secure communication between client and server.