Federal Information Processing Standard Publication (FIPS) is the United States government specification to cover the levels of security in vendor products that are used by the Department of Defense or other government agencies. AE Services is based on the Red Hat Enterprise Linux (RHEL) operating system, and provides support for some of the recommendations as specified in FIPS Publication 140-2 for Security Level 1, including Annex A.
Important:
You must perform all database backup or restore operations before switching to AE Services secure mode.
After switching over to secure mode, first login to the AE Services server using the management console before accessing the command line interface.
Once secure mode is enabled, Avaya does not recommend switching over to non-secure mode as some of the services might not function correctly. Reinstall is the recommended action.
In secure mode, AE Services supports the account management only through the command line interface and not through the management console.
In secure mode, AE Services does not support diagnostic tests using the management console ().
In secure mode, before configuring GRHA, the new Linux users that have been created on the primary server, must be created manually on the secondary server as well.
Backup taken in non secure mode can only be restored on the AE Services server in non secure mode. Backup taken in secure mode can only be restored on the AE Services server in secure mode.
When AE Services secure mode is enabled, the following changes occur.
The RHEL kernel is configured for kernel FIPS mode. In this mode, the kernel only uses FIPS approved ciphers. This change take effect after the server is rebooted.
SSH is configured to use only FIPS approved ciphers.
The Apache web server presents a valid identity certificate through a connecting browser or a client. The Apache web server known trusted root CA signs the identity certificate before the access to AE Services Management Console or Web Services is granted.
The AE Services DMCC, TSAPI, and CVLAN requires a connecting client to present a valid identity certificate signed by a trusted root CA known by the respective AE Services before a TLS connection is allowed for service.
The AE Services, DLG, is stopped.
Non secure ports that is FTP (21) or DMCC (4721) or TSAPI (450) are blocked by the firewall.
All configured switch connections are updated to use the Secure H323 Connection option located on the Management Console screen, . This option is used by DMCC to set the TLS authentication flag in the Gatekeeper Request (GRQ) message during a device registration process. After a successful Gatekeeper Confirmation (GCF) response is received, a TLS connection to Communication Manager is used for the signaling channel.
Note:
If Secure Mode with FIPS is not enabled on Communication Manager or if Communication Manager does not support Secure Mode with FIPS (Communication Manager versions prior to 6.3.6 and Communication Manager version 6.3.6 and later that do not have the FIPS template installed). The DMCC H323 device registration request is rejected by Communication Manager. For each switch connection where Communication Manager is not in FIPS mode, the system administrator will need to disable the Secure H323 Connection option for DMCC registration to succeed.
DMCC media encryption is configured to only support the SRTP ciphers based on AES128-HMAC32 and AES128-HMAC80 for authenticated and unauthenticated mode.
All configured switch connections are updated to use the Provide AE Services certificate to switch option located on the Management Console screen, Communication Manager Interface > Switch Connections > Add/Edit Connection. When Secure Mode with FIPS is enabled for the AE Services, it is expected that Communication Manager is also functioning in FIPS mode. While in the FIPS mode, Communication Manager is expected to request an identity certificate from any connecting client requesting service. In this case the client is AE Services. The first installed AE Services identity certificate associated with the alias cmtls, aeservices or server, respectively, is used as the identity certificate and sent to Communication Manager when requested.
Note:
If the switch connection is unable to be established, please verify that the CA certificate used to sign the AE Services identity certificate is in the Communication Manager trust store. In addition, verify that the CA certificate used to sign the Communication Manager identity certificate is in the AE Services trust store.
When AE Services secure mode is disabled, the following changes will occur. Any changes made during the enable phase that is not reverted back to its previous state will need to be changed by the system administrator.
The RHEL kernel FIPS mode will be disabled. This change will take effect after the server is rebooted.
The Apache web server will not require a connecting browser/client to present an identity certificate.
DMCC will be configured to support all the available media encryption ciphers used by the DMCC SDK.
