Foglight 7.1.0 - Security and Compliance Guide

FIPS-compliant mode for Foglight Management Server

Foglight Management Server and Foglight cartridges use the Java Cryptographic Extension and Bouncy Castle Java FIPS library for cryptographic operations.

By default, Foglight Management Server does not operate in FIPS-compliant mode. Foglight still uses the FIPS-validated libraries, but it also allows cryptographic algorithms that are not supported by the FIPS 140-2 standard.

When FIPS-compliant mode is enabled:

To enable FIPS-compliant mode, select FIPS Compliance Mode in FIPS Compliance Settings during installation of Foglight Management Server.

CAUTION: Once the FIPS-compliant mode is enabled during installation, it cannot be disabled without a complete re-installation of Foglight.

NOTE: All Foglight Management Server cartridges are FIPS-compliant cartridges, for other cartridges refer to the relevant cartridge release notes.

FIPS-compliant mode for Foglight Agent Manager

Foglight Agent Manager uses the Java Cryptographic Extension and Bouncy Castle Java FIPS library for cryptographic operations.

Whether the Agent Manager is FIPS-compliant is determined by the Foglight Management Server from which the Agent Manager installer is downloaded. That is to say if the Agent Manager installer is downloaded from an FIPS-compliant Foglight Management Server, the Agent Manager will be configured to be FIPS-compliant automatically, and vice versa.

You can check the value of the property fips.approved.mode.enabled in <fglam_home>/state/default/config/client.config file to see in which mode this Agent Manager is running. If the property is True, it means this Agent Manager is FIPS-compliant, and vice versa. In case the property is not found, it means this Agent Manager is not FIPS-compliant as well.

CAUTION: Do NOT change the value of fips.approved.mode.enabled property, otherwise the Agent Manager won’t work with the Foglight Management Server if their FIPS-compliant modes are inconsistent.

CAUTION: As AIX is not listed on the Bouncy Castle FIPS support list, Foglight Agent Manager makes no statement as to the correct operation of the module or the security strengths of the generated keys if Agent Manager runs in AIX operating system.

When FIPS-compliant mode is enabled:

NOTE: Foglight Agent Manager running in FIPS-compliant mode only ensures that the cryptography used by Agent Manager meets the standard. However, to check if the agents running in Agent Manager are FIPS-compliant, refer to the relevant cartridge release notes.

Disclaimer

Quest Software Inc. has made every effort to ensure that the information provided in this document is accurate. However, Quest makes no representation about the content and suitability of this information for any purpose. This information may be modified by Quest at any time. Nothing contained herein shall be construed as a warranty, express or implied, regarding the operation of Quest Software Inc. products.

Usage feedback

The Foglight® Management Server can collect usage data about your environment and send it to Quest Software Inc. to improve support response. This data helps Quest Software Inc. identify potential bottlenecks, and improve the overall Management Server performance and server versions going forward.

The collected usage data contains information about the visited dashboards. It also includes the unique ID of the Management Server and its version information. It does not identify any users or provide additional information about their actions in the user interface.

By default, this feature may be enabled. To turn it off, click Disable on the Communication dashboard. This dashboard is accessible from the navigation panel in the Foglight browser interface, under Administration > Support > Support Notifications > Automatic Communication with Quest.