Foglight 5.9.7 - Security and Compliance Guide

FIPS-compliant mode for Foglight Management Server

Foglight Management Server and Foglight cartridges use the Java Cryptographic Extension and Bouncy Castle Java FIPS library for cryptographic operations.

By default, Foglight Management Server does not operate in FIPS-compliant mode. Foglight still uses the FIPS-validated libraries, but it also allows cryptographic algorithms that are not supported by the FIPS 140-2 standard.

When FIPS-compliant mode is enabled:

To enable FIPS-compliant mode, select FIPS Compliance Mode in FIPS Compliance Settings during installation of Foglight Management Server.

CAUTION: Once the FIPS-compliant mode is enabled during installation, it cannot be disabled without a complete re-installation of Foglight.

NOTE: All Foglight Management Server cartridges are FIPS-compliant cartridges, for other cartridges refer to the relevant cartridge release notes.

FIPS-compliant mode for Foglight Agent Manager

Foglight Agent Manager uses the Java Cryptographic Extension and Bouncy Castle Java FIPS library for cryptographic operations.

Whether the Agent Manager is FIPS-compliant is determined by the Foglight Management Server from which the Agent Manager installer is downloaded. That is to say if the Agent Manager installer is downloaded from an FIPS-compliant Foglight Management Server, the Agent Manager will be configured to be FIPS-compliant automatically, and vice versa.

You can check the value of the property fips.approved.mode.enabled in <fglam_home>/state/default/config/client.config file to see in which mode this Agent Manager is running. If the property is True, it means this Agent Manager is FIPS-compliant, and vice versa. In case the property is not found, it means this Agent Manager is not FIPS-compliant as well.

CAUTION: Do NOT change the value of fips.approved.mode.enabled property, otherwise the Agent Manager won’t work with the Foglight Management Server if their FIPS-compliant modes are inconsistent.

CAUTION: As AIX is not listed on the Bouncy Castle FIPS support list, Foglight Agent Manager makes no statement as to the correct operation of the module or the security strengths of the generated keys if Agent Manager runs in AIX operating system.

When FIPS-compliant mode is enabled:

NOTE: Foglight Agent Manager running in FIPS-compliant mode only ensures that the cryptography used by Agent Manager meets the standard. However, to check if the agents running in Agent Manager are FIPS-compliant, refer to the relevant cartridge release notes.

Disclaimer

Quest Software Inc. has made every effort to ensure that the information provided in this document is accurate. However, Quest makes no representation about the content and suitability of this information for any purpose. This information may be modified by Quest at any time. Nothing contained herein shall be construed as a warranty, express or implied, regarding the operation of Quest Software Inc. products.

Security features for APM appliances

A Foglight® monitoring environment may include one or more physical appliances and/or virtual appliances used for application performance monitoring (APM). This describes the security features present on the appliances.

NOTE: If you are using Foglight Experience Monitor appliances and/or Foglight Experience Viewer appliances, this section does not apply. Review the guides provided with those products. For more information, see the Foglight Experience Monitor Security and Compliance Guide and the Foglight Experience Viewer Security and Compliance Guide.