Data Domain - FIPS configuration and best practices

Summary: The DD file system, SMS, Apache HTTP service, LDAP client, and SSH Daemon use FIPS 140-2 compliant algorithms when FIPS is enabled.


Instructions

To log in over SSH to a protection system or DDVE instance with FIPS enabled, the client must run OpenSSH 5.9p1 or later (the minimum supported SSH version).

Enabling security authorization
You can use the CLI to enable and disable the security authorization policy.
About this task
NOTE: The DD Retention Lock Compliance license must be installed. You are not permitted to disable the authorization policy on DD Retention Lock Compliance systems.
Steps
1. Log in to the CLI using a security officer username and password.
2. To enable the security officer authorization policy, enter:
# authorization policy set security-officer enabled

The following commands always require security officer authorization:
# system fips-mode disable
# system fips-mode enable
 
Enabling FIPS mode
The FIPS mode button allows you to enable or disable FIPS 140-2 compliance mode.
Steps
1. Select Administration > Settings.
2. Click FIPS Mode to enable or disable FIPS 140-2 compliance mode.
Results
After enabling FIPS 140-2 compliance mode, DDOS:
● Forces a password change for the sysadmin account and one security officer account (if security officer is enabled).
● Reboots, causing an interruption in file system access.
● Allows only applications with FIPS-compatible clients to access the file system after the reboot is complete.

FIPS configuration
 
The DD file system, SMS, Apache HTTP service, LDAP client, and SSH Daemon use FIPS 140-2 compliant algorithms when FIPS is enabled.
To enable FIPS compliance mode, run the following command:
# system fips-mode enable
NOTE: Enabling or disabling FIPS compliance mode reboots the system and interrupts any ongoing backup or replication activity.
NOTE: Enabling FIPS mode invalidates all local users' passwords. The sysadmin account and one of the security officers are forced to change their passwords while FIPS mode is being enabled. For the other local users, sysadmin must set new passwords with the user change password command.
NOTE: All backup applications that authenticate with DD local users must restart their backups using the new DD local user passwords. This applies to all protocols.
DDOS uses FIPS-certified libraries including Dell OpenSSL Cryptographic Library, BSafe, Crypto J, Cert-J, and SSL-K.
● Dell OpenSSL Cryptographic Library v2.5
● EMC Crypto-C Micro Edition 4.1.4 cryptographic module
To disable FIPS compliance mode, run the following command:
# system fips-mode disable

Quick reference: service status once FIPS mode is enabled on the system.

Service                  FIPS-compliant   Configuration note
SSH                      Yes              Compliant once FIPS mode is enabled
HTTPS                    Yes              Compliant once FIPS mode is enabled
Telnet                   No               Disabled by default; do not enable with FIPS
FTP/FTPS                 No               Disabled by default; do not enable with FIPS
SMS                      Yes              Compliant once FIPS mode is enabled
Data Encryption          Yes              Compliant once FIPS mode is enabled
Data Replication         Yes              Use two-way authentication
NIS                      Yes              Use SHA512 for user password hashing
LDAP                     Yes              Use TLS authentication
SNMP                     Yes              Use SNMPv3
DD Boost                 Yes              DD Boost client must be version 7.3 or higher
Active Directory         No               Not FIPS-compliant
CIFS                     No               Agnostic to the FIPS mode setting
NFS                      No               Not FIPS-compliant
Secure Remote Services   No               Disabled by default


SSH ciphers, MACs, and key exchange algorithms

When FIPS is enabled:
● Only FIPS 140-2 approved SSH ciphers and MACs can be set. Users with the admin or limited-admin role can configure them with the adminaccess ssh option set ciphers and adminaccess ssh option set macs commands.
● The cipher list, MAC list, and KEX (key exchange algorithm) list in the SSHD configuration file are reset to a default list of FIPS-compliant ciphers, MACs, and KEXs. The previous settings are lost.
When FIPS compliance mode is disabled, the cipher list, MAC list, and KEX list in the SSHD configuration file are reset to the system default list of ciphers, MACs, and KEXs. Again, the previous settings are lost.

The following ciphers, MACs, and key exchange algorithms are supported on systems or DDVE instances running DDOS with FIPS enabled:

Ciphers:
● aes128-ctr
● aes192-ctr
● aes256-ctr
MACs:
● hmac-sha2-256-etm@openssh.com
● hmac-sha2-512-etm@openssh.com
● hmac-sha2-256
● hmac-sha2-512
Key exchange algorithms (KEXs):
● ecdh-sha2-nistp256
● ecdh-sha2-nistp384
● ecdh-sha2-nistp521
● diffie-hellman-group16-sha512
● diffie-hellman-group18-sha512
● diffie-hellman-group14-sha256
 
The cipher list can always be changed by running the adminaccess ssh option set ciphers command. When FIPS is enabled, only FIPS-compliant SSH ciphers can be configured; if a non-FIPS-compliant cipher is specified, the command returns an error.

The MAC list can always be changed by running the adminaccess ssh option set macs command. When FIPS is enabled, only FIPS-compliant SSH MACs can be configured; if a non-FIPS-compliant MAC is specified, the command returns an error.
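The lists above describe what the SSHD configuration is reset to; a practitioner usually also wants to confirm, from a client, what a system actually offers after FIPS mode is enabled. As an added example that is not part of the original article and not a DDOS command, the following Python script connects to a host's SSH port, completes the version banner exchange, reads the server's SSH_MSG_KEXINIT (RFC 4253) without any third-party library, and reports every key exchange algorithm, cipher or MAC the server offers that is not in the FIPS-mode lists given above. The host name is an argument you supply; when none is given it analyses an embedded KEXINIT that is constructed for the example.

```python
"""Audit the SSH algorithms a server offers against the FIPS-mode lists in this article."""
import socket
import struct
import sys

# Key exchange algorithms, ciphers and MACs this article lists for DDOS with FIPS enabled.
FIPS_SSH = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
            "diffie-hellman-group14-sha256"},
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha2-256", "hmac-sha2-512"},
}
SSH_MSG_KEXINIT = 20


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(kex, hostkey, ciphers, macs):
    """Build a KEXINIT payload (RFC 4253 section 7.1); used here only to construct sample data."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message id + 16-byte cookie
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []):
        payload += _name_list(names)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return the algorithm name-lists carried in a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, []  # skip message id and cookie
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        lists.append(raw.split(",") if raw else [])
    return {"kex": lists[0], "hostkey": lists[1],
            "ciphers": list(dict.fromkeys(lists[2] + lists[3])),  # client->server and server->client
            "macs": list(dict.fromkeys(lists[4] + lists[5]))}


def non_fips_offered(offered):
    """Algorithms the server offers that are not in the article's FIPS-mode lists."""
    return {cat: sorted(set(offered[cat]) - FIPS_SSH[cat]) for cat in ("kex", "ciphers", "macs")}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before KEXINIT was received")
        buf += chunk
    return buf


def fetch_kexinit(host, port=22, timeout=5.0):
    """Exchange version banners and return the payload of the server's first binary packet (its KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send free-form lines before the banner
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(s, 1)
        s.sendall(b"SSH-2.0-fipsaudit\r\n")
        packet_length, padding_length = struct.unpack(">IB", _recv_exact(s, 5))
        body = _recv_exact(s, packet_length - 1)  # payload + padding; no MAC before the first key exchange
        return body[:packet_length - 1 - padding_length]


# Constructed sample: a server that still offers some non-FIPS algorithms alongside FIPS ones.
SAMPLE_OFFERED = parse_kexinit(build_kexinit(
    ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    ["rsa-sha2-512"],
    ["aes128-ctr", "chacha20-poly1305@openssh.com", "aes256-ctr"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha1"]))

if __name__ == "__main__":
    offered = parse_kexinit(fetch_kexinit(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_OFFERED
    for cat, bad in non_fips_offered(offered).items():
        print(f"{cat:8s} {'OK' if not bad else 'not in FIPS list: ' + ', '.join(bad)}")
```

Run it as python3 ssh_fips_audit.py <dd-hostname> against a system before and after enabling FIPS mode; anything reported is an algorithm the server would still accept from a client that asks for it. The script never completes a key exchange, so it needs no credentials and leaves only a failed-login-free connection attempt in the server log.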

HTTPS

The Apache HTTPS service uses the same cipher list as SMS.


Data at rest encryption

If Data At Rest Encryption is enabled, then it is FIPS-compliant by default.

TLS cipher-list for management communications and replication control path
For replication, the data path is FIPS-compliant when replication is configured with two-way authentication. If FIPS mode is enabled on the destination DD system, replication is not allowed from DD systems running DDOS versions prior to 7.0.
When FIPS mode is enabled, even if other ciphers were set with the adminaccess option set cipher-list command,
DDOS only uses FIPS-compliant ciphers for the following communication interfaces:
● For DDMC communications to managed DD-systems
● For Replication control path
● By the Data Domain System Management (GUI)
● For REST APIs
The cipher list can be configured with the adminaccess option set cipher-list command.
Application Default TLS Cipher-List
Default Cipher-suites for replication setup and REST APIs are:

● ECDHE-RSA-AES256-GCM-SHA384
● ECDHE-RSA-AES128-GCM-SHA256
● ECDHE-RSA-AES256-SHA384
● ECDHE-RSA-AES128-SHA256
● DHE-RSA-AES256-GCM-SHA384
● DHE-RSA-AES256-SHA256
● DHE-RSA-AES128-GCM-SHA256
● DHE-RSA-AES128-SHA256

Default Cipher-suites for the UI are:
● ECDHE-RSA-AES256-GCM-SHA384
● ECDHE-RSA-AES128-GCM-SHA256
● ECDHE-RSA-AES256-SHA384
● ECDHE-RSA-AES128-SHA256

NIS

If FIPS mode is enabled, ensure that the NIS server is configured to use SHA512 for user password hashing. This applies both to existing NIS users and to new users added to the NIS server. If the NIS server was configured before FIPS mode was enabled, previously working NIS users may no longer be able to log in until all user passwords have been rehashed with SHA512.

LDAP
 
When FIPS is enabled, the LDAP client that runs on a system or DDVE must use TLS. Otherwise, enabling FIPS compliance mode fails.
# authentication ldap ssl enable method start_tls
On a fresh install and upgrade, LDAP SSL ciphers are not explicitly set.
When FIPS compliance mode is enabled, the LDAP SSL ciphers are set to the following:

● ECDHE-RSA-AES256-GCM-SHA384
● ECDHE-RSA-AES256-SHA384
● DHE-RSA-AES256-GCM-SHA384
● DHE-RSA-AES256-SHA256
● AES256-GCM-SHA384
● AES256-SHA256
● ECDHE-RSA-AES128-GCM-SHA256
● ECDHE-RSA-AES128-SHA256
● DHE-RSA-AES128-GCM-SHA256
● DHE-RSA-AES128-SHA256
● AES128-GCM-SHA256
● AES128-SHA256

The configured cipher-list should be:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
When FIPS is disabled, the LDAP SSL cipher list is set to "", an empty string.
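Both the management/replication cipher list and the LDAP cipher list above are OpenSSL cipher-list strings. OpenSSL's cipher-string parser silently ignores any name it does not recognise, so a single missing hyphen (DHE-RSAAES256-SHA256 instead of DHE-RSA-AES256-SHA256) drops that suite from the list without an error. As an added example that is not part of the original article and not a DDOS command, the following Python script resolves a cipher-list string with the local OpenSSL to show which names survive, flags suites that are FIPS-approved but lack forward secrecy (static RSA key transport), and can probe a live TLS endpoint one suite at a time to confirm what the server actually negotiates. The host and port are arguments you supply; the garbled list constant reproduces two typos for demonstration.

```python
"""Check an OpenSSL cipher-list string locally, then optionally probe a live TLS endpoint suite by suite."""
import socket
import ssl
import sys

# The LDAP cipher list from this article, with every name spelled correctly.
LDAP_FIPS_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "AES128-GCM-SHA256:AES128-SHA256")
# Constructed variant with two names missing a hyphen, to show how OpenSSL treats unknown names.
GARBLED_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSAAES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSAAES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "AES128-GCM-SHA256:AES128-SHA256")


def _tls12_suites(spec):
    """TLS 1.2 suites the local OpenSSL selects for a cipher-list string (TLS 1.3 suites are not governed by it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # OpenSSL errors only when *no* name in the string is recognised
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def resolve_cipher_list(spec):
    """Suite names that actually result from the string, in OpenSSL preference order."""
    return [c["name"] for c in _tls12_suites(spec)]


def unrecognised_names(spec):
    """Names OpenSSL silently dropped: a typo in a colon-separated list removes the suite with no error."""
    resolved = set(resolve_cipher_list(spec))
    return [name for name in spec.split(":") if name not in resolved]


def without_forward_secrecy(spec):
    """Suites using static RSA key transport (key exchange 'kx-rsa'): FIPS-approved, but no forward secrecy."""
    return [c["name"] for c in _tls12_suites(spec) if c["kea"] == "kx-rsa"]


def probe_suites(host, port, spec, timeout=5.0):
    """Attempt one TLS 1.2 handshake per suite and return the suites the server accepted.
    Use against an implicit-TLS port (HTTPS, LDAPS); LDAP start_tls on 389 needs the LDAP STARTTLS
    exchange first. Certificate verification is disabled on purpose: this audits algorithms, not identity."""
    accepted = []
    for name in spec.split(":"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep TLS 1.3 from masking the 1.2 suite under test
        try:
            ctx.set_ciphers(name)
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                accepted.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            continue  # server refused this suite (or the name was unknown locally)
    return accepted


if __name__ == "__main__":
    print("dropped by OpenSSL:", unrecognised_names(GARBLED_CIPHER_LIST))
    print("no forward secrecy:", without_forward_secrecy(LDAP_FIPS_CIPHER_LIST))
    if len(sys.argv) == 3:  # host port
        print("server accepted:", probe_suites(sys.argv[1], int(sys.argv[2]), LDAP_FIPS_CIPHER_LIST))
```

Resolve any list locally before setting it on the system, and after enabling FIPS mode probe the management port: every suite the server accepts should appear in the article's default list, and any acceptance of a suite outside it is worth a ticket. The forward-secrecy report is informational only; the static RSA suites are in the article's list, but a practitioner may prefer to lead with the ECDHE and DHE suites.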
SNMP
If the SNMP service is not required, disable the SNMP service.
If the SNMP service is required and enabled, the following is a list of the SNMP configurations that are needed before enabling
FIPS mode.
● SNMP must be configured with SNMP V3.
● SNMP user authentication-protocol must be configured as SHA256.
● SNMP user privacy-protocol must be configured as AES.
SNMP v2/SNMP v1 protocols do not implement cryptographic security, and only SNMP v3 should be used when the system has
FIPS enabled.

FIPS mode on the operating system running a DD Boost client

FIPS mode can be enabled on the operating system running an application that uses the DD Boost client to connect to a DD system, without the application being aware of it and without enabling FIPS mode on the DD system. In that scenario, at least one of the following must be true:

● The DD Boost client on that operating system is version 7.1 or later.
● The password hash for the users on every DD system that this client connects to is sha512. This is set with the adminaccess option set password-hash sha512 command; existing passwords must then be reset so that a new sha512 hash is computed.

If FIPS mode is enabled on the operating system and neither condition is met, all connections from this client to any DD system fail.

DD Boost Client with FIPS mode enabled

When FIPS mode is enabled on the system, applications accessing it over the DD Boost protocol should use version 7.3 of the DD Boost client libraries. This guarantees that operations are FIPS-compliant and use FIPS-compliant algorithms. An application that is FIPS aware and has been updated to put the client library into FIPS mode may do so; in that case not only are FIPS-compliant algorithms used, but the implementations of those algorithms come from FIPS-certified libraries.

When FIPS mode is enabled, the passwords set on the system that is used by DD Boost to access the system must have hash SHA512 values. A user with a password with an MD5 hash will be unable to connect to a FIPS enabled system.

NOTE: The Boost client library an application uses must be version 7.1 or later for the application to connect to a DD system running DDOS 7.1 or later with FIPS mode enabled. The DD Boost client library version that ships with an application is determined by the application provider. A list of all Boost clients that have connected to the DD system in the last 24 hours can be obtained with the ddboost show connections command. Check the Plugin Version column to determine whether any client with a Boost plug-in older than 7.1.x.x is currently connecting to this DD system; all such clients will fail to connect after FIPS mode is enabled on the DD system and must be upgraded first. Check with the application vendor to determine the DD Boost client library version a specific application version uses, to confirm that the application can be used with a DD system that has FIPS mode enabled.

Telnet
Telnet is not FIPS-compliant and is disabled by default.

FTP/FTPS
FTP/FTPS is not FIPS-compliant and is disabled by default.

Active Directory
Active Directory is not FIPS-compliant.
Active Directory continues to work when it is configured and when FIPS is enabled.

CIFS
The CIFS server on DDOS is agnostic to the FIPS mode setting. Even if FIPS mode is enabled, CIFS continues to work in non-FIPS-compliant mode.
To disable CIFS so that it stops accepting connections from clients:
# cifs disable


NFS
NFS is not FIPS-compliant.
● NFS continues to work in a non-FIPS compliant mode.
● NFS can be disabled with the nfs disable command.

Secure Connect Gateway (SCG)
SCG is a secure, two-way connection between Dell EMC products and Dell EMC Customer Support. SCG is disabled by default and continues to work in non-FIPS compliant mode.

DISA STIG standards

Enable FIPS 140-2 approved encryption. DD supports the use of only FIPS 140-2 approved ciphers for secured connections. DD recommends using the UI or CLI to enable FIPS mode:
● UI: Administration > Settings > FIPS Mode
● CLI: system fips-mode enable

Use an authentication server to authenticate users before granting administrative access. DD supports multiple name server protocols such as LDAP, NIS, and AD. DD recommends using OpenLDAP with FIPS enabled. DD manages only local accounts. DD recommends using the UI or CLI to configure LDAP:
● UI: Administration > Access > Authentication
● CLI: authentication ldap commands
Active Directory can also be configured for user logins with FIPS enabled. However, CIFS data access with AD users is no longer supported in that configuration.

The network device must authenticate network management SNMP endpoints before establishing a local, remote, or network connection, using bi-directional authentication that is cryptographically based. DD supports SNMPv3, which is FIPS-compliant. DD recommends using the UI or CLI to configure SNMPv3:
● UI: Administration > Settings > SNMP
● CLI: snmp commands
Use a FIPS 140-2 approved cryptographic hashing algorithm. The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.

NOTE: The DDOS Command Reference guide describes how to use the adminaccess option set password-hash {md5 | sha512} command to set the FIPS 140-2 approved cryptographic hashing algorithm on the system.

Changing the hash algorithm does not change the hash value of any existing password. Passwords that were hashed with md5 still have md5 hash values after the password-hash algorithm is changed to sha512. Those passwords must be reset so that a new sha512 hash value is computed.

 

Additional Information

Externally signed certificates
The certificate authority (CA) certificate is in public certificate (PEM) format and establishes a trusted connection between the external entity and each system.
If the system uses an external key manager, it requires a PKCS12 host certificate and a CA certificate in PEM (public key) format to establish a trusted connection between the external key manager server and each system that it manages.
Certificate signing requires PKCS10 format. The public certificate can be in either PKCS12 (public plus private key) or PEM format. The host certificate in PEM format is used only with the Certificate Signing Request (CSR) feature.
Individual host certificates can be imported for HTTPS and for communication with the external key manager.
Importing the host certificate in PKCS12 format is supported. If there is a CSR on the system, you can import the host certificate in PEM format after the CSR is signed by a Certificate Authority.
NOTE: The system passphrase is required to import the certificate.
On a FIPS-enabled DD system, the PKCS12 file must be FIPS-compliant: the key and certificate in the PKCS12 file must be encrypted with compatible algorithms. We recommend "PBE-SHA1-3DES" for encrypting both the key and the certificate in the PKCS12 file.

DD Encryption provides inline encryption, which means as data is being ingested, the stream is deduplicated, compressed, and encrypted using an encryption key before being written to the RAID group. DD Encryption software uses RSA BSAFE libraries, which are FIPS 140-2 validated.

Secure Connect Gateway (SCG)
Secure Connect Gateway is an IP-based automated connect home and remote support solution that creates both a unified architecture and a common point of access for remote support activities performed on the product. The SCG IP solution does the following:
● Provides continuous monitoring, diagnosis, and repair of minor hardware issues.
● Uses the most advanced encryption, authentication, audit, and authorization for ultra-high security remote support.
● Addresses compliance with corporate and governmental regulations by providing logs of all access events.
● Provides easy integration and configuration with the storage management network and firewalls.
● Provides maximum information infrastructure protection. IP-based sessions enable fast information transfer and resolution.
● Consolidates remote support for the information with the SCG Client.
● Provides remote access to the disaster recovery site and makes recovery from unplanned events seamless.
● Protects information in motion or at rest. AES 256 encryption during information transfer protects the information.
● Reduces costs and data center clutter and accelerates time to resolution. The elimination of modem/phone line costs translates to lower costs.
NOTE: SCG is not FIPS-compliant.
NOTE: Use of FTP or insecure email while connecting to SCG could be a security risk.

Adding a cloud unit for Amazon Web Services S3

AWS offers a range of storage classes. The Cloud Providers Compatibility Matrix, available from E-Lab Navigator provides up-to-date information about the supported storage classes.

About this task
For enhanced security, the Cloud Tier feature uses Signature Version 4 for all AWS requests. Signature Version 4 signing is enabled by default.
The following endpoints are used by the AWS cloud provider, depending on storage class and region. Be sure that DNS is able to resolve these hostnames before configuring cloud units.

Starting in DDOS 7.8, the us-east-1 region no longer supports the legacy endpoint s3.amazonaws.com. The us-east-1 region now requires the endpoint s3.us-east-1.amazonaws.com. Verify the firewall is open to reach the new endpoint before upgrading to DDOS 7.8.

FIPS-compliant endpoints are available for AWS Government Cloud, for example:
s3.fips.us-gov-west-1.amazonaws.com

 

Affected Products

Data Domain
Article Properties
Article Number: 000211241
Article Type: How To
Last Modified: 03 Jul 2024
Version:  2