How to Use FIPS Compliant Algorithms


Updated: May 13, 2016

Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager

System Center 2012 – Operations Manager can use Federal Information Processing Standard (FIPS) compliant algorithms. A FIPS-compliant algorithm implementation is included on your installation media. After you install it, you must manually edit several configuration files.

To use FIPS-compliant algorithms, complete the following steps on every Operations Manager server component.

  • Install Microsoft.EnterpriseManagement.Cryptography.dll.

  • Edit several instances of the machine.config file.

On systems that host a web console, also complete the following steps.

  • Edit the WebHost\web.config file.

  • Edit the MonitoringView\web.config file.

You need the Global Assembly Cache Tool, gacutil.exe. This utility is part of the Windows SDK. For more information, see Gacutil.exe (Global Assembly Cache Tool).

To install the cryptography DLL

  1. On the system hosting the web console, use the Run as Administrator option to open a Command Prompt window.

  2. Change to the SupportTools directory of your installation media, and then to the subdirectory for your platform: AMD64 or i386.

  3. Run the following gacutil command:

      gacutil.exe -i Microsoft.EnterpriseManagement.Cryptography.dll

To edit the machine.config files

  1. Use a plain text editor to open the following machine.config file:

    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config

  2. Add the following content:

      <mscorlib>
          <cryptographySettings>
              <cryptoNameMapping>
                  <cryptoClasses>
                      <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                      <cryptoClass HMACSHA256CSP="Microsoft.EnterpriseManagement.Cryptography.HMACSHA256, Microsoft.EnterpriseManagement.Cryptography, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
                  </cryptoClasses>
                  <nameEntry name="SHA256" class="SHA256CSP"/>
                  <nameEntry name="HMACSHA256" class="HMACSHA256CSP"/>
              </cryptoNameMapping>
          </cryptographySettings>
      </mscorlib>

    Save and close the file when finished.

  3. Repeat the preceding step on the following files:

    %WinDir%\Microsoft.NET\Framework\v4.0.30319\Config\machine.config

    %WinDir%\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config

To edit the web.config file in WebHost

  1. Use a plain text editor to open the following web.config file:

    C:\Program Files\System Center 2012\Operations Manager\WebConsole\WebHost\web.config

  2. In the <encryption> element, add the following element:

      <symmetricAlgorithm iv="SHA256"/>
  3. In the <connection autoSignIn="true" autoSignOutInterval="30"> element, in the <session> tag, add the following attribute: tokenAlgorithm="SHA256".

      <connection autoSignIn="True" autoSignOutInterval="30">
          <session encryptionKey="SessionEncryptionKey" tokenAlgorithm="SHA256">
  4. Save and close the file.

To edit the web.config file in MonitoringView

  1. Use a plain text editor to open the web.config files in the following two locations and complete the next set of steps in each location:

    1. C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config

    2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config

    Warning

    Enabling FIPS is a significant change to the system configuration. There are potential side effects. Please see this KB article, and the Cause section of this KB article for more information.

  2. In the <encryption> element, add the following element:

      <symmetricAlgorithm iv="SHA256"/>
  3. In the <connection autoSignIn="true" autoSignOutInterval="30"> element, in the <session> tag, add the following attribute: tokenAlgorithm="SHA256".

      <connection autoSignIn="True" autoSignOutInterval="30">
          <session encryptionKey="SessionEncryptionKey" tokenAlgorithm="SHA256">
  4. In the <system.web> element, add the following element:

      <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
  5. Save and close the file.
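The following PowerShell script is an added verification check; it is not part of the original article or of Operations Manager. It loads each file named on this page as XML and reports whether the elements from the steps above are present, tries to load the cryptography assembly by the strong name shown in the machine.config snippet, and asks CryptoConfig which HMACSHA256 class the running CLR now resolves; it assumes the default installation path shown above and that the edited elements carry no XML namespace.

```powershell
# Added verification script; not part of the original article. Paths are the ones
# this page names; XPath checks assume the hand-edited elements have no namespace.
$ErrorActionPreference = 'Stop'
$machineConfigs = @(
    "$env:WinDir\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config",
    "$env:WinDir\Microsoft.NET\Framework\v4.0.30319\Config\machine.config",
    "$env:WinDir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
)
$webConfigs = @(
    "C:\Program Files\System Center 2012\Operations Manager\WebConsole\WebHost\web.config",
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config",
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config"
)
# Loads a config file as XML (a malformed hand edit throws here, which is the
# point of running this) and reports whether the element selected by $XPath exists.
function Test-ConfigXPath([string]$Path, [string]$XPath, [string]$Label) {
    if (-not (Test-Path $Path)) { Write-Warning "MISSING FILE $Path"; return }
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $state = if ($xml.SelectSingleNode($XPath)) { 'OK    ' } else { 'ABSENT' }
    Write-Output ("{0}  {1,-24} {2}" -f $state, $Label, $Path)
}
# machine.config: the SHA256 / HMACSHA256 name mappings added in step 2.
foreach ($cfg in $machineConfigs) {
    Test-ConfigXPath $cfg "//cryptoNameMapping/nameEntry[@name='SHA256']"     'nameEntry SHA256'
    Test-ConfigXPath $cfg "//cryptoNameMapping/nameEntry[@name='HMACSHA256']" 'nameEntry HMACSHA256'
}
# web.config: symmetricAlgorithm iv and session tokenAlgorithm in all three files;
# the 3DES machineKey only in the two MonitoringView files.
foreach ($cfg in $webConfigs) {
    Test-ConfigXPath $cfg "//encryption/symmetricAlgorithm[@iv='SHA256']"  'symmetricAlgorithm iv'
    Test-ConfigXPath $cfg "//connection/session[@tokenAlgorithm='SHA256']" 'session tokenAlgorithm'
}
foreach ($cfg in $webConfigs[1..2]) {
    Test-ConfigXPath $cfg "//system.web/machineKey[@validation='3DES' and @decryption='3DES']" 'machineKey 3DES'
}
# Did the gacutil step work? Load the assembly by the strong name from step 2.
try {
    $asm = [System.Reflection.Assembly]::Load('Microsoft.EnterpriseManagement.Cryptography, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35')
    Write-Output ("GAC assembly loaded from " + $asm.Location)
} catch { Write-Warning 'Microsoft.EnterpriseManagement.Cryptography.dll is not in the GAC' }
# Runtime view: which class CryptoConfig resolves for HMACSHA256 in this CLR. This
# reflects only the machine.config of the CLR hosting PowerShell (normally
# Framework64\v4.0.30319 on a 64-bit server), not the other two files.
$hmac = [System.Security.Cryptography.CryptoConfig]::CreateFromName('HMACSHA256')
if ($hmac) { Write-Output ("HMACSHA256 resolves to " + $hmac.GetType().FullName) }
else { Write-Warning 'HMACSHA256 is mapped but its class could not be loaded' }
```

Run it from an elevated PowerShell prompt after completing all four procedures; every line should read OK and the last line should name Microsoft.EnterpriseManagement.Cryptography.HMACSHA256 rather than the default System.Security.Cryptography class.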