Configure FIPS with XenMobile 编辑

Federal Information Processing Standards (FIPS) mode in XenMobile supports U.S. federal government customers by using only FIPS 140-2 certified libraries for all encryption operations. Installing your XenMobile Server with FIPS mode ensures that all data for the XenMobile client and server are fully compliant with FIPS 140-2. That compliance applies to data at rest and data in transit.

Before installing a XenMobile Server in FIPS mode, complete the following prerequisites.

  • Use an external SQL Server 2014 for the XenMobile database. The SQL Server also must be configured for secure SSL communication. For instructions on configuring secure SSL communication to SQL Server, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).

  • Secure SSL communication requires that you install a trusted SSL certificate from a well-known certificate authority (CA) on your SQL Server. Be aware that SQL Server 2014 cannot accept a wildcard certificate. Citrix recommends, therefore, that you request an SSL certificate with the FQDN of the SQL Server.

Configuring FIPS mode

You can enable FIPS mode only during the initial setup of XenMobile Server. It is not possible to enable FIPS after installation is complete. Therefore, if you plan on using FIPS mode, you must install the XenMobile Server with FIPS mode from the start. Also, for XenMobile clusters, all cluster nodes must have FIPS enabled. You cannot have a mix of FIPS and non-FIPS XenMobile Servers in the same cluster.

There is a Toggle FIPS mode option in the XenMobile command-line interface that is not for production use. This option is intended for non-production, diagnostic use and is not supported on a production XenMobile Server.

  1. During initial setup, enable FIPS mode.

  2. Upload the root CA certificate for your SQL Server.

  3. Specify the server name and port of your SQL Server, the credentials for logging into SQL Server, and the database name to create for XenMobile.

    Note:

    You can use either a SQL logon or an Active Directory account to access SQL Server, but the logon you use must have the DBcreator role.

  4. To use an Active Directory account, enter the credentials in the format domain\username.

  5. Once these steps are complete, proceed with the XenMobile initial setup.

To confirm that the configuration of FIPS mode is successful, log on to the XenMobile command-line interface. The phrase In FIPS Compliant Mode appears in the logon banner.

Importing Certificates

The following procedure describes how to configure FIPS on XenMobile by importing the certificate, which is required when you use a VMware hypervisor.

SQL Prerequisites

  1. The connection to the SQL instance from XenMobile must be secure and must be SQL Server version 2012 or SQL Server 2014. To secure the connection, see How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console.

  2. If the service does not restart properly, check the following: Open Services.msc.

    1. Copy the logon account information used for the SQL Server service.

    2. Open MMC.exe on the SQL Server.

    3. Go to File > Add/Remove Snap-in and then double-click the certificates item to add the certificates snap-in. Select the computer account and local computer in the two pages on the wizard.

    4. Click OK.

    5. Expand Certificates (Local Computer) > Personal > Certificates and find the imported SSL certificate.

    6. Right-click the imported certificate (selected in the SQL Server Configuration Manager) and then click All Tasks > Manage Private Keys.

    7. Under Group or User names, click Add.

    8. Enter the SQL service account name you copied in the earlier step.

    9. Clear the Allow Full Control option. By default the service account will be given both Full control and Read permissions, but it only needs to be able to read the private key.

    10. Close MMC and start the SQL service.

  3. Ensure the SQL service is started correctly.

Internet Information Services (IIS) Prerequisites

  1. Download the root certificate (base 64).

  2. Copy the root certificate to the default site on the IIS server, C:\inetpub\wwwroot.

  3. Check the Authentication check box for the default site.

  4. Set Anonymous to enabled.

  5. Select the Failed Request Tracking rules check box.

  6. Ensure that .cer is not blocked.

  7. Browse to the location of the .cer in a web browser from the local server, https://localhost/certname.cer. The root cert text appears in the browser.

  8. If the root cert does not appear in your web browser, ensure that ASP is enabled on the IIS server as follows.

    1. Open Server Manager.

    2. Navigate to the wizard in Manage > Add Roles and Features.

    3. In the server roles, expand Web Server (IIS), expand Web Server, expand Application Development, and then select ASP.

    4. Click Next until the install completes.

  9. Browse to https://localhost/cert.cer.

    For more information, see Web Server (IIS).

    Note:

    You can use the IIS instance of the CA for this procedure.

Importing the Root Certificate During Initial FIPS Configuration

When you complete the steps to configure XenMobile for the first time in the command-line console, you must complete these settings to import the root certificate. For details on the installation steps, see Installing XenMobile.

  • Enable FIPS: Yes
  • Upload Root Certificate: Yes
  • Copy(c) or Import(i): i
  • Enter HTTP URL to import: https://<FQDN of IIS server>/cert.cer
  • Server: FQDN of SQL Server
  • Port: 1433
  • User name: Service account which can create the database (domain\username).
  • Password: The password for the service account.
  • Database Name: A name of your choice.

Enable FIPS mode on mobile devices

By default, FIPS mode is disabled on mobile devices. To enable FIPS mode, go to Settings > Client Properties, edit the Enable FIPS Mode property, and set the value to true. For more information, see Client properties.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:4 次

字数:8858

最后编辑:6 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文