Troubleshooting issues with FIPS mode
The private key that is specified in the ECA configuration is in the PKCS1 format, which is not FIPS compliant and causes the ECA configuration to fail.
Reason:
The PKCS1 format that is used to encrypt the private key relies on the MD5 algorithm, which is not a FIPS-compliant algorithm. Therefore, the ECA configuration fails in FIPS mode.
Sample log message:
PEM_read_PrivateKey failed to read private key from file[C:\eca\private\key-pkcs1_ENCRYPTED.pem]. Provided private key is not FIPS supported.
Solution:
Use a private key in the PKCS8 format.
This problem can occur if there is insufficient entropy on the host where the NetBackup Administration Console runs.
Entropy is the randomness collected by an operating system.
Reason:
The Java processes use /dev/random as the default character device to provide cryptographically secure random output in your NetBackup environment. Reading from /dev/random is a blocking call, so the processes stall when the entropy pool is low.
To check the entropy that is available on the host where the NetBackup Administration Console runs, run the following command. If the command returns a value less than 200, that host has an entropy issue.
cat /proc/sys/kernel/random/entropy_avail
Solution:
Set the USE_URANDOM option to 1 in the nbj.conf configuration file. The Java processes then use the /dev/urandom device instead.
This problem can occur if there is insufficient entropy on the host where the nbwmc service runs.
Entropy is the randomness collected by an operating system.
Reason:
The Java processes use /dev/random as the default character device to provide cryptographically secure random output in your NetBackup environment. Reading from /dev/random is a blocking call, so the service stalls when the entropy pool is low.
To check the entropy that is available on the primary server, run the following command. If the command returns a value less than 200, that server has an entropy issue.
cat /proc/sys/kernel/random/entropy_avail
Solution:
Set the USE_URANDOM option to 1 in the configuration file. The nbwmc service then uses the /dev/urandom device instead.
Reason:
The key size of the NetBackup CA or the ECA hierarchy is less than 2048 bits or more than 3072 bits when you try to enable FIPS mode.
Sample log message:
Attempt to use RSA key with non-approved size: 1024: RSA
Solution:
Reconfigure the NetBackup CA hierarchy and use a key size that is supported in FIPS mode: either 2048 bits or 3072 bits.
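The three checks described on this page (PKCS1 versus PKCS8 key format, RSA key size of 2048 or 3072 bits, and an entropy_avail reading of at least 200) gathered into one pre-flight script. This is an added example, not a NetBackup or Veritas tool; recognising the PKCS1 format by its "RSA PRIVATE KEY" and "DEK-Info" PEM headers is an assumption about how such keys appear on disk, and the openssl-based size check is this example's own approach.

```shell
#!/bin/sh
# Pre-flight checks before enabling NetBackup FIPS mode (added example, not
# a NetBackup tool): PKCS1 vs PKCS8 key format, RSA key size of 2048 or
# 3072 bits, and entropy_avail of at least 200, as in the notes above.

# Classify a PEM private key by its headers. "RSA PRIVATE KEY" plus a DEK-Info
# line is the legacy PKCS1 format whose MD5-based PEM encryption FIPS rejects.
pem_key_format() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        if grep -q '^DEK-Info:' "$1"; then echo pkcs1-encrypted; else echo pkcs1; fi
    else
        echo unknown
    fi
}

# Print RSA modulus bits via openssl; stdin is closed so an encrypted key
# fails (empty output) instead of prompting for a passphrase.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text </dev/null 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Succeed only for the key sizes the FIPS-mode CA hierarchy accepts.
fips_rsa_bits_ok() { [ "$1" = 2048 ] || [ "$1" = 3072 ]; }

# Kernel entropy estimate vs the 200 threshold; optional path for a saved reading.
entropy_ok() { [ "$(cat "${1:-/proc/sys/kernel/random/entropy_avail}")" -ge 200 ]; }

# Run every check on one key file; print findings, return 1 on any failure.
fips_preflight() {
    rc=0
    fmt=$(pem_key_format "$1")
    case "$fmt" in
        pkcs8*) echo "key format: $fmt (ok)" ;;
        *)      echo "key format: $fmt (not FIPS supported, convert to PKCS8)"; rc=1 ;;
    esac
    bits=$(rsa_key_bits "$1")
    if fips_rsa_bits_ok "$bits"; then echo "key size: $bits bits (ok)"
    else echo "key size: ${bits:-unreadable} (must be 2048 or 3072)"; rc=1; fi
    if entropy_ok; then echo "entropy_avail: ok"
    else echo "entropy_avail below 200: set USE_URANDOM=1 in nbj.conf"; rc=1; fi
    return $rc
}

# Usage: sh fips_preflight.sh /path/to/key.pem
if [ -n "${1:-}" ]; then fips_preflight "$1"; fi
```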