Federal Information Processing Standards (FIPS) are established by the US government to enhance the security posture of organizations. They provide guidelines and best practices for securing data, employing strong cryptographic methods, and implementing key management systems. FIPS compliance is required for all US federal agencies and contractors handling sensitive information, as it helps mitigate potential security vulnerabilities and defend against cyber threats.
ServiceDesk Plus operates in FIPS mode to comply with US government standards. Enabling FIPS mode ensures that ServiceDesk Plus is FIPS 140-2 compliant and uses only FIPS-validated algorithms.
Secure Communications: Enabling FIPS compliance will disable HTTP support in ServiceDesk Plus and enforce HTTPS. This ensures that data transfers between any client and ServiceDesk Plus occur over a secure and encrypted channel.
FIPS-Compliant Checksum/Hashing Algorithms: All checksum validation in ServiceDesk Plus will be performed in accordance with FIPS standards. MD5 and SHA-1 hashing algorithms, which are not FIPS compliant, will be restricted.
Restriction on PKCS12 Certificates: ServiceDesk Plus will no longer support PKCS12 (PFX) certificates. Users should employ alternative certificate formats that comply with FIPS security guidelines. This restriction ensures that certificate operations align with the required security protocols.
SAML Algorithm Changes: If SAML was enabled before ServiceDesk Plus version 14840, switching to FIPS mode will change the Service Provider's certificate algorithm. This will affect SAML login (if response signing is enabled for IdP) and logout (if single logout is configured). After enabling FIPS mode, the new certificate will be saved in <server_home>/conf/SamlCertUpgrade/sdp_public_new.cer. This certificate must be uploaded to your Identity Provider to restore SAML functionalities.
Please refer to the prerequisites and limitations before enabling FIPS mode.
Ensure that you start and stop the application before enabling FIPS mode. Additionally, take a backup of the application before configuring FIPS.
Refer to the following steps to configure FIPS:
For Windows, open the command prompt in the <server_installed_directory>bin folder with admin privileges. For Linux, open the terminal.
Execute the ConfigureFIPSMode.bat file for Windows or sh ConfigureFIPSMode.sh for Linux. Refer here for troubleshooting.
Start the server.
LDAP SSL Configuration for AD Domains: Ensure LDAP connections use SSL. You can modify LDAP SSL settings for existing Active Directory domains in ServiceDesk Plus, under Active Directory > Import User(s) from Active Directory and/or LDAP in ESM Directory or Admin settings.
HTTPS Protocol for Integrations: Ensure all integrations in ServiceDesk Plus use HTTPS. If any integrations were previously configured with HTTP, they must be re-configured using HTTPS to ensure secure communication.
UEM Integrations: Update the existing UEM application integrated with ServiceDesk Plus to version 11.3.2410.01 or above. For more details, visit ManageEngine Endpoint Central.
Remote Server Configurations: All remote servers connected to the central server must be configured for FIPS mode to ensure secure communication between all servers. Follow these steps to configure FIPS mode on all remote servers.
SQL Server Prerequisites: Use SQL Server version 2016 or higher. It is recommended that FIPS mode be activated in the SQL server. Refer to these steps to configure the SQL server with SSL before configuring FIPS compliance in ServiceDesk Plus.
Postgres Password: The Postgres user password should contain more than 15 characters. Follow these steps to retrieve your Postgres password. Update the Postgres password using these instructions.
ServiceDesk Plus does not support FIPS mode during a cold start. Start and stop the application at least once with the database populated to activate FIPS mode.
External PgSQL is not supported in FIPS mode. Only the bundled PgSQL and SQL servers with SSL are compatible.
All integrations and outgoing connections (e.g., mail, LDAP, AD, custom functions) from the ServiceDesk Plus application server must be configured securely (HTTPS, SMTPS, LDAPS) by the SDAdmin to comply with FIPS requirements.
Although MD5 and Bcrypt are FIPS non-compliant, ServiceDesk Plus uses them for first-time user logins after FIPS mode is enabled.
| Error/Warning | Solution | Troubleshooting |
|---|---|---|
| FIPS configuration script failed to execute. FIPS is not supported for SQL servers without SSL. | Enable SSL in SQL Server and perform the FIPS configuration. | Follow these steps to enable SSL. |
| FIPS configuration script failed to execute. ServiceDesk Plus is not running in HTTPS mode. | Enable HTTPS in ServiceDesk Plus and perform the FIPS configuration. | FIPS mode does not support HTTP. Refer here to change to HTTPS. |
| FIPS is not supported in cold start. | Start and stop the application once before running the FIPS script. | - |
| PKIX path building failed due to an untrusted certificate. | Kindly install a valid SSL certificate in the database or manually add the untrusted certificate to the application's truststore. Learn more. | Follow these steps to add an untrusted certificate to the application's truststore. |
| Failed to validate the server name in SSL handshake. | Kindly configure a hostname that is compliant with the subject alternative name of the SSL certificate presented by the database server. | The Subject Alternative Name (SAN) in the SSL certificate configured for the SQL server must match the hostname used to connect to the SQL Server. If the SAN does not match, you can either regenerate the certificate and reconfigure it in SQL Server or add a DNS entry that complies with the SAN. |
| FIPS is not supported with External PostgreSQL. | Please migrate the application database to SQL Server or bundled PostgreSQL for FIPS mode. | Refer to this documentation to configure MSSQL or bundled PGSQL. Refer here to migrate existing data. |
| FIPS configuration script executed successfully but could not update run.bat/run.sh file to include FIPS jars. | Please update the run.bat/run.sh file to include FIPS jars manually. | Contact our support team for more details. |
| UEM service Integrated is not compatible. | Your UEM is outdated. To configure FIPS, please update to 11.3.2410.01 (EXE NL build that supports user activation and new algorithm) or above. | To upgrade the UEM version, refer to this link. |
| Remote server is connected with the central server. Please configure FIPS for remote servers. | FIPS might not be configured in the remote server. | Follow these steps to configure FIPS mode on all remote servers. |
| SAML Service Provider certificate algorithm has been updated. SAML login/logout functionality may be affected. | Upload the certificate from <path/to/cert/> to your Identity Provider to restore SAML functionality. | If you are unsure where to download and upload the certificate, refer to this documentation. |
| Postgres database password for user sdpadmin is less than 16 characters. | Update the password to be more than or equal to 16 characters using changeDBPassword to make it FIPS compatible and run the script again. | Follow these steps to retrieve your Postgres password. Change the Postgres password using these pointers. |
| Cold Start was not completed successfully, so the FIPS script cannot be executed. | Please reinitialize the application and run the FIPS script. | Restart the application. If the FIPS script fails again, contact support. |
| Migration invoked/failed and so FIPS script cannot be executed. | Migration Invoked/Failed, and so FIPS script cannot be executed. | Contact our support team for more details. |
| Application is currently running so FIPS mode cannot be executed. | Please stop the application and run the FIPS script. | Refer here to shut down the server. |
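
The "Failed to validate the server name in SSL handshake" entry depends on whether the hostname used to connect to SQL Server is covered by the certificate's SAN. The following Python sketch is an added example, not ManageEngine code, showing how that match is usually evaluated and why a short name or a multi-level subdomain fails. The host names, IP addresses and function names are constructed for illustration, and the RFC 6125-style wildcard handling is an assumption about how the client validates names.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Match one SAN dNSName entry against a hostname, RFC 6125 style."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        # Conservative choice: require at least two fixed labels after the wildcard
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial or non-leftmost wildcards (sql*.example.com, a.*.com) are refused
    return "*" not in pattern and p == h

def san_matches(connect_host, dns_names, ip_addresses=()):
    """True if the host in the connection settings is covered by the SAN."""
    if _is_ip(connect_host):
        # IP literals are compared only with iPAddress entries, never dNSName ones
        target = ipaddress.ip_address(connect_host)
        return any(ipaddress.ip_address(ip) == target for ip in ip_addresses)
    return any(dns_name_matches(name, connect_host) for name in dns_names)

def explain(connect_host, dns_names, ip_addresses=()):
    """Return 'ok' or a hint about why the handshake name check would fail."""
    if san_matches(connect_host, dns_names, ip_addresses):
        return "ok"
    prefix = connect_host.lower() + "."
    fqdn_hits = [n for n in dns_names if n.lower().startswith(prefix)]
    if fqdn_hits:
        return "short name used; connect with " + fqdn_hits[0]
    return "no SAN entry covers " + connect_host

# Constructed sample: SAN entries as read from a database server certificate
SAMPLE_DNS = ["sqlprod01.corp.example.com", "*.db.example.com"]
SAMPLE_IPS = ["10.20.30.40"]

if __name__ == "__main__":
    for host in ["sqlprod01", "SQLPROD01.corp.example.com", "node1.db.example.com",
                 "a.b.db.example.com", "10.20.30.40", "10.20.30.41"]:
        print(f"{host:30} {explain(host, SAMPLE_DNS, SAMPLE_IPS)}")
```
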
For issues or queries related to FIPS compliance in ServiceDesk Plus, please reach out to our support team.