Configure LogRhythm DPAWC

This section explains how to configure the LogRhythm DPAWC (Data Processor, Platform Manager, AIE, Web Console) to run in FIPS mode and communicate with the LogRhythm DX machine using FIPs-approved algorithms.

Prerequisites

• Create Windows service accounts for the LogRhythm core services. This is required when running in FIPS-approved mode. For more information, see Configure User Access Control for FIPS Mode.

Configure the Windows OS for FIPS Mode

Configuring Windows for FIPS mode ensures all .NET services and SQL server uses only FIPS-approved encryption algorithms.

1. Log on to Windows as a Windows system administrator.
2. Click Start, Control Panel, and Administrative Tools.
3. Click Local Security Policy.  
4. The Local Security Settings window appears.
5. In the navigation pane, click Local Policies, and then click Security Options.
6. In the right-side pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
7. In the dialog box that appears, click Enabled, and then click Apply.
8. Click OK.
9. Close the Local Security Settings window.
10. Restart the computer for the change to take affect.

Download and Install the LogRhythm FIPS Package

1. Download the LogRhythm FIPS package (lrdpawc_fips.zip), available on the LogRhythm Community.

   

   The package consists of several applications that are required for running the LogRhythm in FIPS mode.

2. Create the directory C:\Program Files\LogRhythm\LogRhythm FIPS (with one space between LogRhythm and FIPS).
3. Unzip the contents of lrdpawc_fips.zip into that directory.
   The package contains:
   
   • LogRhythm stunnel application and configuration files – stunnel.exe and lrdpawc_stunnel.conf.
   • LogRhythm Mediator Server FIPS SIT file – scmedsvr_fips.hsh
   • OpenSSL 1.0.2u with FIPS Module 2.0.16 - libeay32.dll and ssleay32.dll. This application is by stunnel and lrsitapp.exe.

4. Copy the FIPS version of the Mediator SIT file (scmedsvr_fips.hsh) file to C:\Program Files\LogRhythm\LogRhythm Mediator Server and rename it scmedsvr.hsh.
   

   

   Each LogRhythm service will indicate it is operating in FIPS-approved mode in its respective application log.

Configure the Stunnel Solution for Data Indexer Communications

The LogRhythm services use stunnel to encrypt the DX/DPAWC communications using FIPS-approved algorithms.

1. Edit the stunnel configuration file C:\Program Files\LogRhythm\LogRhythm FIPS\lrdpawc_stunnel.conf:
   
   • Change all instances of LR_DPAWC_IPADDRESS to the IP address of the LR DPAWC machine.
   • Change all instances of LR_DX_IPADDRESS to the IP address of the LR DX machine.
2. Create the stunnel client and server certificates using your organization's Certificate Authority or the Red Hat 7 system's OpenSSL application:
   
   • Copy the lr_stunnel.pem file to C:\Program Files\LogRhythm\LogRhythm FIPS\lr_stunnel.pem.
3. Start stunnel:
   
   • C:\Program Files\LogRhythm\LogRhythm FIPS\stunnel.exe
   • C:\Program Files\LogRhythm\LogRhythm FIPS\lrdpawc_stunnel.conf
   

   You must manually start stunnel each time the machine restarts.

Configure the LogRhythm API Gateway to Use the Stunnel Solution

Configuring the LogRhythm API Gateway involves setting the following system environment variables for the LogRhythm Service Registry to use:

To set the environment variables:

1. Open Windows System Properties. 
   The System Properties dialog box appears.
2. Click the Advanced tab, and then click Environment Variables.
   The Environment Variables dialog box appears.

3. In the System Variables section, set the following variables to the specified values:

   Variable	Value
   FIPS_GATEWAY_ENABLED	true
   FIPS_GATEWAY_IP	DPAWC_IPADDRESS
   FIPS_GATEWAY_PORT	8502

4. Restart the LogRhythm API Gateway service.

5. Restart all the LogRhythm services and the SQL server service.

   

   Each LogRhythm service will indicate it is operating in FIPS-approved mode in its respective application log.