The official documentation recommends disabling FIPS mode on Windows.
This is not an option for my environment. Is there any way to use Insight Asset Discovery to enumerate Windows devices that are in FIPS mode?
I ran into this with the agent; I haven't tried using the WMI method yet.
Thanks in advance.
Hi,
Where did you get that error when you are using the Windows-Agent?
The recommendation is for the Discovery-Tool or Collector-Tool:
when starting the Setup, the password and credential store encryption seems to be affected by FIPS.
But the Windows-Agent doesn't have a password setting, a setup or a credential store,
so it is not affected by that FIPS thing.
PS:
Latest documentation can be found here:
https://documentation.riada.io/display/INSDISC/Recommended+Information
Hi Christian,
Thanks for the tip.
I installed the Windows Agent from the Discovery_Agent_Setup.msi file per the instructions here:
The following message appears in log files that are generated in C:\Program Files\Riada\Discovery Agent\logs\
--------------- Start Discovery Agent (1.15.0.0) local scan ---------------
Error performing scan.
Exceptions:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at Insight.Discovery.Tools.Crypter.GetMD5(String input) in c:\SourceCode\discovery_repo\DiscoTools\Crypter.cs:line 67
at Insight.Discovery.Agent.Const.<.cctor>b__0() in c:\SourceCode\discovery_repo\Discovery_Agent\Const.cs:line 15
at System.Lazy`1.CreateValue()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Lazy`1.get_Value()
at Insight.Discovery.Agent.Program.RunScan() in c:\SourceCode\discovery_repo\Discovery_Agent\Program.cs:line 245
Please advise, thanks.
Okay,
that is.....bad....
For the name of the service, an MD5-based hash is generated.
And your FIPS settings are not allowing MD5 to be used....
That needs some investigation from our side to check and maybe replace it with a FIPS-accepted algorithm.
I have created a public ticket for that
https://jira.riada.io/browse/ID-85
// Christian
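Added example, not part of the thread and not Riada's code: a minimal C# sketch of the failure in the log above and of the kind of FIPS-approved replacement the reply mentions. It assumes .NET Framework on Windows; the class and method names (NameHash, Md5Hex, Sha256Hex) and the sample input are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; names are hypothetical, not the agent's Crypter class.
static class NameHash
{
    // MD5 path: on .NET Framework the provider's constructor throws
    // InvalidOperationException when the Windows FIPS policy is enforced.
    public static string Md5Hex(string input)
    {
        using (var md5 = new MD5CryptoServiceProvider())
            return ToHex(md5.ComputeHash(Encoding.UTF8.GetBytes(input)), 16);
    }

    // FIPS-approved alternative: SHA-256 through the Windows CSP wrapper,
    // truncated to 16 bytes so the identifier keeps MD5's 32 hex characters.
    // The value differs from the MD5 one, so anything keyed on the old
    // identifier would have to be migrated.
    public static string Sha256Hex(string input)
    {
        using (var sha = new SHA256CryptoServiceProvider())
            return ToHex(sha.ComputeHash(Encoding.UTF8.GetBytes(input)), 16);
    }

    // Lower-case hex of the first `bytes` bytes of the digest.
    static string ToHex(byte[] hash, int bytes)
    {
        var sb = new StringBuilder(bytes * 2);
        for (int i = 0; i < bytes; i++) sb.Append(hash[i].ToString("x2"));
        return sb.ToString();
    }

    static void Main()
    {
        const string sample = "Discovery Agent"; // constructed sample input
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        try { Console.WriteLine("MD5:     " + Md5Hex(sample)); }
        catch (InvalidOperationException ex) { Console.WriteLine("MD5 blocked: " + ex.Message); }
        Console.WriteLine("SHA-256: " + Sha256Hex(sample));
    }
}
```

On a host with the FIPS policy enforced, the MD5 call is caught and reported while the SHA-256 call still returns an identifier; with the policy off, both succeed.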
Hi, is there any progress on that issue? I'm in the same situation and looking for a workaround.