To run Web Help Desk in FIPS compliance mode, we'll need:
- A server running the Microsoft Windows Server 64-bit operating system,
- Web Help Desk 12.4 or later, which you can download from the SolarWinds Customer Portal, or Solarwinds.com and
- Visual C++ Redistributible Packages for Visual Studio 2013, which is included with your Web Help Desk software.
For your convenience, the Visual C++ Redistributable Packages for Visual Studio 2013 software can be found in the Web Help Desk installation folder, located at C:\Program Files\WebHelpDesk by default. To install the software, open the WebHelpDesk directory, double-click the vcredist_64.exe file, and follow the prompts on your screen to install the software.
Next, we'll need to update the Windows Path Environment Variable. Navigate to the Control Panel and select System and Security, System, and then Advanced System Settings. Here, you can see the System Properties dialog box with a button for Environment Variables at the bottom of the box. Let's select that and find the Path variable that we need to update.
Now that we've opened the Path variable dialog box, we'll update this box with the path to the Web Help Desk security libraries. At the front of the Variable value text box, enter the location of your the libraries within your Web Help Desk installation. Here, we'll use our default location.
Next, select OK to close the dialog boxes, and then close the System window.
After updating the Path variable, we'll need to stop Web Help Desk before we go any further. Let’s open the Command Prompt in Admin Mode to do this. This step can vary based on your Windows version. In general, you right click the Command Prompt icon and select ‘Run as Administrator’. We’ll be using the Command Prompt to complete the next few steps.
To stop Web Help Desk, we'll need to open the installation folder. By default, this folder is the Web Help Desk folder under Program Files. From here, type in WHD_Stop.bat and select Enter. This will stop Web Help Desk. Be advised this step may take a few moments to complete.
In Windows Explorer, we'll need to copy and paste some preconfigured files from one section of our installation to another. Let’s browse to our installation folder, and then to:
\conf\additional\fips-140-2\webhelpdesk - clean install
Here, we'll find two folders. We'll copy these folders, go back to the root of our Web Help Desk installation, and paste them in the WebHelpDesk folder. If you’re prompted to overwrite some of the files, go ahead and select OK. Next, we need to update the Windows HOSTS file. In this example, I want the system to properly resolve my hostname of helpdesk to the local IP address of the system. We’ll do this by opening the HOSTS file, adding the IP address plus the hostname, and saving the file. Note that helpdesk.local will also be the hostname we use to create a certificate later on.
Now that we saved the HOSTS file, we'll update the WHD.conf file—the main configuration file for Web Help Desk. In the command prompt window, change directories to your installation location, and this time open the
conf directory. From here, you can use notepad to open the file.
We'll need to update a few items here.
First, we need to ensure that the HTTPS port is enabled. So we'll scroll down to HTTPS_PORT, uncomment the line, and then make sure our port setting is what we want. In this case, we want port 443.
Next, we'll scroll down to the Privileged Networks section. In our example today, we want to allow any user in the local network to perform updates, but nothing else. So we'll enter our privileged network as: 192.168.2.0/24
This configuration only allows browsers connecting from this IP range to access Web Help Desk and update the Web Help Desk database.
Since we're using the default installation folder, we can close out the configuration file and create a certificate. If we had a different installation folder, we would use the procedures in the Admin Guide which outlines a few other files that need to be updated.
Next, we'll generate a new certificate. We'll go through the steps for users who want to work with a self-signed certificate, but we'll reference the steps in the Admin Guide for users who want to use a commercial certificate.
For this step, we’ve provided the commands you'll need to run in two different spots, using the Admin Guide as well as a file within the installation folders for Web Help Desk. The Admin Guide is a great place for reference, but rather than copying and pasting the commands from a PDF copy, we'lll copy the code from the copy-paste.txt file located in this folder:
C:\program files\webhelpdesk\conf\additional\fips-140-2\
Let’s open this text file with Microsoft Wordpad rather than notepad. This makes the formatting a bit easier to work with.
With the file open, there are a few things to edit. Our example has
CN=mywebhelpdesk.mydomain for the host. But if you remember earlier, we chose the hostname helpdesk.local to associate with this server. So let’s update that now for each of the commands we need to run.
When that’s done, go back to the command prompt and go to
C:\program files\webhelpdesk\bin\nss-x64\bin\
From here, you can copy and paste the commands to run directly into the command prompt—one at a time.
You’ll be prompted for responses in each case, and in some cases you;'ll have to enter a password for the NSS database that stores the certificate info. The default password we're using in this example is
P@ssw0rd
That’s an upper case P, the at symbol, two lower case s characters, a lower case w, the number zero, and a lower case r followed by a lower case d. We recommend to change this password later.
With a success message at the end of the fourth command, we can restart Web Help Desk by returning to our installation directory and running:
WHD_Start.bat
Notice that the installation now indicates we’re running in FIPS mode. We can now continue selecting ourdatabase of choice in the Getting Started Wizard and finish installation normally.
We will skip this part for now. Lets take a look at our settings after the installation is complete. Go to Settings, General, and Authentication. We'll scroll down a bit, and notice that we have a Green indicator for FIPS. That means we're all set to go.