Fidelis Network Common Criteria Configuration Guide Version 9.0.3
cat sha256
4. If the hash values agree, upload the package on the K2 using the File Management configuration in
System / Version Control.
The installation package is uploaded to the File Management page and the policy updates are
uploaded to Policies / Insight / Air Gap Upload.
The TOE calculates the SHA256 hash and displays it to the administrator.
5. If the hash values agree, initiate installation to the distributed components from the K2.
K2 will copy the package to the desired component.
When the package reaches the intended component, the component is shut down, the update is
installed, and the component is restored to functionality at the new version.
Components that are not the subject of the update (other than K2) remain functional while other
components are updated. The K2 Management Console is unavailable while updates are in progress.
If a component update fails, the component performs an automatic roll-back and an error message is
posted on K2. Depending on the type of failure, the user can take appropriate action, for example,
re-downloading the update tar file after a hash verification check failure.
Power on Self Tests and Process Manager
Each system daemon that uses the component's Cryptographic Module, openssl-1.0.1e-fips, performs a
Power on Self-Test (POST) upon initialization. If the POST fails, the process or service fails to
initialize, and the Cryptographic Module initialization failure messages are entered in
, for example:
Jun 3 23:01:01 linux90s db_maint.log[9313]: Error getting system time from, output tcp_cli_init: error initializing ssl library
Jun 3 23:01:01 linux90s , error fips.c(143): OpenSSL internal error,
Jun 3 23:01:01 linux90s db_maint.log[9313]: Error getting system time from, output tcp_cli_init: error initializing ssl library
Jun 3 23:01:01 linux90s , error fips.c(143): OpenSSL internal error,
The POST failure messages include identification of the distributed component (“linux90s” in the example
above) that sustained the failure.
WARNING: In case of fatal POST failures, contact Fidelis Support immediately.
The process manager service checks the binary integrity of every Fidelis daemon dedicated to the
primary security function of the product before it starts any of them. If a single integrity check fails,
the process manager aborts, none of the daemons are started, and the event is logged in
/var/log/messages, for example:
Aug 12 08:14:23 linux76 pman[29765]: "/FSS/sbin/spoold": wrong checksum
Aug 12 08:14:23 linux76 pman[29765]: Giving up.
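The two failure conditions described in this section can be picked out of collected syslog lines and attributed to the component that logged them. The following is an added example, not part of the Fidelis guide or product: the function names, finding labels and the final benign log line are assumptions made for illustration, and the match strings are taken only from the example messages shown above.

```python
import re

# Syslog prefix "Mon D HH:MM:SS host rest"; the host names the component.
PREFIX = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
# Process manager integrity failure: pman[pid]: "<binary>": wrong checksum
PMAN_CHECKSUM = re.compile(r'^pman\[\d+\]:\s+"([^"]+)":\s+wrong checksum')
PMAN_ABORT = re.compile(r"^pman\[\d+\]:\s+Giving up\.")
# Substrings from the guide's Cryptographic Module failure example.
POST_MARKERS = ("error initializing ssl library", "OpenSSL internal error")

def scan(lines):
    """Return one finding (kind, component, time, detail) per matching line."""
    findings = []
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a syslog-format line
        when, host, rest = m.groups()
        checksum = PMAN_CHECKSUM.match(rest)
        if checksum:
            kind, detail = "integrity_failure", checksum.group(1)
        elif PMAN_ABORT.match(rest):
            kind, detail = "pman_abort", "no daemons started"
        elif any(marker in rest for marker in POST_MARKERS):
            kind, detail = "post_failure", rest
        else:
            continue  # unrelated message
        findings.append({"kind": kind, "component": host, "time": when, "detail": detail})
    return findings

def by_component(findings):
    """Group finding kinds by the component (hostname) that logged them."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["component"], set()).add(f["kind"])
    return {host: sorted(kinds) for host, kinds in grouped.items()}

# First four lines are the guide's own examples; the last is a constructed benign line.
SAMPLE = [
    "Jun 3 23:01:01 linux90s db_maint.log[9313]: Error getting system time from, output tcp_cli_init: error initializing ssl library",
    "Jun 3 23:01:01 linux90s , error fips.c(143): OpenSSL internal error,",
    'Aug 12 08:14:23 linux76 pman[29765]: "/FSS/sbin/spoold": wrong checksum',
    "Aug 12 08:14:23 linux76 pman[29765]: Giving up.",
    "Aug 12 08:15:00 linux76 crond[512]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An integrity_failure finding followed by pman_abort on the same component means no security daemons are running there, so it warrants the same urgency as a POST failure.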