Solve On-Premises 8.7 FIP Connection Error
    • Dark
      Light
    • PDF

    Solve On-Premises 8.7 FIP Connection Error

    • Dark
      Light
    • PDF

    Article summary

    Version 8.7 introduces changes that can cause Solve On-Premises (SOP) to fail when FIPS is re-enabled. If you experience this issue, read the following article to learn how to enable FIPS for IIS and restore SOP functionality.

    Problem

    After you install COP and SOP version 8.7, you receive the following error when you try to access Solve:

    image.png

    image.png

    From Monitors in Settings, you can see the following error:

    Solve connection failed. Please check if the required port (443) is open and proxy settings are configured correctly
    image.png

    In the UserManagementService.log under the path C:\Program Files\ControlUp Inc\ControlUp Server\WebApps\UserManagementService\8_WS, you can see the following log entry:

    2023-03-02 11:44:57,971|28| (null)|Un:(null)|(null)|3968|3/2/2023 11:37:01 AM|ERROR|AesHandler FAILED to encrypt data. | System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
       at System.Security.Cryptography.RijndaelManaged..ctor()
       at SmartX.UMPrivateCloud.ServerLib.AesHandler.Encrypt(String dataToEnc, Byte[] key, Byte[] iv)
    

    Solution

    If you encounter the issue described above, perform the following steps:

    1. From Monitors in Settings, right-click on the Site/Monitor column and click Stop all Monitors.
    2. Close all ControlUp consoles.
    3. Launch the Command Prompt on the COP Server as an administrator and run the following command:
      IISRESET /stop
      
    4. Open Services and stop the ControlUp LDAP Directory Service (ControlUp-LDS) and ControlUp Incidents Service.
    5. Create a configuration file named "noFipsWeb.config" under the path C:\inetpub\AppPoolClrConfig. If the folder does not exist, create it. Copy and paste the following content to the file:
      <configuration>
        <runtime>
          <enforceFIPSPolicy enabled="false" />
        </runtime>
      </configuration>
      
    6. To grant read permissions to the App Pool's identity for the "noFipsWeb.config" file, replace the text <DOMAIN\USERNAME> with your organization's domain and LDS Service username. Run all of the following commands simultaneously on the COP Server:
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "DOMAIN\USERNAME":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\8_WS.Pool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\ConfigurationPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\DefaultAppPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\HandshakePool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\IncidentsReporterPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\IncidentsViewerPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\InstructionsPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\MasterPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\RealTimeStatsPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\SBAPool":(R)
      icacls c:\inetpub\AppPoolClrConfig\noFipsWeb.config /grant "IIS APPPOOL\UploaderPool":(R)
      
    Tip

    If your organization has a separate user for SQL, add a second line below the first line, and replace the text <DOMAIN\USERNAME> on the second line with your organization's domain and the user's username.

    1. To load the configuration file, configure the App Pool's CLRConfigFile property by running all of the following commands simultaneously on the COP Server:
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='8_WS.Pool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='8_WS.Pool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='ConfigurationPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='ConfigurationPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='DefaultAppPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='DefaultAppPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='HandshakePool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='HandshakePool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsReporterPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsReporterPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsViewerPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='IncidentsViewerPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='InstructionsPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='InstructionsPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='MasterPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='MasterPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='RealTimeStatsPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='RealTimeStatsPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='SBAPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='SBAPool'].managedRuntimeLoader:""  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='UploaderPool'].CLRConfigFile:"c:\inetpub\AppPoolClrConfig\noFipsWeb.config"  /commit:apphost
      %windir%\System32\inetsrv\appcmd.exe set config  -section:system.applicationHost/applicationPools /[name='UploaderPool'].managedRuntimeLoader:""  /commit:apphost
      
    2. Open Computer Management and add the ControlUp-LDS service account to the IIS_IUSRS local user group in the COP Server. If the SQL Service account differs from LDS, add both service accounts to the group.
      image.png
    3. Open Services and start ControlUp-LDS and ControlUp Incidents Service. Reset IIS by running the following command:
          iisreset
      
    4. Open a ControlUp console. From Monitors in Settings, right-click on the Site/Monitor column and click Start all Monitors. Open SOP to confirm restored functionality.
    Tip

    If you don't have permission to access Solve, read Solve On-Premises: Replace Certificate.


    Was this article helpful?