Client Automation Security Features › FIPS-Compliant Cryptography › How to Switch to FIPS-Preferred Mode

How to Switch to FIPS-Preferred Mode

In rare circumstances, you may need Client Automation to communicate with components that are not FIPS-compliant, a legacy agent for example, after you have switched the infrastructure to FIPS-only mode. As FIPS-only mode does not support backward compatibility, you need to switch it back to FIPS‑preferred mode.

The following process describes the steps for switching your infrastructure to FIPS‑preferred mode:

Note: The steps pertaining to an enterprise manager apply only if you have a Client Automation enterprise manager in your environment.

1. Modify the default configuration policy on the enterprise manager to switch to the FIPS-preferred mode.

   Note: Changing the FIPS mode through custom configuration policies is not recommended.

2. Check the Event Log on the enterprise manager to verify that the policy has been successfully replicated to all the domain managers.
3. If you do not have an enterprise manager, modify the default configuration policy on all the domain managers to switch to the FIPS-preferred mode.

   Note: You must restart CAF for the FIPS mode to take effect. You must have restarted CAF at least on the enterprise or domain manager before you run the conversion utility on it; otherwise, the conversion utility will fail.

4. Run the conversion utility on the enterprise manager to convert global OSIM parameters to backward compatible format.
5. Check the Event Log on the enterprise manager to verify that the policy has been successfully replicated to all the domain managers.
6. Run the conversion utility on the domain managers to convert local OSIM parameters to backward compatible format.

More information:

Supported FIPS Modes

Run the Conversion Utility

Modify the Configuration Policy to Change the FIPS Mode