

Modify the Configuration Policy to Change the FIPS Mode

You must modify the FIPS-related policies in the default configuration policy to change the FIPS mode of your Client Automation infrastructure. These policies determine the FIPS mode you want to switch to and the action to take before switching the FIPS modes.

If you have an enterprise manager, perform the following steps on the enterprise manager. The policy changes, in this case, are automatically propagated to all the associated domain managers, scalability servers, and agents. If you do not have an enterprise manager, perform the following steps on all the domain managers.

Note: Perform this task only if the FIPS mode of the manager is FIPS-Preferred (Ready for FIPS‑Only).

To modify the configuration policy to change the FIPS mode

  1. Navigate to Control Panel, Configuration Policy, right-click Default Configuration Policy, and click Un-Seal.

    The policy is unsealed and is ready for updates.

    Note: Changing the FIPS mode through custom configuration policies is not recommended.

  2. Navigate to DSM, Common Components, Security, FIPS 140 Settings and modify the following policies:
    FIPS 140 Setting

    Defines the FIPS compliance level. Modify this setting to specify the FIPS mode you want to switch to.

    Change action

    Defines the actions to take when the FIPS 140 setting is changed.

    Note: For more information about the policy values for these settings, see the DSM Explorer Help.

  3. Seal the policy on the manager. For more information about sealing the policy, see the Configuration Policy section of the DSM Explorer Help.

    The policy changes are propagated to all the associated DSM components. This process takes some time, depending on the size of your Client Automation infrastructure.

  4. Change the FIPS mode of the following components manually as the policy changes will not be automatically propagated to these components:

    To change the FIPS mode manually, use the following command:

    ccnfcmda -cmd setparametervalue -ps /itrm/common/security/fips140 -pn installmode -v FIPS_MODE
    
    FIPS_MODE

    Specifies the FIPS mode. Specify 1 for the FIPS-preferred mode and 2 for the FIPS-only mode.

    When the command is successfully executed, the specified FIPS mode is set on the agent.

    Note: Stand-alone DSM Explorer and DSM Reporter do not require any specific configuration as the DSM agent is always installed along with the stand‑alone installation of these two components. The agents automatically receive the policy update from the manager in this case.

  5. Execute the following commands on all DSM components if you have not modified the default setting of the Change action policy, or if you have set it to "Switch FIPS mode on next restart of ITCM":
    caf stop
    caf start
    

    After the caf restarts, the manager operates in the new FIPS mode.

  6. Restart all the instances of DSM Explorer, DSM Reporter, and Web Console.

    The updated FIPS mode is now available in the GUI.

  7. Verify that the FIPS mode of the agents and managers is changed to the required FIPS mode.

    The verification helps ensure that the switch is successful.

    Note: If the conversion utility is not executed successfully, the FIPS mode of the manager remains as FIPS-Preferred (Error Running dsm_fips_conv).
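
The manual switch from steps 4 and 5 as a shell wrapper. This is an added example, not part of the product documentation; it rejects any FIPS_MODE value other than the two the procedure defines and does not restart caf if the parameter change fails. The function names, the "preferred"/"only" aliases, and the DRY_RUN variable are assumptions of this example, as is a UNIX or Linux component with ccnfcmda and caf on the PATH.

```shell
#!/bin/sh
# Added example (not vendor code). Only the ccnfcmda and caf command lines
# come from the procedure; every function and variable name is hypothetical.

FIPS_PS="/itrm/common/security/fips140"   # parameter section from step 4
FIPS_PN="installmode"                     # parameter name from step 4

# Map a mode name or number to FIPS_MODE: 1 = FIPS-preferred, 2 = FIPS-only.
fips_mode_value() {
    case "$1" in
        1|preferred) echo 1 ;;
        2|only)      echo 2 ;;
        *) echo "invalid FIPS mode '$1' (use 1/preferred or 2/only)" >&2
           return 1 ;;
    esac
}

# Print the exact ccnfcmda command line for the requested mode.
fips_mode_command() {
    value=$(fips_mode_value "$1") || return 1
    echo "ccnfcmda -cmd setparametervalue -ps $FIPS_PS -pn $FIPS_PN -v $value"
}

# Run one command, or only print it when DRY_RUN=1.
run_step() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

# Set the mode, then restart caf. Stop at the first failing step so caf is
# never restarted after a failed parameter change.
switch_fips_mode() {
    cmd=$(fips_mode_command "$1") || return 1
    # Word splitting is intended: cmd is built from fixed strings and 1 or 2.
    run_step $cmd || { echo "ccnfcmda failed; caf not restarted" >&2; return 2; }
    run_step caf stop  || return 3
    run_step caf start || return 4
}

# Usage after sourcing this file:  DRY_RUN=1 switch_fips_mode only
```

Run it with DRY_RUN=1 first to review the commands, then confirm the resulting mode as described in step 7.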

More information:

How to Switch to FIPS-Only Mode

How to Switch to FIPS-Preferred Mode

Verify the FIPS Mode of DSM Components

Scenarios When the FIPS Policy Changes Do Not Take Effect