

Before You Switch the FIPS Mode
Before you switch the FIPS mode of your Client Automation infrastructure, you must understand the practical considerations for operating in a particular FIPS mode. This section lists the considerations and prerequisites that you must review before switching the FIPS mode.
Mixed FIPS Modes
When your Client Automation infrastructure is operating in mixed FIPS modes, that is, with some components in FIPS-preferred mode and others in FIPS-only mode, the following restrictions apply:
- Some of the OSIM functionalities may not function correctly when the following components communicate:
  - FIPS-preferred domain manager to FIPS-only scalability server
  - FIPS-preferred enterprise manager to FIPS-only domain manager
- Communication between the following components fails:
  - Client Automation r12 components to FIPS-only DSM components
The following considerations apply when you are linking a domain manager to an enterprise manager:
- You can link only FIPS-only domain managers to a FIPS-only enterprise manager.
- When the FIPS mode of the domain manager or the enterprise manager is FIPS-Preferred (Ready for FIPS-Only) or FIPS-Preferred (Re‑run conversion for FIPS-Only), you cannot perform a link operation.
- If the enterprise manager is in FIPS-preferred mode, you can link FIPS-preferred or legacy domain managers to it.
FIPS-Preferred to FIPS-Only Mode
The following operations or functionalities are not supported after you have switched from FIPS-preferred to FIPS-only mode:
- PLAIN and CACRYPT encryption filters for DTS
- ADT functionality of trusted transfers and DTS domains
- DTS transfer using multicast or broadcast to a group of computers operating in both FIPS-only and legacy mode
- Creating or opening password-encrypted DNA files
- Use of legacy OS and boot images that are not yet upgraded. For information about upgrading images, see the OS Installation Management Administration Guide.
Prerequisites
You must verify that you have done the following before you switch the FIPS mode:
- If you are upgrading a cluster, disable automatic start of Client Automation on all nodes of a cluster prior to upgrading. You can enable the services when all the nodes in the cluster have been upgraded.
- Close all the instances of DSM Explorer (local and remote), Web Console, and CLI sessions when you are running the conversion utility. Do not open new instances of these until the conversion utility has completed the execution.
- Verify that all the configuration policies on the enterprise and domain managers are sealed.
Copyright © 2014 CA Technologies.
All rights reserved.
 