Client Automation Security Features › FIPS-Compliant Cryptography › Scenarios When the FIPS Policy Changes Do Not Take Effect

Scenarios When the FIPS Policy Changes Do Not Take Effect

After you change the FIPS 140 setting in the configuration policy and apply the policy on the manager, Client Automation takes the action based on the value set in the Change action policy. In the following scenarios, the FIPS policy changes do not take effect and you do not see any action based on the Change action policy.

• The policy has not yet arrived at the target computer—check the settings on the target computer using the following command:

  ccnfcmda -cmd getparametervalue -ps /itrm/common/security/fips140 -pn policy
  

  The command returns 0 (legacy), 1 (FIPS-preferred), or 2 (FIPS-only). If the command returns the new FIPS mode value, the new mode will be effective when Client Automation restarts and copies the new value to the installmode parameter. If the command does not return the new FIPS mode value, it indicates that the policy has not yet arrived at the target computer.

  To get the current FIPS mode on the target computer, use the following command:

  ccnfcmda -cmd getparametervalue -ps /itrm/common/security/fips140 -pn installmode
  

  Typically, the installmode parameter and the policy parameter must contain the same value. However, if Client Automation has not been restarted after applying the policy, the installmode parameter will continue to hold the previous policy value until you restart Client Automation.

  Note: For more detailed information about the ccnfcmda configuration agent command, type <command> /? at the command prompt.

• A FIPS-only policy is applied on a DSM manager that has either not executed the conversion utility or completed the conversion utility with errors. As the FIPS-only mode requires that the conversion utility must be successfully executed, changing the policy has no effect until you run the conversion utility successfully on the manager:

  To view whether conversion utility has been run on the manager, use the following command:

  ccnfcmda -cmd getparametervalue -ps /itrm/common/security/fips140 -pn ready_for_fips_only
  

  If the command returns 1, it indicates that the utility has been run successfully on the manager.

  Note: The conversion utility must have been run successfully if you are trying to switch from the FIPS-preferred mode to the FIPS-only mode or from the FIPS‑only mode to the FIPS‑preferred mode.

• The new FIPS mode is the same as the current FIPS mode. If the target computer is already operating in the same FIPS mode as the new FIPS mode, the changes do not take effect on the target computer.
• If the Change action policy is set to “Politely ask user to restart ITCM when ready”, then a dialog appears asking the user to restart Client Automation when the policy reaches the target computer. If this dialog does not appear, check the restartaction parameter on the target machine using the following command:

  ccnfcmda -cmd getparametervalue -ps /itrm/common/security/fips140 -pn restartaction
  

  If the command does not return 2, it indicates that the policy has not yet arrived at the target computer.

  Important! Do not enable the “Politely ask user to restart ITCM when ready” option on a terminal server as it prompts all the users to restart Client Automation!