Configure CA EEM Server in FIPS-only Mode

When you configure CA EEM Server in FIPS-only mode, CA EEM uses only FIPS 140-2 compliant cryptographic libraries to encrypt and decrypt sensitive data.

Notes:

To configure CA EEM in FIPS-only mode

  1. Stop the iGateway service.
  2. Stop the CA Directory services using the following commands:
    Windows
    dxserver stop all
    ssld stop
    
    Linux and UNIX
    su - dsa -c "dxserver stop all"
    su - dsa -c "ssld stop" 
    
  3. Open the iGateway.conf file and set the following tag to ON:
    <FIPSMode>ON</FIPSMode>
    

    Note: To change the mode from FIPS-only to non-FIPS, set the FIPSMode tag to OFF.

  4. Run the following commands from the command prompt:
    Windows
    ssld remove iTechPoz-Server
    ssld install iTechPoz-Server -certfiles "%DXHOME%/config/ssld/personalities" -ca "%DXHOME%/config/ssld/iTechPoz-trusted.pem" -port 21847 -fips
    
    Linux and UNIX
    su - dsa
    ssld remove iTechPoz-Server
    ssld install iTechPoz-Server -certfiles $DXHOME/config/ssld/personalities -ca $DXHOME/config/ssld/iTechPoz-trusted.pem -port 21847 -fips
    

    Note: The option -port specifies the ssld port. If you have configured a different ssld port, replace 21847 in the preceding commands with the correct port number. Also, if you are changing the security mode from FIPS-only to non-FIPS, use the commands in this step without the -fips option.

  5. Start the CA Directory services using the following commands:
    Windows
    ssld start
    dxserver start all
    
    Linux and UNIX
    su - dsa -c "ssld start"
    su - dsa -c "dxserver start all" 
    
  6. Start the iGateway service.

    CA EEM is configured in FIPS-only mode.
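
The FIPSMode edit in step 3 is made by hand, so it is worth checking the tag before the services are restarted in step 5. The following is an added example, not CA-supplied code: `fips_mode_state` is a hypothetical helper that assumes the element sits on a single line, and the sample files are constructed, not real iGateway.conf content.

```shell
#!/bin/sh
# Added example (not vendor code): report the state of the FIPSMode tag in
# iGateway.conf. Assumes the element sits on a single line.
# Prints ON, OFF, MISSING or MALFORMED; exit status is 0 only for ON.
fips_mode_state() {
    conf=$1
    # An unreadable or absent file is reported the same way as an absent tag.
    [ -r "$conf" ] || { echo "MISSING"; return 1; }

    # Count opening and closing tags separately so that an unclosed element
    # such as <FIPSMode>ON<FIPSMode> is reported instead of being accepted.
    opens=$( { grep -o '<FIPSMode>' "$conf" || true; } | wc -l | tr -d ' ')
    closes=$( { grep -o '</FIPSMode>' "$conf" || true; } | wc -l | tr -d ' ')

    if [ "$opens" -eq 0 ] && [ "$closes" -eq 0 ]; then
        echo "MISSING"; return 1
    fi
    if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
        echo "MALFORMED"; return 1
    fi

    # Exactly one well-formed pair: extract the value, ignoring padding.
    value=$(sed -n 's|.*<FIPSMode>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</FIPSMode>.*|\1|p' "$conf")
    case $value in
        ON)  echo "ON";  return 0 ;;
        OFF) echo "OFF"; return 1 ;;
        *)   echo "MALFORMED"; return 1 ;;
    esac
}

# Constructed sample files (not real iGateway.conf content).
demo_dir=$(mktemp -d)
printf '<FIPSMode>ON</FIPSMode>\n'  > "$demo_dir/on.conf"
printf '<FIPSMode>OFF</FIPSMode>\n' > "$demo_dir/off.conf"
printf '<FIPSMode>ON<FIPSMode>\n'   > "$demo_dir/unclosed.conf"
printf '<OtherTag>x</OtherTag>\n'   > "$demo_dir/absent.conf"

for f in on off unclosed absent; do
    printf '%s: %s\n' "$f" "$(fips_mode_state "$demo_dir/$f.conf" || true)"
done
```

Run it against the real file by passing the path to your iGateway.conf as the argument; the non-zero exit status for anything other than ON lets a wrapper script stop before step 5.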