Set the Policy Engine to FIPS_Only Mode

The first step in migrating to FIPS_Only mode is to configure the policy engine in FIPS_Only mode.

To set the policy engine to FIPS_Only operation

  1. Check that Federation Manager is in COMPAT mode. If it is not, reinstall and configure it to run in COMPAT mode.
  2. Verify that the Federation Manager UI is operating.
  3. (Solaris only) Source the Federation Manager environment script, ca_federation_env.ksh, to set the proper environment variables.
  4. From a command prompt, run the setFIPSmigration command, as follows:
    Windows

    Enter setFIPSmigration

    UNIX
    1. Navigate to federation_mgr_home.
    2. Run the environment script, ca_federation_env.ksh, to set the Federation Manager environment variables.
    3. Enter setFIPSmigration.ksh

    The migration process begins.

  5. Do one of the following:
    Windows

    Reboot the Federation Manager system.

    UNIX

    Restart the Federation Manager services by executing the following scripts from a command window:

    1. federation_mgr_home/fedmanager.sh stop
    2. federation_mgr_home/fedmanager.sh start

    When you run the fedmanager.sh script, it sources the Federation Manager environment script, ca_federation_env.ksh.

    Note: Do not stop and start the services as the root user. You must be a non-root user.

  6. Look at the smps.log file to verify that the policy engine is now in MIGRATE mode.

    The location of the log file is federation_mgr_home/logs/server/smps.log.

The policy engine is now operating in FIPS_MIGRATE mode.
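
The UNIX path through steps 4 to 6 as one script. This is an added example, not code from the product or its documentation. It refuses to run as root and checks only the smps.log entries written after the migration started, so an old entry cannot pass the check. Assumptions: the mode name MIGRATE appears literally in smps.log, a 60-second polling window is enough, and the script and function names are hypothetical.

```sh
# Added example, not vendor code. Usage: sh fips_migrate.sh <federation_mgr_home>

# The page's note: do not stop and start the services as root.
# The uid is passed in so the check can be exercised on its own.
require_non_root() {
    [ "$1" -ne 0 ] || { echo "run this as a non-root user" >&2; return 1; }
}

# Number of lines currently in log file $1 (0 if it does not exist yet).
log_lines() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# True if log $1 has a MIGRATE entry after line $2, so that a stale entry
# from an earlier run cannot pass the check. If the log is now shorter than
# $2 lines it was rotated, and the whole file is read.
# Assumption: the mode name appears literally in smps.log.
migrate_logged_since() {
    start=$(( $2 + 1 ))
    if [ "$(log_lines "$1")" -lt "$2" ]; then start=1; fi
    tail -n "+$start" "$1" 2>/dev/null | grep -q 'MIGRATE'
}

run_migration() {
    home=$1
    log="$home/logs/server/smps.log"
    require_non_root "$(id -u)" || return 1
    cd "$home" || return 1
    . ./ca_federation_env.ksh                 # step 4: set the environment
    before=$(log_lines "$log")
    setFIPSmigration.ksh || return 1          # step 4: start the migration
    "$home/fedmanager.sh" stop                # step 5: restart the services
    "$home/fedmanager.sh" start || return 1
    tries=0                                   # step 6: poll up to 60 s (assumed)
    while [ "$tries" -lt 30 ]; do
        if migrate_logged_since "$log" "$before"; then
            echo "smps.log shows MIGRATE since the restart"
            return 0
        fi
        sleep 2
        tries=$(( tries + 1 ))
    done
    echo "no MIGRATE entry since the restart; inspect $log" >&2
    return 1
}

if [ $# -gt 0 ]; then run_migration "$1"; fi
```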