Federation Manager Guide › Migrate Federation Manager to Use FIPS Encryption › How To Migrate from FIPS_COMPAT Mode to FIPS-Only Mode › Set the Federation Manager UI to FIPS_Only Mode

Set the Federation Manager UI to FIPS_Only Mode

After re-encrypting all the necessary data to use FIPS-compatible algorithms, confirm all that all the partnerships and the SSL configuration is FIPS-compatible.

To confirm the settings

1. Restart the Federation Manager services according to your operating environment.
   • Windows

     Use the Federation Manager stop and start shortcuts as follows. If you logged in as a network user and not a local administrator, right-click the shortcut and select Run as administrator.

     1. Start, All Programs, CA, FederationManager, Stop services
     2. Start, All Programs, CA, FederationManager, Start services
   • UNIX

     a. Open a command window.

     b. Run the following scripts:

     federation_mgr_home/fedmanager.sh stop

     federation_mgr_home/fedmanager.sh start

     When you run the fedmanager.sh script, it sources the Federation Manager environment script, ca_federation_env.ksh.

     Note: Do not stop and start the services as the root user.

2. Log in to the Federation Manager UI.
3. Navigate to Infrastructure, Deployment Settings.

   The Configure Deployment Settings dialog opens.

4. Verify that the Confirm button in the Deployment Settings section is active and the message Ready to Migrate to Only mode is set to Yes.

   If these two conditions are not met, one or more of the partnerships or the SSL configuration is not FIPS-enabled. A partnership is not FIPS-enabled because of the following reasons:

   • Redirect Mode setting in the Application Integration dialog using an open format cookie with a PBE algorithm.

     If you configure the Redirect Mode setting to use an open format cookie with a PBE encryption algorithm, the mode is not FIPS-compatible.

   • Delivery type for provisioning is set to the open format cookie with a PBE algorithm.

     If you configure the Provisioning Delivery Type to use an open format cookie with a PBE encryption algorithm, this delivery mechanism is not FIPS-compatible.

   • Global open format cookie settings for delegated authentication are set to the open format cookie with a PBE algorithm.

     If you set the open format cookie settings in the Deployment Settings dialog to use a PBE encryption algorithm, the cookie is not FIPS-compatible.

   To correct these problems, do the following:

   • If there are non-FIPS partnerships, deactivate these partnerships or verify that all such partnerships use FIPS-approved certificates and encryption algorithms.
   • If the SSL configuration is not FIPS approved, deactivate SSL and configure it again using FIPS-approved certificates.
5. Click Confirm to migrate the UI to FIPS_ONLY mode.

The Federation Manager UI is now operating in FIPS_ONLY mode.