How To Migrate from FIPS_COMPAT Mode to FIPS-Only Mode

Securing sensitive data with the robust, FIPS-approved encryption algorithms helps protect that data from security breaches and makes Federation Manager more secure overall.

You can migrate your Federation Manager system to operate using only FIPS-compatible encryption algorithms to secure sensitive data.

You can install Federation Manager in one of three FIPS modes of operation: FIPS_COMPAT, FIPS_MIGRATE, or FIPS_ONLY.

Federation Manager allows only a one-way migration path: from FIPS_COMPAT mode (the default) through FIPS_MIGRATE mode to FIPS_ONLY mode. FIPS_MIGRATE mode lets you transition a Federation Manager environment running in FIPS_COMPAT mode to FIPS_ONLY mode. In FIPS_MIGRATE mode, Federation Manager continues to use the existing encryption algorithms for existing data while you migrate your environment to FIPS_ONLY mode; any new data that requires encryption is encrypted using only FIPS-compliant algorithms.

Important! An environment operating in FIPS_ONLY mode cannot interoperate with, or be backward compatible with, earlier versions of Federation Manager, including custom software that uses older versions of the Federation Manager APIs. If you have custom software built with pre-r12.1 SDKs, recompile it using the r12.1 SDKs to obtain the support required for FIPS_ONLY mode.

To migrate Federation Manager to FIPS_ONLY mode:

  1. Back up your existing configuration.
  2. Set the policy engine to FIPS_MIGRATE mode.
  3. Reencrypt the policy store key.
  4. Reencrypt the policy store administrator password.
  5. Reencrypt the SiteMinder super user password.
  6. Reencrypt client shared secrets.
  7. Reencrypt policy and key store data.
  8. Set the Federation Manager Administrator UI to FIPS_ONLY mode.
  9. Set the embedded secure proxy engine to FIPS_ONLY mode.
  10. Set the embedded policy engine to FIPS_ONLY mode.
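The mode semantics described above (legacy data still readable in FIPS_MIGRATE, new data written only with FIPS-approved algorithms, legacy data refused in FIPS_ONLY) and the one-way path behind the reencrypt steps are the parts most often got wrong in home-grown tooling around such a migration. The following Go program is an added example, not Federation Manager code and not CA's procedure: it models a hypothetical secret store with a constructed one-byte algorithm tag in front of each record, using RC4 as a stand-in for a legacy non-FIPS algorithm and AES-256-GCM as the FIPS-approved one. The names Mode, Store, SetMode, Encrypt, Decrypt and Reencrypt are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"errors"
)

// Mode is one of the page's three FIPS modes, ordered along the one-way migration path.
type Mode int

const (
	FipsCompat  Mode = iota // default; existing data stays under legacy algorithms
	FipsMigrate             // reads legacy and FIPS data, writes FIPS data only
	FipsOnly                // legacy data is rejected outright
)

// Constructed envelope format: one algorithm-tag byte, then the ciphertext. RC4
// stands in for a pre-migration, non-FIPS algorithm; AES-256-GCM is FIPS-approved.
const algLegacy, algFIPS byte = 0x01, 0x02

var ErrLegacyNotAllowed = errors.New("legacy ciphertext rejected in FIPS_ONLY mode")

// Store is a hypothetical secret store that enforces the mode rules (assumption of this example).
type Store struct {
	mode      Mode
	legacyKey []byte      // 16-byte RC4 key
	fips      cipher.AEAD // AES-256-GCM under a 32-byte key
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG; nothing sensible to continue with
	}
	return b
}

func NewStore() *Store {
	block, _ := aes.NewCipher(randBytes(32)) // 32-byte key is always valid
	gcm, _ := cipher.NewGCM(block)
	return &Store{mode: FipsCompat, legacyKey: randBytes(16), fips: gcm}
}

// SetMode permits only the next step on the path: no skipping ahead and no rollback.
func (s *Store) SetMode(to Mode) error {
	if to != s.mode+1 || to > FipsOnly {
		return errors.New("mode transition is not on the one-way migration path")
	}
	s.mode = to
	return nil
}

// rc4Xor is the legacy cipher (symmetric XOR); its keystream reuse is itself a reason to migrate.
func (s *Store) rc4Xor(in []byte) []byte {
	c, _ := rc4.NewCipher(s.legacyKey) // 16-byte key is always valid
	out := make([]byte, len(in))
	c.XORKeyStream(out, in)
	return out
}

// Encrypt writes legacy records in FIPS_COMPAT (pre-migration data), FIPS records otherwise.
func (s *Store) Encrypt(pt []byte) []byte {
	if s.mode == FipsCompat {
		return append([]byte{algLegacy}, s.rc4Xor(pt)...)
	}
	nonce := randBytes(s.fips.NonceSize())
	return append([]byte{algFIPS}, s.fips.Seal(nonce, nonce, pt, nil)...)
}

// Decrypt reads both record kinds in COMPAT and MIGRATE, but refuses legacy ones in FIPS_ONLY.
func (s *Store) Decrypt(env []byte) ([]byte, error) {
	ns := s.fips.NonceSize()
	switch {
	case len(env) == 0 || (env[0] == algFIPS && len(env) < 1+ns):
		return nil, errors.New("empty or truncated envelope")
	case env[0] == algLegacy && s.mode == FipsOnly:
		return nil, ErrLegacyNotAllowed
	case env[0] == algLegacy:
		return s.rc4Xor(env[1:]), nil
	case env[0] == algFIPS:
		return s.fips.Open(nil, env[1:1+ns], env[1+ns:], nil)
	}
	return nil, errors.New("unknown algorithm tag")
}

// Reencrypt is the "reencrypt ... data" step; it is only allowed in FIPS_MIGRATE mode.
func (s *Store) Reencrypt(env []byte) ([]byte, error) {
	if s.mode != FipsMigrate {
		return nil, errors.New("reencryption must run in FIPS_MIGRATE mode")
	}
	pt, err := s.Decrypt(env)
	if err != nil {
		return nil, err
	}
	return s.Encrypt(pt), nil
}
```

The design point is the algorithm tag: without it, a store cannot tell which records still need reencryption, cannot refuse legacy records once in FIPS_ONLY, and cannot verify that the reencrypt steps actually finished before the final mode switch. Checking for any remaining legacy-tagged records is the natural pre-flight test before moving an environment to FIPS_ONLY.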

Important! After you migrate to FIPS_ONLY mode, partnerships configured with certificates that are not FIPS-approved stop working. Reencrypt partnership data using FIPS-compliant algorithms before migrating to FIPS_ONLY operation.

The following sections describe each procedure in detail.


Copyright © 2010 CA. All rights reserved.