

Change the CA EEM FIPS Mode Security Setting

During installation, the CA EEM FIPS mode property is set to on or off. This setting determines the algorithms that are used to encrypt data that is transferred between CA EEM and CA Process Automation. When FIPS mode is on, the algorithms are compatible with FIPS 140-2. When CA Process Automation is installed with a CA EEM that is configured with FIPS Mode set to on, the FIPS-compliant certificate setting is displayed as selected.

Important! The FIPS setting for CA Process Automation must match the FIPS setting for CA EEM. If CA EEM uses FIPS mode, CA Process Automation must use FIPS-compliant certificates.

You can change the FIPS-compliant certificate security setting at the following levels:

  • Domain
  • Environment
  • Orchestrator

Regardless of the level where the FIPS-compliant certificate setting is changed, it impacts the entire Domain. The Domain has one CA EEM. The FIPS-compliant certificate setting must reflect the CA EEM FIPS Mode setting and an iGateway file setting.

Important! Confer with your Domain Administrator before changing any CA EEM security setting. Security settings have widespread impact.

Follow these steps:

  1. Obtain the EEM Certificate password from the installer.
  2. Shut down CA Process Automation on all Orchestrators except the Domain Orchestrator, if applicable.
  3. Log on to the server where the CA Process Automation Domain Orchestrator is installed and do the following:
    1. Shut down CA Process Automation.
    2. Stop the Orchestrator service. For example, from the Windows Start menu, select CA, CA Process Automation 4.0, Stop Orchestrator Service.
  4. Log on to the server where CA EEM is installed and do the following:
    1. Shut down CA EEM.
    2. Stop the CA iTechnology iGateway service.
  5. Navigate to the ...\CA\SharedComponents\iTechnology folder.
  6. Change the FIPS mode setting in the igateway.conf file.
    1. Open igateway.conf for edit. For example, right-click igateway.conf and select Edit with Notepad++.
    2. Locate the line with the FIPSMode setting. For example:
      Line 4: <FIPSMode>off</FIPSMode>
      
    3. Change the value from off to on or from on to off.
    4. Save the file and close it.
  7. Run the iGateway Certificate Utility (igwCertUtil) to convert the CA EEM certificate types as follows:
  8. Restart the iGateway service.
  9. Restart CA EEM with the appropriate FIPS Mode setting.
  10. Restart the Orchestrator service on the server with the Domain Orchestrator.
  11. Log in to CA Process Automation and view the FIPS-compliant certificate security setting and related settings as follows:
    1. Log in to CA Process Automation and click the Configuration tab.
    2. Navigate to the level where you want to implement the change and lock it (Domain, Environment, or Orchestrator).
    3. View the FIPS-compliant certificate check box.
    4. If your change was to turn on FIPS Mode for CA EEM, do the following:
      • Verify that FIPS-compliant certificate is selected. If it is not, select it.
      • In the CA EEM Certificate Key field, enter the key that you generated.
    5. If your change was to turn off FIPS Mode for CA EEM, do the following:
      • Verify that the FIPS-compliant certificate is cleared. If it is not, clear it.
      • In the CA EEM Certificate Password field, enter the password that you generated.
    6. Click Save.
    7. Unlock the level: Domain or Environment from the Browser palette, or Orchestrator from the Orchestrator palette.
  12. Restart CA Process Automation on servers with Orchestrators that are not the Domain Orchestrator.
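
The igateway.conf edit in step 6 can also be scripted, so that the current value is checked and a backup copy is kept before anything is written. The following is an added example, not CA tooling: the function names and the sample file contents are constructed for illustration, and only the `<FIPSMode>` element comes from this page. Run it only while the iGateway service is stopped (step 4).

```python
import re
import shutil
import tempfile
from pathlib import Path

# The element shown in step 6, matched on raw bytes so line endings and
# every other setting in the file are written back untouched.
FIPS_RE = re.compile(rb"(<FIPSMode>)\s*([^<]*?)\s*(</FIPSMode>)")

# Constructed sample; only the FIPSMode line mirrors the page.
SAMPLE = (b"<SampleRoot>\r\n  <Other>x</Other>\r\n"
          b"  <FIPSMode>off</FIPSMode>\r\n</SampleRoot>\r\n")

def read_fips_mode(data: bytes) -> str:
    """Return 'on' or 'off'; refuse a missing, repeated or unexpected setting."""
    found = FIPS_RE.findall(data)
    if len(found) != 1:
        raise ValueError(f"expected one <FIPSMode> element, found {len(found)}")
    value = found[0][1].decode("ascii", "replace").lower()
    if value not in ("on", "off"):
        raise ValueError(f"unexpected FIPSMode value {value!r}")
    return value

def set_fips_mode(conf_path, target: str) -> str:
    """Write target ('on'/'off') into the file; return the previous value."""
    if target not in ("on", "off"):
        raise ValueError("target must be 'on' or 'off'")
    path = Path(conf_path)
    data = path.read_bytes()
    previous = read_fips_mode(data)
    if previous != target:
        # Keep a copy so the change can be reverted if a later step fails.
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(FIPS_RE.sub(
            lambda m: m.group(1) + target.encode() + m.group(3), data, count=1))
    return previous

def demo():
    """Flip the constructed sample from off to on in a temporary folder."""
    with tempfile.TemporaryDirectory() as folder:
        conf = Path(folder) / "igateway.conf"
        conf.write_bytes(SAMPLE)
        previous = set_fips_mode(conf, "on")
        backup = (Path(folder) / "igateway.conf.bak").read_bytes()
        return previous, read_fips_mode(conf.read_bytes()), conf.read_bytes(), backup

if __name__ == "__main__":
    print(demo()[:2])
```

Calling `read_fips_mode` on the file again after the edit, and before restarting iGateway in step 8, confirms that the value on disk is the one you intend CA EEM and CA Process Automation to share.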