Back Option Not Supported During Console Mode Install (74339)

The option to go back to reenter incorrectly supplied information is not supported during console mode installation on UNIX.

SOA Agent Configuration Wizard Does Not Provide FIPS-migration Option (142521)

The SOA Agent Configuration Wizard provides options to specify FIPS-compatibility and FIPS-only modes, but does not provide an option to set FIPS-migration mode.

Workaround

FIPS-migration mode is available and can be set manually by using the smreghost command.

  1. Open a command window.
  2. Enter the smreghost command using the following required arguments:
    smreghost -i policy_server_IP_address:[port] -u administrator_username -p Administrator_password -hn hostname_for_registration -hc host_configuration_object -cf MIGRATE -f path_to_host_config_file
    

    Note: Separate each command argument from its value with a space. Surround any values that contain spaces with double quotes (").

    Where the command arguments are as follows:

    -i policy_server_IP_address:port

    Indicates the IP address of the Policy Server where you are registering this host. Specify the port of the authentication server only if you are not using the default port.

    If you specify a port number, which can be a non-default port, that port is used for all three Policy Server servers (authentication, authorization, accounting). However, the unified server responds to any Agent request on any port. For example, if you specify port 55555, the policy server entry in the SmHost.conf file shows the following:

    "policy_server_ip_address,55555,55555,55555"

    Example: (IPv4) 127.0.0.1,55555

    Example: (IPv6) [2001:DB8::/32][:55555]

    -u administrator_username

    Indicates the name of the SOA Security Manager administrator with the rights to register a trusted host.

    -p Administrator_password

    Indicates the password of the Administrator who is allowed to register a trusted host.

    -hn hostname_for_registration

    Indicates the name of the host to be registered. This can be any name that identifies the host, but it must be unique. After registration, this name is placed in the Trusted Host list in the Administrative UI.

    -hc host_config_object

    Indicates the name of the Host Configuration Object configured at the Policy Server. This object must exist on the Policy Server before you can register a trusted host.

    -cf FIPS mode

    Specifies one of the following FIPS modes:

    • COMPAT--Specifies non-FIPS mode, which lets the Policy Server and the Agents read and write information using the existing SOA Security Manager encryption algorithms. If your organization does not require the use of FIPS-compliant algorithms, the Policy Server and the Agents can operate in non-FIPS mode without further configuration.
    • MIGRATE--Specifies FIPS-migration mode, which is used when you are upgrading an earlier version of SOA Security Manager to full-FIPS mode. The Policy Server and the Agents continue to use the existing SOA Security Manager encryption algorithms as you migrate your environment to use only FIPS 140-2 approved algorithms.
    • ONLY--Specifies full-FIPS mode, which requires that the Policy Server and Web Agents read and write information using only FIPS 140-2 algorithms.

    Important! A SOA Security Manager installation that is running in Full FIPS mode cannot interoperate with, or be backward compatible to, earlier versions of SOA Security Manager, including all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. You must re-link all such software with the corresponding versions of the respective SDKs to achieve the required support for Full FIPS mode.

    If this switch is not used, or you use the switch without specifying a mode, the default setting is used.

    Default: COMPAT

    Note: For more information about the FIPS Certified Module, the algorithms being used, the data that is being protected, and the SOA Security Manager Cryptographic Boundary, see the Policy Server Administration Guide.

    -f path_to_host_config_file

    (Optional) Indicates the full path to the file that contains the registration data. The default file is SmHost.conf. If you do not specify a path, the file is installed in the location where you are running the smreghost tool.

    If you use the same name as an existing host configuration file, the tool backs up the original and adds a .bk extension to the backup file name.

    Windows example:

    smreghost -i 123.123.1.1 -u SiteMinder -p mypw -hn "host computer A" -hc DefaultHostSettings -cf MIGRATE -f "C:\Program Files\CA\SOA Security Manager\bin"
    

    UNIX example:

    smreghost -i 123.123.1.1 -u SiteMinder -p mypw -hn "host computer A" -hc DefaultHostSettings -cf MIGRATE -f "/CA/SOA_Security_Manager/bin"
    

    The agent is reregistered in FIPS-migration mode.

  3. Repeat the previous steps for each server in the environment on which a trusted host is registered.

The FIPS migration strategy for a complete SOA Security Manager environment is documented in the SOA Security Manager Upgrade Guide.
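
The workaround procedure as a dry-run helper, added here as an example and not part of the product or its documentation: it validates the -cf value, applies the quoting note, prints the per-host command with the password left as a placeholder, and checks a host configuration file for the policy server entry described under -i. The function names and the host list are constructed for illustration, and the entry check covers only the IPv4 form with an explicit port.

```shell
#!/bin/sh
# Added example (not vendor code): dry-run helper for the smreghost procedure.

# Accept only the three -cf values listed on this page.
valid_fips_mode() {
  case "$1" in COMPAT|MIGRATE|ONLY) return 0 ;; *) return 1 ;; esac
}

# Apply the page's quoting note: double quotes around values with spaces.
# Values that already contain a double quote are rejected, not escaped.
quote_arg() {
  case "$1" in
    *'"'*) return 1 ;;
    *' '*) printf '"%s"' "$1" ;;
    *)     printf '%s' "$1" ;;
  esac
}

# Print the command for one host; the password is a placeholder so the
# output can be logged or reviewed without exposing the credential.
# Args: policy_server admin hostname host_config_object fips_mode conf_path
build_smreghost_cmd() {
  valid_fips_mode "$5" || { echo "unsupported -cf value: $5" >&2; return 1; }
  for v in "$1" "$2" "$3" "$4" "$6"; do
    quote_arg "$v" >/dev/null || { echo "unquotable value: $v" >&2; return 1; }
  done
  printf 'smreghost -i %s -u %s -p %s -hn %s -hc %s -cf %s -f %s\n' \
    "$(quote_arg "$1")" "$(quote_arg "$2")" '<password>' \
    "$(quote_arg "$3")" "$(quote_arg "$4")" "$5" "$(quote_arg "$6")"
}

# Entry the page says SmHost.conf shows when one port is given to -i.
expected_policy_entry() {   # args: ip port
  case "$2" in ''|*[!0-9]*) return 1 ;; esac
  printf '"%s,%s,%s,%s"' "$1" "$2" "$2" "$2"
}

# Post-registration check: does the host config file carry that entry?
conf_has_entry() {          # args: file ip port
  entry=$(expected_policy_entry "$2" "$3") || return 2
  grep -qF -- "$entry" "$1"
}

# Step 3 as a loop over a constructed host list (one name per line).
printf '%s\n' 'host computer A' 'agent-host-b' | while IFS= read -r h; do
  build_smreghost_cmd 123.123.1.1 SiteMinder "$h" DefaultHostSettings \
    MIGRATE /CA/SOA_Security_Manager/bin
done
```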

More information

Set an Agent to FIPS-Migration Mode