Installation Guides › Upgrade Guide › Using FIPS-Compliant Algorithms › Migration Roadmap—Re-Encrypt Sensitive Data

Migration Roadmap—Re-Encrypt Sensitive Data

Before your environment can operate in FIPS-only mode, you must:

• Set specific components to operate in FIPS-migration mode.
• Re-encrypt existing sensitive data using FIPS-compliant algorithms.

The following figure illustrates a sample r12.1 SP3 environment and details:

• The order in which you configure components to operate in FIPS-migration mode
• The existing sensitive data that you must re-encrypt

  

1. Each Policy Server in the environment is set to operate in FIPS-migration mode.
   • The policy store key, which is located in the EncryptionKey.txt file, is encrypted using algorithms that are not FIPS compliant. Re-encrypt this key for each Policy Server in the environment before configuring the environment for FIPS-only mode.
   • The policy store administrator password is encrypted using algorithms that are not FIPS compliant. Re-encrypt this password before configuring the environment for FIPS-only mode.

     Important! If you have configured a separate database for a key store, audit logs, token data, or a session server, these passwords are encrypted using algorithms that are not FIPS compliant. Re-encrypt these passwords before configuring the environment for FIPS-only mode.

   • The SOA Security Manager Super User password is encrypted using algorithms that are not FIPS compliant. Re-encrypt the password before configuring the environment for FIPS-only mode.

     Note: This is the password for the default SOA Security Manager administrator account. This account is used for all administrative tasks that do not require direct access to the Administrative UI. This is not the password for the Administrative UI administrator account with Super User privileges.

2. Each SOA Agent, including custom Agents, in the environment is set to operate in FIPS-migration mode.

   The shared secrets that the Policy Servers and Agents use to establish encrypted communication channels are encrypted using algorithms that are not FIPS compliant. Re-encrypt the shared secrets before configuring the environment for FIPS-only mode.

3. Keys and sensitive policy store data is re-encrypted.

   Note: The previous figure depicts a single database instance as a policy/key store. Your environment may use separate database instances for individual policy and key stores.

   Sensitive data stored in a policy store or policy and key stores is encrypted using algorithms that are not FIPS compliant. Re-encrypt the keys and sensitive policy store data before configuring the environment for FIPS-only mode.