Migration to FIPS ONLY Mode

On an upgrade, you can change the FIPS mode on the SPS from COMPAT to ONLY as long as the SiteMinder Policy Server is also in FIPS ONLY mode or FIPS COMPAT mode.

To change the SPS to FIPS Only mode

  1. Stop SPS services.
  2. Set the OPENSSL_FIPS environment variable with a value of 1.

    This setting enables FIPS mode for the openssl command-line utility.

  3. Set the CA_SM_PS_FIPS140 environment variable with a value of ONLY.

    This setting lets the SPS and Apache code determine the FIPS mode.

    For UNIX

    In the proxyserver.sh file at sps-home/proxy-engine/proxyserver.sh set the CA_SM_PS_FIPS140 environment variable to a value of ONLY.

  4. Open a command-line window.
  5. Run the following command:

    smreghost -i policy_server_ip_address -u administrator_user_name -p administrator_password -hn hostname_for_registration -hc host_config_object -f path_to_host_config_file -o -cf ONLY

    Example:

    smreghost -i localhost -u siteminder -p firewall -hn helloworld -hc host -f "C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf" -o -cf ONLY

  6. Determine whether the SPS is running in full SSL mode. If SSL is already enabled on Apache inside SPS, SSL must be disabled and reconfigured for FIPS ONLY mode.
  7. Change the value of the SSLPassPhraseDialog variable in httpd-ssl.conf (in the sps_home\httpd\conf\extra folder) from builtin to custom.
  8. Uncomment the following line in httpd-ssl.conf:

    SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"

  9. Restart the SPS machine. (Windows only)
  10. Start SPS services.
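The edits in steps 2, 3, 7 and 8 are easy to get half-right (an `SSLPassPhraseDialog builtin` line left active, or the `SSLCustomPropertiesFile` line still commented out), and the mistake only shows up when Apache fails to start after step 10. As an added example that is not part of this CA documentation, the POSIX shell script below checks those four settings in the UNIX proxyserver.sh and in httpd-ssl.conf before services are started. The `SPS_HOME` default and all sample file contents are constructed for the demonstration; the relative paths `proxy-engine/proxyserver.sh` and `httpd/conf/extra/httpd-ssl.conf` are the ones named in the steps above.

```shell
#!/bin/sh
# Added pre-flight check for the FIPS ONLY migration steps above.
# Not part of the CA SPS product; the install path and sample file
# contents are constructed for this example.

# Assumed install directory; override with SPS_HOME=... in the environment.
SPS_HOME="${SPS_HOME:-/opt/CA/secure-proxy}"

# check_env_vars FILE
# Returns 0 when FILE sets OPENSSL_FIPS=1 and CA_SM_PS_FIPS140=ONLY
# (steps 2 and 3), either as NAME=VALUE or as "export NAME=VALUE".
check_env_vars() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?OPENSSL_FIPS=1([[:space:]]|$)' "$1" || return 1
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?CA_SM_PS_FIPS140=ONLY([[:space:]]|$)' "$1" || return 1
    return 0
}

# check_ssl_conf FILE
# Returns 0 when httpd-ssl.conf has an active "SSLPassPhraseDialog custom"
# (step 7), no active "SSLPassPhraseDialog builtin" left behind, and an
# uncommented SSLCustomPropertiesFile pointing at spsssl.properties (step 8).
check_ssl_conf() {
    grep -Eq '^[[:space:]]*SSLPassPhraseDialog[[:space:]]+custom[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*SSLPassPhraseDialog[[:space:]]+builtin' "$1" && return 1
    grep -Eq '^[[:space:]]*SSLCustomPropertiesFile[[:space:]]+"?[^"#]*spsssl\.properties"?' "$1" || return 1
    return 0
}

# preflight
# Runs both checks against a real install rooted at $SPS_HOME (paths from the
# migration steps). Returns 0 only when every setting is in place.
preflight() {
    check_env_vars "$SPS_HOME/proxy-engine/proxyserver.sh" &&
    check_ssl_conf "$SPS_HOME/httpd/conf/extra/httpd-ssl.conf"
}

# write_samples DIR
# Writes constructed "before" and "after" excerpts of the two files so the
# checks can be exercised without a real SPS install.
write_samples() {
    cat > "$1/proxyserver.before.sh" <<'EOF'
#!/bin/sh
# constructed excerpt: still FIPS COMPAT, OPENSSL_FIPS not set
CA_SM_PS_FIPS140=COMPAT
export CA_SM_PS_FIPS140
EOF
    cat > "$1/proxyserver.after.sh" <<'EOF'
#!/bin/sh
# constructed excerpt: steps 2 and 3 applied
OPENSSL_FIPS=1
export OPENSSL_FIPS
CA_SM_PS_FIPS140=ONLY
export CA_SM_PS_FIPS140
EOF
    cat > "$1/httpd-ssl.before.conf" <<'EOF'
SSLPassPhraseDialog  builtin
#SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
EOF
    cat > "$1/httpd-ssl.after.conf" <<'EOF'
SSLPassPhraseDialog  custom
SSLCustomPropertiesFile "/opt/CA/secure-proxy/Tomcat/properties/spsssl.properties"
EOF
}

# report LABEL FILE CHECK: prints OK or FAIL for one file.
report() {
    if "$3" "$2"; then echo "OK   $1"; else echo "FAIL $1"; fi
}

# Stand-alone run against the constructed samples; on a real host call
# "preflight" instead and only start SPS services when it returns 0.
tmp=$(mktemp -d)
write_samples "$tmp"
report "proxyserver.sh (before)" "$tmp/proxyserver.before.sh" check_env_vars
report "proxyserver.sh (after)"  "$tmp/proxyserver.after.sh"  check_env_vars
report "httpd-ssl.conf (before)" "$tmp/httpd-ssl.before.conf" check_ssl_conf
report "httpd-ssl.conf (after)"  "$tmp/httpd-ssl.after.conf"  check_ssl_conf
rm -rf "$tmp"
```

The checks deliberately match only uncommented lines, so a commented-out `#SSLCustomPropertiesFile` or a stale `SSLPassPhraseDialog builtin` is reported as a failure rather than silently passing; the Windows-side edits (service environment and the step 9 reboot) are outside what a file check can see.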

More information:

Configuration Process for FIPS ONLY Mode