Administration Guide › FIPS-140 Support › FIPS Support Overview

FIPS Support Overview

The Secure Proxy Server supports the requirements for cryptographic modules specified in the FIPS 140-2 standard. When you install SPS, a dialog appears that prompts you to select the level of FIPS support your operating configuration requires.

During a new installation you can select one of these three FIPS modes:

• COMPAT — Specifies that the installation is not FIPS-compliant. Select this mode when interacting with clients running earlier versions of the SPS.
• MIGRATE — Specifies that the SPS operates both with FIPS-compliant algorithms and algorithms used in earlier version of the SPS simultaneously while the data is migrated.
• ONLY — Specifies that only FIPS-compliant algorithms are used and accepted by the SPS. When you install in this mode, additional manual configuration is required.

The FIPS mode you select during installation usually is the same as the FIPS mode configured on the Policy Server.When the Policy Server is in Migrate mode, it can operate with the SPS in any mode.

If you are upgrading an existing SPS installation to SPS r12 SP 3, the SPS continues to work as before, that is, in COMPAT mode. You can change the mode manually using the smreghost command, as described in subsequent sections. Be sure to restart the system after a mode change so that the Web Agent, the SPS server, and the Apache server pick up the changes.

More information:

Migration to FIPS MIGRATE Mode

Migration to FIPS ONLY Mode

SSL Configuration for FIPS ONLY Mode

Configuration Process for FIPS ONLY Mode