Installation and Upgrade Guides › SiteMinder Upgrade Guide › Using FIPS-Compliant Algorithms › FIPS 140-2 Migration Overview

FIPS 140-2 Migration Overview

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140–2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). These libraries provide a FIPS mode of operation when a CA SiteMinder® environment only uses FIPS–compliant algorithms to encrypt sensitive data. A CA SiteMinder® environment can operate in one of the following FIPS modes of operation:

• FIPS–compatibility
• FIPS–migration
• FIPS–only

By default, an environment that is upgraded to 12.51 is operating in FIPS–compatibility mode. In FIPS–compatibility mode, the environment uses algorithms existing in previous versions of CA SiteMinder® to encrypt sensitive data and is compatible with previous versions CA SiteMinder®. If your organization does not require the use of FIPS–compliant algorithms, the environment can operate in FIPS–compatibility mode without further configuration.

Migrating your environment to use only FIPS–compliant algorithms is comprised of two stages.

1. Re–encrypt existing sensitive data—In stage one, you configure the environment to operate in FIPS–migration mode. FIPS–migration mode lets you transition a 12.51 environment running in FIPS–compatibility mode to FIPS–only mode. In FIPS–migration mode, the 12.51 environment continues to use existing CA SiteMinder® encryption algorithms as you re–encrypt existing sensitive data using FIPS-compliant algorithms.
2. Configure FIPS–only mode—In stage two you configure your environment to operate in FIPS–only mode. In FIPS–only mode, the environment only uses FIPS–compliant algorithms to encrypt sensitive data.

   Important! An environment that is running in FIPS–only mode cannot interoperate with and is not backward compatible to versions of CA SiteMinder® before 12.x, including:

   • All agents
   • Custom software using older versions of the Agent API
   • Custom software using PM APIs or any other API that the Policy Server exposes

   Re–link all such software with the 12.51 versions of the respective SDKs to achieve the required support for FIPS–only mode.

FIPS 140-2 Migration Requirements

Ensure that your environment meets the minimum requirements before migrating the environment to only use FIPS-compliant algorithms. You may want to print the following to use as a checklist:

• Ensure that your entire CA SiteMinder® environment, including the SDK, is upgraded to 12.51.
• If the environment contains custom agents, ensure that they are re-linked to the respective SDK.

  Note: More information on re-linking custom agents exists in the API Reference Guide for C and the API Reference Guide for Java.

• Ensure that at least one Policy Server in the environment is configured to enable Agent key generation.

  Note: More information on enabling agent key generation exists in the Policy Server Administration Guide.

• If the environment uses X.509 Client Certificate authentication schemes, ensure that the user certificates are generated using only FIPS-compliant algorithms.
• If the Policy Servers are to connect to policy stores and/or user stores via SSL, ensure that the certificates used by the Policy Servers and the directory stores for the connection are FIPS-compliant.