Installation and Upgrade Guides › SiteMinder Upgrade Guide › Using FIPS-Compliant Algorithms › How to Configure FIPS-only Mode

How to Configure FIPS-only Mode

Complete the following procedures to be sure that your environment only encrypts sensitive data using FIPs–compliant algorithms:

1. Set each Agent in the environment to FIPS–only mode.
2. Set each Policy Server in the environment to FIPS–only mode.
3. Re–register an Administrative UI with its respective Policy Server. Consider the following:
   • The Administrative UI is unavailable during registration process. However, the Policy Server continues to provide access control and generate log files that contain auditing information during this time.
   • The Administrative UI can be configured for internal or external administrator authentication.
     • An Administrative UI configured for internal authentication is one that is using the policy store as it source for administrator credentials.
     • An Administrative UI configured for external authentication is one that is using an external user store as its source for administrator credentials.

     The process you follow to re–register an Administrative UI depends on how it is authenticating CA SiteMinder® administrators.

   Note: Repeat this step until all Administrative UI connections are re–registered.

4. Re–register a Report Server with its respective Policy Server.

   Note: Repeat this step until all Report Server connections are re–registered.

Set an Agent to FIPS-only Mode

You set an Agent to FIPS-only mode to ensure that the Agent only accepts session keys, Agent Keys, and shared secrets that are encrypted using FIPS-compliant algorithms.

To set an Agent to FIPS-only mode

1. Open the SmHost.conf file with a text editor.

   The following line appears in the file:

   fipsmode="MIGRATE"
   

2. Edit the line to read:

   fipsmode="ONLY"
   

3. Save and close the file.
4. Restart the machine that is hosting the Agent.

   The agent is operating in FIPS-migration mode.

5. Repeat the previous steps for each machine in the environment that is registered as a trusted hosted.

You may now set Policy Servers to operate in FIPS-only mode.

Set the Policy Server to FIPS-only Mode

Setting the Policy Server to FIPS–only mode configures the Policy Server to read and write encrypted information using FIPS–compliant algorithms only.

Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history.

Note: For more information about identifying Password Blobs that are not re–encrypted, see Verify that Password Blobs are Re-encrypted.

Follow these steps:

1. Open a command prompt from the Policy Server host system and run the following command:

   setFIPSonly
   

   ONLY appears in the command window.

2. Stop the Policy Server.

   Note: For more information about stopping and starting the Policy Server, see the Policy Server Administration Guide.

3. Do one of the following steps:
   • If the Policy Server is installed on a Windows system, reboot the system.
   • If the Policy Server is installed on a UNIX system, do the following steps:
     1. Log in as the user that is used to start the Policy Server.
     2. Open a command prompt.
     3. Navigate to policy_server_home.
     4. Run the following command:

        ./ca_ps_env.ksh
        

4. Start the Policy Server.
5. Open the smps.log file and verify that the following line appears:

   Policy Server employing only FIPS-140 cryptographic algorithms.
   

6. Close the log file.

   The Policy Server is set to operate in FIPS-only mode.

7. Repeat the latter steps for each Policy Server in the environment.

You can now re–register each Administrative UI with its respective Policy Server.

How to Re–Register an Administrative UI Configured for Internal Authentication

Existing CA SiteMinder® algorithms continue to encrypt the shared secret that the Administrative UI and the Policy Server use to establish an encrypted connection. Re–registering the Administrative UI creates a new shared secret that is encrypted using FIPS–compliant algorithms.

Complete the following procedures to re–register an Administrative UI configured for internal authentication:

1. Stop the application server.
2. Delete the Administrative UI data directory.
3. Reset the Administrative UI registration window.
4. Start the application server.
5. Register the Administrative UI.

Stop the Application Server

To stop the application server

1. Log into the Administrative UI host system.
2. Do one of the following:
   • If you installed the Administrative UI using the stand–alone installation option, stop the CA SiteMinder® Administrative UI service.
   • If you installed the Administrative UI to an existing application server infrastructure, stop the application server.

   Note: For more information about stopping the application server, see the Policy Server Installation Guide.

Delete the Administrative UI Data Directory

Delete the Administrative UI data directory to remove the existing trusted connection between the Administrative UI and the Policy Server.

To delete the Administrative UI data directory

1. Log into the Administrative UI host system.
2. Do one of the following:
   • (Stand–alone) If you installed the Administrative UI using the stand–alone installation option, navigate to administrative_ui_home/CA/SiteMinder/adminui/server/default and delete the following folder:

     data

     administrative_ui_home

     Specifies the Administrative UI installation path.

   • (JBoss) If you installed the Administrative UI to an existing JBoss infrastructure, navigate to JBoss_home/server/default/data.

     JBoss_home

     Specifies the JBoss installation path.

     The data folder contains the apacheds, derby, and siteminder folders.

     1. Delete the siteminder folder.
     2. Open the apacheds folder and delete the siteminder folder.
     3. Open the derby folder and delete the siteminder folder.
   • (WebLogic) If you installed the Administrative UI to an existing WebLogic infrastructure, navigate to WebLogic_domain_folder, and delete the following folder:

     data

     WebLogic_domain_folder

     Specifies the path to the WebLogic domain created for the Administrative UI.

   • (WebSphere) If you installed the Administrative UI to an existing WebSphere infrastructure, navigate to WebSphere_home/profiles/profile, and delete the following folder:

     data

     WebSphere_home

     Specifies the full path of the WebSphere installation.

     profile

     Specifies the name of the profile used for the Administrative UI.

   The Administrative UI data dictionary is deleted.

Reset the Administrative UI Registration Window

Reset the registration window to submit the credentials of any super user in the policy store. The Policy Server uses these credentials to verify that the registration request is valid and that the relationship between the Administrative UI and the Policy Server can be trusted.

To reset the Administrative UI registration window

1. Log into the Policy Server host system.
2. Run the following command:

   XPSRegClient siteminder_administrator[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l
   log_path -e error_path -vT -vI -vW -vE -vF
   

   siteminder_administrator

   Specifies a CA SiteMinder® administrator with super user permissions.

   Note: If a super user account is not available, use the smreg utility to create the default CA SiteMinder® account.

   passphrase

   Specifies the password for the CA SiteMinder® administrator account.

   Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm it.

   -adminui-setup

   Specifies that the Administrative UI is being re–registered with a Policy Server.

   -t timeout

   (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

   Unit of measurement: minutes

   Default: 240 (4 hours)

   Minimum limit: 1

   Maximum limit: 1440 (24 hours)

   -r retries

   (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging into the Administrative UI to complete the registration process.

   Default: 1

   Maximum limit: 5

   -c comment

   (Optional) Inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -cp

   (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -l log path

   (Optional) Specifies where the registration log file must be exported.

   Default: siteminder_home\log

   siteminder_home

   Specifies the Policy Server installation path.

   -e error path

   (Optional) Sends exceptions to the specified path.

   Default: stderr

   -vT

   (Optional) Sets the verbosity level to TRACE.

   -vI

   (Optional) Sets the verbosity level to INFO.

   -vW

   (Optional) Sets the verbosity level to WARNING.

   -vE

   (Optional) Sets the verbosity level to ERROR.

   -vF

   (Optional) Sets the verbosity level to FATAL.

3. Press Enter.

   XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log into the Administrative UI.

Start the Application Server

To start the application server

1. Log into the Administrative UI host system.
2. Do one of the following:
   • If you installed the Administrative UI using the stand–alone installation option, start the CA SiteMinder® Administrative UI service.
   • If you installed the Administrative UI to an existing application server infrastructure, start the application server.

   Note: For more information about starting the application server, see the Policy Server Installation Guide.

Register the Administrative UI

Register the Administrative UI to create a new shared secret that is encrypted using FIPS–compliant algorithms.

Note: For more information about registering the Administrative UI, see the Policy Server Installation Guide.

How to Re–Register an Administrative UI Configured for External Authentication

Existing CA SiteMinder® algorithms continue to encrypt the shared secret that the Administrative UI and the Policy Server use to establish an encrypted connection. Re–registering the Administrative UI creates a new shared secret that is encrypted using FIPS–compliant algorithms.

Complete the following procedures to re–register an Administrative UI configured for external authentication:

1. Delete the existing connection between the Administrative UI and the Policy Server.
2. Run the Administrative UI registration tool.
3. Gather registration information.
4. Configure the Administrative UI and Policy Server connection.
5. Delete the previous trusted host.

Delete an Administrative UI Connection to the Policy Server

You delete the Administrative UI connection to the Policy Server so that you can re–register the connection.

To delete the Administrative UI connection to the Policy Server

1. Log into the Administrative UI and click Administration, Admin UI.

   A list of connection types appears.

2. Click Policy Server Connections, Delete Policy Server Connection.

   The Delete Policy Server Connection pane appears.

3. Enter search criteria, and click Search.

   Connections matching your criteria appear.

4. Select the connection you want to delete, and click Select.

   You are prompted to confirm the request.

5. Click Yes.

   The connection between the Administrative UI and the Policy Server is deleted.

Run the Administrative UI Registration Tool

You run the Administrative UI registration tool to create a client name and passphrase. A client name and passphrase pairing are values that the Policy Server uses to identify the Administrative UI you are registering. You submit the client and passphrase values from the Administrative UI to complete the registration process.

To run the registration tool

1. Open a command prompt from the Policy Server host system.
2. Run the following command:

   XPSRegClient client_name[:passphrase] -adminui -t timeout -r retries -c comment -cp -l log_path -e error_path
   -vT -vI -vW -vE -vF
   

   Note: Inserting a space between client_name and [:passphrase] results in an error.

   client_name

   Identifies the Administrative UI being registered.

   Limit: This value must be unique. For example, if you have previously used smui1 to register an Administrative UI, enter smui2.

   Note: Record this value. This value is to complete the registration process from the Administrative UI.

   passphrase

   Specifies the password required to complete the registration of the Administrative UI.

   Limits:

   • The passphrase must contain at least six (6) characters.
   • The passphrase cannot include an ampersand (&) or an asterisk (*).
   • If the passphrase contains a space, it must be enclosed in quotation marks.
   • If you are registering the Administrative UI as part of an upgrade, you can reuse a previous passphrase.

   Note: If you do not specify the passphrase in this step, XPSRegClient prompts you to enter and confirm one.

   Important! Record the passphrase, so that you can refer to it later.

   -adminui

   Specifies that an Administrative UI is being registered.

   -t timeout

   (Optional) Specifies how long you have to complete the registration process from the Administrative UI. The Policy Server denies the registration request when the timeout value is reached.

   Unit of measurement: minutes

   Default: 240 (four hours)

   Minimum Limit: 1

   Maximum Limit: 1440 (one day)

   -r retries

   (Optional) Specifies how many failed attempts are allowed when you complete the registration process from the Administrative UI. A failed attempt can result from an incorrect client name or passphrase submitted to the Policy Server during the registration process.

   Default: 1

   Maximum Limit: 5

   -c comment

   (Optional) Inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -cp

   (Optional) Specifies that registration log file can contain multiple lines of comments. The registration tool prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -l log_path

   (Optional) Specifies where to export the registration log file.

   Default: siteminder_home\log

   siteminder_home

   Specifies the Policy Server installation path.

   -e error_path

   (Optional) Sends exceptions to the specified path.

   Default: stderr

   -vT

   (Optional) Sets the verbosity level to TRACE.

   -vI

   (Optional) Sets the verbosity level to INFO.

   -vW

   (Optional) Sets the verbosity level to WARNING.

   -vE

   (Optional) Sets the verbosity level to ERROR.

   -vF

   (Optional) Sets the verbosity level to FATAL.

   The registration tool lists the name of the registration log file and prompts for a passphrase.

3. Press Enter.

   The registration tool creates the client name and passphrase pairing.

You can now register the Administrative UI with a Policy Server. You complete the registration process from the Administrative UI.

Gather Registration Information

The Administrative UI requires specific information from the registration process so that you can register it with the Policy Server.

Gather the following information before logging in to the Administrative UI:

• Client name—The client name you specified using the XPSRegClient tool.
• Passphrase—The passphrase you specified using the XPSRegClient tool.
• Policy Server host—The IP address or name of the Policy Server host system.
• Policy Server authentication port—The port on which the Policy Server is listening for authentication requests.

  Default: 44442

Configure the Connection to the Policy Server

You configure the Administrative UI and Policy Server connection so CA SiteMinder® administrators can use the Administrative UI to manage policy information through the Policy Server. You configure the connection from the Administrative UI.

To configure the Administrative UI and Policy Server connection

1. Open a supported web browser and enter the following:

   http://host.domain/iam/siteminder/adminui

   The Administrative UI login screen appears.

2. Log in as a super user.
3. Click Administration, Admin UI.
4. Click Policy Server Connections, Register Policy Server Connection.

   The Register Policy Server Connection pane opens.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

5. Type a connection name in the Name field on the General group box.
6. Type the name or IP address of the Policy Server host system in the Policy Server Host field.
7. Type the Policy Server authentication port in the Policy Server Port field.

   Note: This value must match the value in the Authentication port (TCP) field on the Settings tab in the Policy Server Management Console. The default authentication port is 44442.

8. Type the client name and passphrase you created using the registration tool in the fields on the General group box.
9. Select the FIPS only mode radio button.
10. Click Submit.

    The connection between the Administrative UI and Policy Server is configured. The shared secret the Administrative UI and Policy Server use to establish an encrypted connection is encrypted using FIPS-approved algorithms.

You have completed the process for re–registering the Administrative UI.

Delete the Previous Trusted Host

Re–registering the Administrative UI with a Policy Server creates a new trusted host. You delete the previous trusted host as it is no longer needed.

To delete the trusted host connection

1. Log into the Administrative UI and click Infrastructure, Hosts.
2. Click Trusted Hosts, Delete Trusted Host.

   The Delete Trusted Host pane appears.

3. Search for and select the previous trusted host connection.

   Note: A trusted host that is created as a result of the Administrative UI registration process has the following description: Generated by XPSRegClient.

4. Click Select.

   The Administrative UI prompts you to verify the selection.

   Important! Be sure that you delete the trusted host that was created the last time you registered the Administrative UI and not the new trusted host.

5. Click Yes.

   The trusted host connection is deleted.

How to Re-Register the Report Server Connection

Re-registering the Report Server ensures that the connection between the Report Server and the Policy server is encrypted using FIPS-approved algorithms.

Complete the following steps to re-register a report server:

1. Create the Report Server client name and passphrase.
2. Gather registration information.
3. Register the Report Server with the policy server.

Create a Client Name and Passphrase

You run the XPSRegClient utility to create a client name and passphrase. A client name and passphrase are:

• Values that the Policy Server uses to identify the Report Server you are registering
• Values that you use with the XPSRegClient tool to register the Report Server with the Policy Server

To run the registration tool

1. Open a command–line window from the Policy Server host system.
2. Navigate to siteminder_home/bin.

   siteminder_home

   Specifies the Policy Server installation path.

3. Run the following command:

   XPSRegClient client_name[:passphrase] -report -t timeout -r retries
   -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
   

   client_name

   Identifies the name of Report Server you are registering.

   Limit: The value must be unique. For example, if you have previously used reportserver1, enter reportserver2.

   Note: Record this value. This value is required to complete registration process from the Report Server host system.

   passphrase

   Specifies the password required to complete the Report Server registration.

   Limits: The passphrase

   • Must contain at least six (6) characters.
   • The passphrase cannot include an ampersand (&) or an asterisk (*).
   • If the passphrase contains a space, it must be enclosed in quotation marks.

   If you do not specify the passphrase in this step, XPSRegClient prompts you to enter and confirm it.

   Note: Record this value. This value is required to complete registration process from the Report Server host system.

   -report

   Specifies that a Report Server is being registered.

   -t timeout

   (Optional) Specifies how long you have to complete the registration process from the Report Server host system. The Policy Server denies the registration request when the timeout value is reached.

   Unit of measurement: minutes

   Default: 240 (4 hours)

   Minimum Limit: 1

   Maximum Limit: 1440 (one day)

   -r retries

   (Optional) Specifies how many failed attempts are allowed when you complete the registration process from the Report Server host system. A failed attempt can result from submitting an incorrect passphrase to the Policy Server during the registration.

   Default: 1

   Maximum Limit: 5

   -c comment

   (Optional) Inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -cp

   (Optional) Specifies that registration log file can contain multiple lines of comments. The registration tool prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comment with quotes.

   -l log path

   (Optional) Specifies where the registration log file must be exported.

   Default: siteminder_home\log, where siteminder_home is where the Policy Server is installed.

   -e error path

   (Optional) Sends exceptions to the specified path.

   Default: stderr

   -vT

   (Optional) Sets the verbosity level to TRACE.

   -vI

   (Optional) Sets the verbosity level to INFO.

   -vW

   (Optional) Sets the verbosity level to WARNING.

   -vE

   (Optional) Sets the verbosity level to ERROR.

   -vF

   (Optional) Sets the verbosity level to FATAL.

   The utility lists the name of the registration log file. If you did not provide a passphrase, the utility prompts for one.

4. Press Enter.

   The registration tool creates the client name and passphrase.

You can now register the Report Server with the Policy Server. You complete the registration process from the Report Server host system.

Gather Registration Information

Completing the registration process between the Report Server and the Policy Server requires specific information. Gather the following information before running the XPSRegClient utility from the Report Server host system.

• Client name—The client name you specified using the XPSRegClient tool.
• Passphrase—The passphrase you specified using the XPSRegClient tool.
• Policy Server host—The IP address or name of the Policy Server host system.

Register the Report Server with the Policy Server

You register the Report Server with the Policy Server to create a trusted relationship between both components. You configure the connection from the Report Server host system using the Report Server registration tool.

To configure the connection to the Policy Server

1. From the Report Server host system, open a command–line window and navigate to report_server_home/external/scripts.

   report_server_home

   Specifies the Report Server installation location.

   Default: (Windows) C:\Program Files\CA\SC\CommonReporting3

   Default: (UNIX) /opt/CA/SharedComponents/CommonReporting3

2. Run one of the following commands:
   • (Windows)

     regreportserver.bat -pshost host_name -client client_name -passphrase passphrase
     -psport portnum -fipsmode 0|1
     

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

   • (UNIX)

     regreportserver.sh -pshost host_name -client client_name -passphrase passphrase
     -psport portnum -fipsmode 0|1
     

   -pshost host_name

   Specifies the IP address or name of the Policy Server host system to which you are registering the Report Server.

   -client client_name

   Specifies the client name. The client name identifies the Report Server that you are registering.

   Note: This value must match the client name that you specified using the XPSRegClient utility when you registered the Report Server on the Policy Server host system.

   Example: If you specified "reportserver1" when using the XPSRegClient utility, enter "reportserver1".

   -passphrase passphrase

   Specifies the passphrase that is paired with the client name. The client name identifies the Report Server that you are registering.

   Note: This value must match the passphrase that you specified using the XPSRegClient utility when you registered the Report Server on the Policy Server host system.

   Example: If you specified CA SiteMinder® when using the XPSRegClient utility, enter CA SiteMinder®.

   -psport portnum

   (optional) Specifies the port on which the Policy Server is listening for the registration request.

   fipsmode

   Specifies how the communication between the Report Server and the Policy Server is encrypted.

   • Zero (0) specifies FIPS–compatibility mode
   • One (1) specifies FIPS–only mode.

   Default: 0

3. Press Enter.

   You receive a message stating that the registration is successful. You have completed re–registering the Report Server with the Policy Server. The connection between the Report Server and the Policy Server is encrypted using FIPS-compliant algorithms.