Installation and Upgrade Guides › SiteMinder Upgrade Guide › Using FIPS-Compliant Algorithms › Migration Roadmap—Configure FIPS-Only Mode

Migration Roadmap—Configure FIPS-Only Mode

The following diagram illustrates a sample 12.51 environment operating in FIPS-migration mode and lists the order in which you configure each component and connection to operate in FIPS-only mode.

The shaded components represent sensitive data that must be re-encrypted using FIPS-approved algorithms. Do not continue with the migration process until you have:

• Re-encrypted the policy store key for each Policy Server in the environment
• Re-encrypted the policy store administrator password
• Re-encrypted the CA SiteMinder® Super User password
• Re-encrypted the shared secret for each Agent in the environment
• Re-encrypted the policy store data
• Verified that the Policy Server has re-encrypted every user Password Blob in the user store, if the environment is using Basic Password Services.

  Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history.

  

1. Each Policy Server in the environment is set to operate in FIPS-only mode.
2. Each CA SiteMinder® Web Agent, including custom Agents, is set to operate in FIPS-only mode.
3. The existing connection between each Administrative UI and its respective Policy Server is encrypted using algorithms that are not FIPS compliant. Re-register each Administrative UI with its respective Policy Server to encrypt the connection using FIPS-compliant algorithms.
4. The existing connection between a Report Server and a Policy Server is encrypted using algorithms that are not FIPS compliant. Re-register each Report Server with its respective Policy Server to encrypt the connection using FIPS-compliant algorithms.