Previous Topic: Using FIPS-Compliant AlgorithmsNext Topic: Migration Roadmap—Re-Encrypt Sensitive Data


FIPS 140-2 Migration Overview

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140–2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). These libraries provide a FIPS mode of operation when a CA SiteMinder® environment only uses FIPS–compliant algorithms to encrypt sensitive data. A CA SiteMinder® environment can operate in one of the following FIPS modes of operation:

By default, an environment that is upgraded to 12.52 SP1 is operating in FIPS–compatibility mode. In FIPS–compatibility mode, the environment uses algorithms existing in previous versions of CA SiteMinder® to encrypt sensitive data and is compatible with previous versions CA SiteMinder®. If your organization does not require the use of FIPS–compliant algorithms, the environment can operate in FIPS–compatibility mode without further configuration.

Migrating your environment to use only FIPS–compliant algorithms is comprised of two stages.

  1. Re–encrypt existing sensitive data—In stage one, you configure the environment to operate in FIPS–migration mode. FIPS–migration mode lets you transition a 12.52 SP1 environment running in FIPS–compatibility mode to FIPS–only mode. In FIPS–migration mode, the 12.52 SP1 environment continues to use existing CA SiteMinder® encryption algorithms as you re–encrypt existing sensitive data using FIPS-compliant algorithms.
  2. Configure FIPS–only mode—In stage two you configure your environment to operate in FIPS–only mode. In FIPS–only mode, the environment only uses FIPS–compliant algorithms to encrypt sensitive data.

    Important! An environment that is running in FIPS–only mode cannot interoperate with and is not backward compatible to versions of CA SiteMinder® before 12.x, including:

    Re–link all such software with the 12.52 SP1 versions of the respective SDKs to achieve the required support for FIPS–only mode.

FIPS 140-2 Migration Requirements

Ensure that your environment meets the minimum requirements before migrating the environment to only use FIPS-compliant algorithms. You may want to print the following to use as a checklist: