Complete the following procedures to re-encrypt existing sensitive data using FIPS-compliant algorithms:
Re-encrypting existing sensitive data while the Policy Server operates in FIPS-migration mode requires specific environment information.
Specifies the Policy Server installation path.
Note: This is the account that is used for all administrative tasks that do not require direct access to the Administrative UI. These are not the credentials for the Administrative UI administrator account with Super User privileges.
You set the Policy Servers to FIPS-migration mode so the environment can continue to use the existing CA SiteMinder® encryption algorithms as you re-encrypt existing sensitive data using FIPS-compliant algorithms.
Follow these steps:
setFIPSmigration
MIGRATION appears in the command window.
Note: For more information about stopping and starting the Policy Server, see the Policy Server Administration Guide.
. ./ca_ps_env.ksh
Policy Server migrating from classic SiteMinder to FIPS-140 cryptographic algorithms.
The Policy Server is set to operate in FIPS-migration mode.
You can now re-encrypt the policy store key for each Policy Server in the environment.
You re-encrypt the policy store key to replace the existing key with a version that is encrypted using FIPS-compliant algorithms.
To re-encrypt the policy store key
smreg -cf MIGRATE -key key_value
Specifies that smreg run in FIPS-migration mode.
Note: When smreg runs in FIPS-migration mode, the policy store key is re-generated using FIPS-compliant algorithms.
Specifies the current policy store key.
smreg generates a new policy store key and encrypts it using FIPS-compliant algorithms.
Prefix example: {AES}
The policy store key is re-encrypted.
You may now re-encrypt the policy store administrator password.
You re-encrypt the policy store administrator password to be sure that the data is encrypted using FIPS-compliant algorithms.
Follow these steps:
Note: For more information about starting the Policy Server Management Console, see the Policy Server Administration Guide.
The administrator password is encrypted using FIPS-compliant algorithms.
Important! A Policy Server operating in FIPS-only mode cannot decrypt a database password that remains encrypted with algorithms that are not FIPS–compliant.
You can now re-encrypt the CA SiteMinder® superuser password.
You re-encrypt the CA SiteMinder® Super User password to ensure that the data is encrypted using FIPS-compliant algorithms.
Note: This is the password for the default administrator account. This account is used for all administrative tasks that do not require direct access to the Administrative UI. This is not the password for the Administrative UI administrator account with Super User privileges.
To reset the CA SiteMinder® Super User password, open a command prompt and run the following command:
smreg -cf MIGRATE -su password
Specifies that smreg run in FIPS-migration mode.
Note: When smreg runs in FIPS-migration mode, the existing Super User password is saved using FIPS-compliant algorithms.
Specifies the existing Super User password.
Note: You do not have to supply a new password. You are entering the same password to ensure that the data is encrypted using FIPS-compliant algorithms.
The CA SiteMinder® Super User password is encrypted using FIPS-compliant algorithms.
You may now set each of the Agents in the environment to FIPS-migration mode.
You set the Agents to FIPS-migration mode so the environment can continue to use existing CA SiteMinder® encryption algorithms as you re-encrypt sensitive data using FIPS-compliant algorithms.
To change the FIPS mode of an agent
The following line appears in the file:
fipsmode="COMPAT"
fipsmode="MIGRATE"
The agent is operating in FIPS-migration mode.
You may now encrypt agent shared secrets.
You re-encrypt the agent shared secrets to replace the existing secrets with secrets that are encrypted using FIPS-compliant algorithms. You re-encrypt shared secrets either:
Note: You only have to use smreghost if the agent was not configured for shared secret rollover when you registered the trusted host.
To rollover the shared secret from the Administrative UI
The Shared Secret Rollover pane appears.
Rollover Now becomes active.
The Policy Server rolls over the shared secrets for all trusted hosts configured to allow shared secret rollover.
You may now re-encrypt sensitive policy and key data in the policy store.
To use smreghost to re-encrypt a shared secret
smreghost -i policy_server_ip_address -u administrator_user_name -p administrator_password -hn hostname_for_registration -hc host_config_object -f path_to_host_config_file -o -cf MIGRATE
Specifies the IP address of the Policy Server to which the trusted host is registered.
Specifies the name of the CA SiteMinder® administrator with the rights to register a trusted host.
Specifies the password of the administrator who is allowed to register a trusted host.
Specifies the current name of the host that is registered.
Specifies the Host Configuration Object configured at the Policy Server.
Specifies the full path to the file that contains the registration data. The default file name is SmHost.conf.
Note: If you do not specify a file path, the updated file is saved in the location where you are running smreghost.
Overwrites an existing trusted host. If you do not use this argument, you will have to delete the existing trusted host using the Administrative UI. We recommend using smreghost with this argument.
Specifies that smreghost run in FIPS-migration mode.
Note: When smreghost runs in FIPS-migration mode, the shared secret created and encrypted using FIPS-compliant algorithms.
smreghost re-registers the trusted host and creates a new shared secret that is encrypted using FIPS-approved algorithms.
The shared secret is encrypted using FIPS-compliant algorithms.
Prefix example: {AES}
You may now re-encrypt sensitive policy and key data in the policy store.
You re-encrypt policy and key store data to ensure that sensitive data that is encrypted using existing CA SiteMinder® algorithms is encrypted using FIPS-compliant algorithms.
There are three ways to re-encrypt policy and key store data. You can:
This guide details the steps for re-encrypting the policy and key store data for existing stores.
If you want to create a new 12.52 SP1 policy store or policy and key store:
Note: XPSExport does not export keys that are stored in a policy or key store. More information on using smkeyexport exists in the Policy Server Administration Guide.
Note: More information on using XPSExport exists in the Policy Server Administration Guide.
Note: More information on creating a policy and key stores exists in the Policy Server Installation Guide.
Note: More information on using smkeyimport exists in the Policy Server Administration Guide.
Note: More information on using XPSImport exists in the Policy Server Administration Guide.
You re-encrypt the keys stored in the policy or key store to replace the existing keys with versions that are encrypted using FIPS-compliant algorithms.
To re-encrypt the keys stored in the policy or key store
smkeyexport -dadmin_name -wadmin_password -ooutput_file_name -l -v -t -cf
Specifies the name of the CA SiteMinder® administrator account.
Specifies the password for the CA SiteMinder® administrator account.
(Optional) Specifies the name of the exported file. If you do not specify a file name, the default file name is stdout.smdif.
Note: Ensure that the file name contains the .smdif extension.
Example: pskeys.smdif
Specifies that a log file be created.
(Optional) Enables verbose mode for troubleshooting.
(Optional) Enables tracing for troubleshooting.
Specifies that smkeyexport run in FIPS-migration mode.
Note: When smkeyexport runs in FIPS-migration mode, the keys stored in the policy store are exported and re-encrypted using FIPS-compliant algorithms.
smkeyexport exports an smdif file that contains the re-encrypted keys.
smkeyimport -iinput_file_name -dadmin_name -wadmin_password -l -v -t -cf
Specifies the name of the file output file you created.
Note: Ensure that the file name you specify includes the .smdif extension.
Specifies the name of the CA SiteMinder® administrator account.
Specifies the password for the CA SiteMinder® administrator account.
Specifies that a log file be created.
(Optional) Enables verbose mode for troubleshooting.
(Optional) Enables tracing for troubleshooting.
Specifies that smkeyimport run in FIPS-migration mode.
smkeyimport imports the re-encrypted keys into the respective store.
You may now re-encrypt policy store data.
To re-encrypt the policy store data
XPSExport outputfile -xe -xp -pass <passphrase> -vT -vI -vW -vE -vF -e file_name -l log_file
Note: Although you can use XPSExport to export one or more granular objects, this procedure provides the arguments for exporting all of the policy store data. This ensures that the export includes all of the sensitive data. More information on exporting one or more granular objects exists in the Policy Server Administration Guide.
Specifies the name of the XML output file.
Note: The file name must be unique. The export fails if a file with the same name exists.
Example: psdata
Exports the object types that are related to the execution environment.
Exports the object types that are related to the policies.
Specifies a passphrase required for encryption of sensitive data. Record this value as it is required to import the sensitive data back into the policy store.
Limit: The passphrase must be contain at least:
Note: If the passphrase contains spaces, enclose it in quotes (").
(Optional) Sets verbosity level to TRACE.
(Optional) Sets verbosity level to INFO.
(Optional) Sets verbosity level to WARNING (default).
(Optional) Sets verbosity level to ERROR.
(Optional) Sets verbosity level to FATAL.
(Optional) Outputs log to the specified path.
(Optional) Specifies the file to which errors and exceptions are logged. If omitted, stderr is used.
XPSExport exports the policy store data and places the data file in the directory from which you ran the tool.
XPSImport input_file -pass <passphrase> -vT -vI -vW -vE -vF -l log_path
Specifies the input XML file.
Specifies the passphrase required for the decryption of sensitive data.
Limit: The phrase must match the phrase you specified during export or the decryption fails.
(Optional) Sets verbosity level to TRACE.
(Optional) Sets verbosity level to INFO.
(Optional) Sets verbosity level to WARNING (default).
(Optional) Sets verbosity level to ERROR.
(Optional) Sets verbosity level to FATAL.
(Optional) Outputs log to the specified path.
(Optional) Specifies the file to which errors and exceptions are logged. If omitted, stderr is used.
XPSImport imports the data into the policy store. Sensitive data is encrypted using FIPS-compliant algorithms.
If your environment users Basic Password Services, you may now verify that the Password Blobs are re-encrypted using FIPS-approved algorithms.
You verify that the Policy Server has re-encrypted every Password Blob in the user store to prevent users from losing their password history and being locked out by Password Services.
When you configured the user store connection for password policies, you specified the Password Data user profile attribute. This value represents where Password Blobs are stored in the user store and is the value you use to identify Password Blobs that are not re-encrypted.
To verify that Password Blobs are re-encrypted
{AES}
Example: If "audio" is the value you specified in the Password Data field when configuring the user store connection, search for all entries stored in "audio" that are not prefixed with {AES}.
Note: How the password policy is configured determines when the Policy Server re-encrypts the Password Blob:
Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history.
Copyright © 2014 CA.
All rights reserved.
|
|