Previous Topic: FIPS 140-2 Migration OverviewNext Topic: How to Re-Encrypt Existing Sensitive Data


Migration Roadmap—Re-Encrypt Sensitive Data

Before your environment can operate in FIPS-only mode, you must:

The following figure illustrates a sample 12.52 SP1 environment and details:

  1. Each Policy Server in the environment is set to operate in FIPS-migration mode.
  2. Each CA SiteMinder® Agent, including custom Agents, in the environment is set to operate in FIPS-migration mode.

    The shared secrets that the Policy Servers and Agents use to establish encrypted communication channels are encrypted using algorithms that are not FIPS–compliant. Re-encrypt the shared secrets before configuring the environment for FIPS-only mode.

  3. Keys and sensitive policy store data is re-encrypted.

    Note: The previous figure depicts a single database instance as a policy/key store. Your environment can use separate database instances for individual policy and key stores.

    Sensitive data stored in a policy store or policy and key stores is encrypted using algorithms that are not FIPS–compliant. Re-encrypt the keys and sensitive policy store data before configuring the environment for FIPS-only mode.

  4. (Optional) If your environment uses basic password services, a Policy Server operating in FIPS-migration mode re-encrypts each Password Blob with FIPS–compliant algorithms when the respective user is challenged for authentication. To prevent users from losing their password history and being locked out, identify the Password Blobs that the Policy Server did not re-encrypt and notify users to log in or to change their password.

    Note: How the password policy is configured determines when the Policy Server re-encrypts the Password Blob: