

Using FIPS-Compliant Algorithms

This section contains the following topics:

FIPS 140-2 Migration Overview

FIPS 140-2 Migration Requirements

Migration Roadmap—Re-Encrypt Sensitive Data

How to Re-Encrypt Existing Sensitive Data

Migration Roadmap—Configure FIPS-Only Mode

How to Configure FIPS-only Mode

FIPS 140-2 Migration Overview

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140–2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). These libraries provide a FIPS mode of operation when a CA SiteMinder® environment only uses FIPS–compliant algorithms to encrypt sensitive data. A CA SiteMinder® environment can operate in one of the following FIPS modes of operation:

By default, an environment that is upgraded to 12.52 is operating in FIPS–compatibility mode. In FIPS–compatibility mode, the environment uses algorithms existing in previous versions of CA SiteMinder® to encrypt sensitive data and is compatible with previous versions CA SiteMinder®. If your organization does not require the use of FIPS–compliant algorithms, the environment can operate in FIPS–compatibility mode without further configuration.

Migrating your environment to use only FIPS–compliant algorithms consists of two stages.

  1. Re–encrypt existing sensitive data—In stage one, you configure the environment to operate in FIPS–migration mode. FIPS–migration mode lets you transition a 12.52 environment running in FIPS–compatibility mode to FIPS–only mode. In FIPS–migration mode, the 12.52 environment continues to use existing CA SiteMinder® encryption algorithms as you re–encrypt existing sensitive data using FIPS-compliant algorithms.
  2. Configure FIPS–only mode—In stage two you configure your environment to operate in FIPS–only mode. In FIPS–only mode, the environment only uses FIPS–compliant algorithms to encrypt sensitive data.

    Important! An environment that is running in FIPS–only mode cannot interoperate with and is not backward compatible to versions of CA SiteMinder® before 12.x, including:

    Re–link all such software with the 12.52 versions of the respective SDKs to achieve the required support for FIPS–only mode.

FIPS 140-2 Migration Requirements

Ensure that your environment meets the minimum requirements before migrating the environment to only use FIPS-compliant algorithms. You may want to print the following to use as a checklist:

Migration Roadmap—Re-Encrypt Sensitive Data

Before your environment can operate in FIPS-only mode, you must:

The following figure illustrates a sample 12.52 environment and details:

  1. Each Policy Server in the environment is set to operate in FIPS-migration mode.
  2. Each CA SiteMinder® Agent, including custom Agents, in the environment is set to operate in FIPS-migration mode.

    The shared secrets that the Policy Servers and Agents use to establish encrypted communication channels are encrypted using algorithms that are not FIPS–compliant. Re-encrypt the shared secrets before configuring the environment for FIPS-only mode.

  3. Keys and sensitive policy store data are re-encrypted.

    Note: The previous figure depicts a single database instance as a policy/key store. Your environment can use separate database instances for individual policy and key stores.

    Sensitive data stored in a policy store or policy and key stores is encrypted using algorithms that are not FIPS–compliant. Re-encrypt the keys and sensitive policy store data before configuring the environment for FIPS-only mode.

  4. (Optional) If your environment uses basic password services, a Policy Server operating in FIPS-migration mode re-encrypts each Password Blob with FIPS–compliant algorithms when the respective user is challenged for authentication. To prevent users from losing their password history and being locked out, identify the Password Blobs that the Policy Server did not re-encrypt and notify users to log in or to change their password.

    Note: How the password policy is configured determines when the Policy Server re-encrypts the Password Blob:

How to Re-Encrypt Existing Sensitive Data

Complete the following procedures to re-encrypt existing sensitive data using FIPS-compliant algorithms:

  1. Gather environment information.
  2. Set FIPS-migration mode for all Policy Servers.
  3. Re-encrypt the policy store key.
  4. Re-encrypt the policy store administrator password.
  5. Re-encrypt the CA SiteMinder® Super User password.
  6. Set FIPS-migration mode for all Agents.
  7. Re-encrypt policy and key store data.
  8. (Optional) If your environment uses Basic Password Services, verify that Password Blobs are re-encrypted.

Gather Environment Information

Re-encrypting existing sensitive data while the Policy Server operates in FIPS-migration mode requires specific environment information.

Note: A FIPS information worksheet is provided to help you gather and record information prior to re-encrypting sensitive data. You may want to print this worksheet and use it to record required information.

More information:

FIPS Information Worksheet

Set a Policy Server to FIPS-Migration Mode

You set the Policy Servers to FIPS-migration mode so the environment can continue to use the existing CA SiteMinder® encryption algorithms as you re-encrypt existing sensitive data using FIPS-compliant algorithms.

Follow these steps:

  1. Open a command prompt on the computer hosting the Policy Server and run the following command:
    setFIPSmigration
    

    MIGRATION appears in the command window.

  2. Stop the Policy Server.

    Note: For more information about stopping and starting the Policy Server, see the Policy Server Administration Guide.

  3. Complete one of the following steps:
  4. Start the Policy Server.
  5. Open the smps.log file and verify that the following line appears:
    Policy Server migrating from classic SiteMinder to FIPS-140 cryptographic algorithms.
    
  6. Close the log file.

    The Policy Server is set to operate in FIPS-migration mode.

  7. Repeat the previous steps for each Policy Server in the environment.

You can now re-encrypt the policy store key for each Policy Server in the environment.

Re-encrypt a Policy Store Key

You re-encrypt the policy store key to replace the existing key with a version that is encrypted using FIPS-compliant algorithms.

To re-encrypt the policy store key

  1. Open a command prompt from the computer hosting the Policy Server and run the following command:
    smreg -cf MIGRATE -key key_value
    
    -cf MIGRATE

    Specifies that smreg run in FIPS-migration mode.

    Note: When smreg runs in FIPS-migration mode, the policy store key is re-generated using FIPS-compliant algorithms.

    -key key_value

    Specifies the current policy store key.

    smreg generates a new policy store key and encrypts it using FIPS-compliant algorithms.

  2. Open the EncryptionKey.txt file, and verify that a new encryption key is present and prefixed with a FIPS-compliant algorithm.

    Prefix example: {AES}

    The policy store key is re-encrypted.

  3. Repeat the previous steps for each Policy Server in the environment.

You may now re-encrypt the policy store administrator password.

Re-Encrypt the Policy Store Administrator Password

You re-encrypt the policy store administrator password to be sure that the data is encrypted using FIPS-compliant algorithms.

Follow these steps:

  1. Start the Policy Server Management Console, and click the Data tab.

    Note: For more information about starting the Policy Server Management Console, see the Policy Server Administration Guide.

  2. Re–enter the administrator password in the Password field, and click Apply.

    The administrator password is encrypted using FIPS-compliant algorithms.

  3. (Optional) If you have configured a separate database for one or more of the following stores, re-encrypt the administrator password for each:

    Important! A Policy Server operating in FIPS-only mode cannot decrypt a database password that remains encrypted with algorithms that are not FIPS–compliant.

You can now re-encrypt the CA SiteMinder® superuser password.

Re-encrypt the CA SiteMinder® Super User Password

You re-encrypt the CA SiteMinder® Super User password to ensure that the data is encrypted using FIPS-compliant algorithms.

Note: This is the password for the default administrator account. This account is used for all administrative tasks that do not require direct access to the Administrative UI. This is not the password for the Administrative UI administrator account with Super User privileges.

To reset the CA SiteMinder® Super User password, open a command prompt and run the following command:

smreg -cf MIGRATE -su password

-cf MIGRATE

Specifies that smreg run in FIPS-migration mode.

Note: When smreg runs in FIPS-migration mode, the existing Super User password is saved using FIPS-compliant algorithms.

password

Specifies the existing Super User password.

Note: You do not have to supply a new password. You are entering the same password to ensure that the data is encrypted using FIPS-compliant algorithms.

The CA SiteMinder® Super User password is encrypted using FIPS-compliant algorithms.

You may now set each of the Agents in the environment to FIPS-migration mode.

Set an Agent to FIPS-Migration Mode

You set the Agents to FIPS-migration mode so the environment can continue to use existing CA SiteMinder® encryption algorithms as you re-encrypt sensitive data using FIPS-compliant algorithms.

To change the FIPS mode of an agent

  1. Open the SmHost.conf file with a text editor.

    The following line appears in the file:

    fipsmode="COMPAT"
    
  2. Edit the line to read:
    fipsmode="MIGRATE"
    
  3. Save and close the file.
  4. Restart the machine that is hosting the Agent.

    The agent is operating in FIPS-migration mode.

  5. Repeat the previous steps for each machine in the environment on which a trusted host is registered.

You may now encrypt agent shared secrets.

Re-encrypt Client Shared Secrets

You re-encrypt the agent shared secrets to replace the existing secrets with secrets that are encrypted using FIPS-compliant algorithms. You re-encrypt shared secrets either:

Use the Administrative UI to Re-encrypt a Shared Secret

To roll over the shared secret from the Administrative UI

  1. Log into the Administrative UI and click Administration, Policy Server, Shared Secret Rollover.

    The Shared Secret Rollover pane appears.

  2. Select the Rollover Shared Secret every radio button.

    Rollover Now becomes active.

  3. Click Rollover Now.

    The Policy Server rolls over the shared secrets for all trusted hosts configured to allow shared secret rollover.

You may now re-encrypt sensitive policy and key data in the policy store.

Use smreghost to Re-encrypt a Shared Secret

To use smreghost to re-encrypt a shared secret

  1. Open a command prompt and run the following command:
    smreghost -i policy_server_ip_address -u administrator_user_name
    -p administrator_password -hn hostname_for_registration -hc host_config_object
    -f path_to_host_config_file -o -cf MIGRATE
    
    -i policy server ip address

    Specifies the IP address of the Policy Server to which the trusted host is registered.

    -u administrator user name

    Specifies the name of the CA SiteMinder® administrator with the rights to register a trusted host.

    -p administrator password

    Specifies the password of the administrator who is allowed to register a trusted host.

    -hn hostname for registration

    Specifies the current name of the host that is registered.

    -hc host configuration object

    Specifies the Host Configuration Object configured at the Policy Server.

    -f path to host config file

    Specifies the full path to the file that contains the registration data. The default file name is SmHost.conf.

    Note: If you do not specify a file path, the updated file is saved in the location where you are running smreghost.

    -o

    Overwrites an existing trusted host. If you do not use this argument, you will have to delete the existing trusted host using the Administrative UI. We recommend using smreghost with this argument.

    -cf MIGRATE

    Specifies that smreghost run in FIPS-migration mode.

    Note: When smreghost runs in FIPS-migration mode, the shared secret is created and encrypted using FIPS-compliant algorithms.

    smreghost re-registers the trusted host and creates a new shared secret that is encrypted using FIPS-approved algorithms.

  2. Open the file that contains the trusted host registration data and verify that a new shared secret is present and prefixed with a FIPS-approved algorithm.

    The shared secret is encrypted using FIPS-compliant algorithms.

    Prefix example: {AES}

You may now re-encrypt sensitive policy and key data in the policy store.

Re-encrypt Policy and Key Store Data

You re-encrypt policy and key store data to ensure that sensitive data that is encrypted using existing CA SiteMinder® algorithms is encrypted using FIPS-compliant algorithms.

Options for Re-encrypting Policy and Key Store Data

There are three ways to re-encrypt policy and key store data. You can:

This guide details the steps for re-encrypting the policy and key store data for existing stores.

If you want to create a new 12.52 policy store or policy and key store:

  1. Export the key data using smkeyexport.

    Note: XPSExport does not export keys that are stored in a policy or key store. More information on using smkeyexport exists in the Policy Server Administration Guide.

  2. Export the policy store data using XPSExport.

    Note: More information on using XPSExport exists in the Policy Server Administration Guide.

  3. Create a 12.52 policy store or policy and key store.

    Note: More information on creating policy and key stores exists in the Policy Server Installation Guide.

  4. Import the key data into the new policy store, or if created, the new key store using smkeyimport.

    Note: More information on using smkeyimport exists in the Policy Server Administration Guide.

  5. Import the policy store data into the new policy store using XPSImport.

    Note: More information on using XPSImport exists in the Policy Server Administration Guide.

Re-encrypt Keys Stored in the Policy or Key Store

You re-encrypt the keys stored in the policy or key store to replace the existing keys with versions that are encrypted using FIPS-compliant algorithms.

To re-encrypt the keys stored in the policy or key store

  1. Open a command prompt from the computer hosting the Policy Server and run the following command:
    smkeyexport -dadmin_name -wadmin_password -ooutput_file_name -l -v -t -cf
    
    -dadmin_name

    Specifies the name of the CA SiteMinder® administrator account.

    -wadmin_password

    Specifies the password for the CA SiteMinder® administrator account.

    -ooutput_file_name

    (Optional) Specifies the name of the exported file. If you do not specify a file name, the default file name is stdout.smdif.

    Note: Ensure that the file name contains the .smdif extension.

    Example: pskeys.smdif

    -l

    Specifies that a log file be created.

    -v

    (Optional) Enables verbose mode for troubleshooting.

    -t

    (Optional) Enables tracing for troubleshooting.

    -cf

    Specifies that smkeyexport run in FIPS-migration mode.

    Note: When smkeyexport runs in FIPS-migration mode, the keys stored in the policy store are exported and re-encrypted using FIPS-compliant algorithms.

    smkeyexport exports an smdif file that contains the re-encrypted keys.

  2. Run the following command:
    smkeyimport -iinput_file_name -dadmin_name -wadmin_password -l -v -t -cf
    
    -iinput_file_name

    Specifies the name of the output file that smkeyexport created.

    Note: Ensure that the file name you specify includes the .smdif extension.

    -dadmin_name

    Specifies the name of the CA SiteMinder® administrator account.

    -wadmin_password

    Specifies the password for the CA SiteMinder® administrator account.

    -l

    Specifies that a log file be created.

    -v

    (Optional) Enables verbose mode for troubleshooting.

    -t

    (Optional) Enables tracing for troubleshooting.

    -cf

    Specifies that smkeyimport run in FIPS-migration mode.

    smkeyimport imports the re-encrypted keys into the respective store.

You may now re-encrypt policy store data.

Re-encrypt the Policy Store Data

To re-encrypt the policy store data

  1. Open a command prompt from the machine hosting the Policy Server and navigate to the location to which you want to export the policy store data file.
  2. Run the following command:
    XPSExport outputfile -xe -xp -pass <passphrase> -vT -vI -vW -vE -vF -e file_name -l log_path
    

    Note: Although you can use XPSExport to export one or more granular objects, this procedure provides the arguments for exporting all of the policy store data. This ensures that the export includes all of the sensitive data. More information on exporting one or more granular objects exists in the Policy Server Administration Guide.

    outputfile

    Specifies the name of the XML output file.

    Note: The file name must be unique. The export fails if a file with the same name exists.

    Example: psdata

    -xe

    Exports the object types that are related to the execution environment.

    -xp

    Exports the object types that are related to the policies.

    -pass <passphrase>

    Specifies a passphrase required for encryption of sensitive data. Record this value as it is required to import the sensitive data back into the policy store.

    Limit: The passphrase must contain at least:

    • Eight (8) characters
    • One (1) digit
    • One (1) upper-case character
    • One (1) lower-case character

    Note: If the passphrase contains spaces, enclose it in quotes (").

    -vT

    (Optional) Sets verbosity level to TRACE.

    -vI

    (Optional) Sets verbosity level to INFO.

    -vW

    (Optional) Sets verbosity level to WARNING (default).

    -vE

    (Optional) Sets verbosity level to ERROR.

    -vF

    (Optional) Sets verbosity level to FATAL.

    -l log_path

    (Optional) Outputs log to the specified path.

    -e file_name

    (Optional) Specifies the file to which errors and exceptions are logged. If omitted, stderr is used.

    XPSExport exports the policy store data and places the data file in the directory from which you ran the tool.

  3. Run the following command:
    XPSImport input_file -pass <passphrase> -vT -vI -vW -vE -vF -l log_path -e file_name
    
    input_file

    Specifies the input XML file.

    -pass <passphrase>

    Specifies the passphrase required for the decryption of sensitive data.

    Limit: The phrase must match the phrase you specified during export or the decryption fails.

    -vT

    (Optional) Sets verbosity level to TRACE.

    -vI

    (Optional) Sets verbosity level to INFO.

    -vW

    (Optional) Sets verbosity level to WARNING (default).

    -vE

    (Optional) Sets verbosity level to ERROR.

    -vF

    (Optional) Sets verbosity level to FATAL.

    -l log_path

    (Optional) Outputs log to the specified path.

    -e file_name

    (Optional) Specifies the file to which errors and exceptions are logged. If omitted, stderr is used.

    XPSImport imports the data into the policy store. Sensitive data is encrypted using FIPS-compliant algorithms.

If your environment uses Basic Password Services, you may now verify that the Password Blobs are re-encrypted using FIPS-approved algorithms.

Verify that Password Blobs are Re-encrypted

You verify that the Policy Server has re-encrypted every Password Blob in the user store to prevent users from losing their password history and being locked out by Password Services.

When you configured the user store connection for password policies, you specified the Password Data user profile attribute. This value represents where Password Blobs are stored in the user store and is the value you use to identify Password Blobs that are not re-encrypted.

To verify that Password Blobs are re-encrypted

  1. Using the directory server or database-specific tool, search for Password Data entries that are not prefixed with:
    {AES}
    

    Example: If "audio" is the value you specified in the Password Data field when configuring the user store connection, search for all entries stored in "audio" that are not prefixed with {AES}.

  2. Identify the users whose Password Blobs are not prefixed with {AES}. The Policy Server has not re-encrypted these Password Blobs.
  3. Notify these users that they must either log in or change their password.

    Note: How the password policy is configured determines when the Policy Server re-encrypts the Password Blob:

Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history.
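The search in step 1 is easy to automate against an export of the user store. The following Python check is an added example and is not part of the CA documentation or the product: it reads an LDIF export, looks at the Password Data attribute (the page's example attribute "audio" is used here), and lists the DNs whose Password Blob is present but not prefixed with {AES}. It also handles the base64-encoded ("::") form that directory exports use for binary attribute values, since a blob exported that way hides its prefix until it is decoded. The LDIF entries, DNs and blob values below are constructed for the example, and the {RC2} prefix stands for any pre-FIPS prefix.

```python
import base64
import re
import sys
from typing import Dict, List

FIPS_PREFIX = "{AES}"

# Constructed LDIF excerpt standing in for a user store export (not real data).
# "audio" is the Password Data attribute from the page's own example.
# carol's value uses the LDIF "::" form (base64-encoded), which exports produce
# for binary attributes, so the prefix is only visible after decoding.
# dave has no Password Blob at all and therefore nothing to lose.
_CAROL_B64 = base64.b64encode(b"{RC2}constructed-legacy-blob").decode("ascii")
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
audio: {AES}constructed-fips-blob

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
audio: {RC2}constructed-legacy-blob

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
audio:: @CAROL_B64@

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
""".replace("@CAROL_B64@", _CAROL_B64)

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased,
    continuation lines folded back and '::' values base64-decoded.
    Enough for a Password Data export; not a general LDIF parser."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in unfolded:
        if not line.strip():                         # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def find_unmigrated_blobs(ldif_text: str, password_data_attr: str) -> List[str]:
    """Return the DNs whose Password Blob exists but is not prefixed with {AES},
    i.e. the users the Policy Server has not yet re-encrypted and who must
    log in or change their password before FIPS-only mode is enabled."""
    attr = password_data_attr.lower()
    stale: List[str] = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:                        # e.g. a leading "version: 1" block
            continue
        blob = entry.get(attr)
        if blob is not None and not blob.startswith(FIPS_PREFIX):
            stale.append(entry["dn"])
    return stale


if __name__ == "__main__":
    # Usage: python check_blobs.py export.ldif audio   (defaults to the sample)
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ldif, attr_name = fh.read(), sys.argv[2]
    else:
        ldif, attr_name = SAMPLE_LDIF, "audio"
    for dn in find_unmigrated_blobs(ldif, attr_name):
        print(dn)
```

Run it against the sample and it reports bob and carol; alice is already re-encrypted and dave has no blob. Run it before and after the notification round so the list shrinks to empty before any Policy Server is switched to FIPS-only mode.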

Migration Roadmap—Configure FIPS-Only Mode

The following diagram illustrates a sample 12.52 environment operating in FIPS-migration mode and lists the order in which you configure each component and connection to operate in FIPS-only mode.

The shaded components represent sensitive data that must be re-encrypted using FIPS-approved algorithms. Do not continue with the migration process until you have:

  1. Each Policy Server in the environment is set to operate in FIPS-only mode.
  2. Each CA SiteMinder® Web Agent, including custom Agents, is set to operate in FIPS-only mode.
  3. The existing connection between each Administrative UI and its respective Policy Server is encrypted using algorithms that are not FIPS compliant. Re-register each Administrative UI with its respective Policy Server to encrypt the connection using FIPS-compliant algorithms.
  4. The existing connection between a Report Server and a Policy Server is encrypted using algorithms that are not FIPS compliant. Re-register each Report Server with its respective Policy Server to encrypt the connection using FIPS-compliant algorithms.

How to Configure FIPS-only Mode

Complete the following procedures to be sure that your environment only encrypts sensitive data using FIPS–compliant algorithms:

  1. Set each Agent in the environment to FIPS–only mode.
  2. Set each Policy Server in the environment to FIPS–only mode.
  3. Re–register an Administrative UI with its respective Policy Server. Consider the following:

    Note: Repeat this step until all Administrative UI connections are re–registered.

  4. Re–register a Report Server with its respective Policy Server.

    Note: Repeat this step until all Report Server connections are re–registered.

Set an Agent to FIPS-only Mode

You set an Agent to FIPS-only mode to ensure that the Agent only accepts session keys, Agent Keys, and shared secrets that are encrypted using FIPS-compliant algorithms.

To set an Agent to FIPS-only mode

  1. Open the SmHost.conf file with a text editor.

    The following line appears in the file:

    fipsmode="MIGRATE"
    
  2. Edit the line to read:
    fipsmode="ONLY"
    
  3. Save and close the file.
  4. Restart the machine that is hosting the Agent.

    The agent is operating in FIPS-only mode.

  5. Repeat the previous steps for each machine in the environment that is registered as a trusted host.

You may now set Policy Servers to operate in FIPS-only mode.
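Both Agent procedures on this page (Set an Agent to FIPS-Migration Mode and Set an Agent to FIPS-only Mode) are the same edit of the fipsmode line in SmHost.conf. The following Python helper is an added example and is not part of the CA documentation or the product: it rewrites that line in place, keeps a .bak copy, and refuses to skip a stage (COMPAT straight to ONLY), which would leave the Agent holding a shared secret that was never re-encrypted. It assumes the line is written exactly as the page shows it (fipsmode="COMPAT"); the SmHost.conf text it runs against is constructed, and {RC2} stands for any pre-FIPS prefix. Restarting the Agent host afterwards remains a manual step.

```python
import re
import shutil
import sys
from pathlib import Path
from typing import Optional

# The fipsmode values on this page, in the order the migration moves through them.
FIPS_MODES = ("COMPAT", "MIGRATE", "ONLY")

# Constructed SmHost.conf excerpt for this example (not a real host's file).
SAMPLE_SMHOST_CONF = (
    "# constructed example\n"
    'hostname="web01"\n'
    'sharedsecret="{RC2}constructed-legacy-secret"\n'
    'fipsmode="COMPAT"\n'
)

# Matches the fipsmode line in the key="value" layout the page shows, keeping
# the surrounding text (groups 1 and 3) so only the value is replaced.
_FIPSMODE_RE = re.compile(r'^([ \t]*fipsmode[ \t]*=[ \t]*")([A-Za-z]*)(")', re.MULTILINE)


def current_fips_mode(conf_text: str) -> Optional[str]:
    """Return the fipsmode value in SmHost.conf text, or None if the line is missing."""
    m = _FIPSMODE_RE.search(conf_text)
    return m.group(2).upper() if m else None


def can_transition(current: str, target: str) -> bool:
    """Allow a no-op or exactly one forward stage: COMPAT->MIGRATE, MIGRATE->ONLY."""
    if current not in FIPS_MODES or target not in FIPS_MODES:
        return False
    cur_idx, tgt_idx = FIPS_MODES.index(current), FIPS_MODES.index(target)
    return tgt_idx in (cur_idx, cur_idx + 1)


def set_fips_mode(conf_text: str, target: str) -> str:
    """Return conf_text with fipsmode set to target, or raise ValueError when the
    line is missing, the value is unknown, or the change would skip a stage."""
    target = target.upper()
    if target not in FIPS_MODES:
        raise ValueError(f"unknown fipsmode {target!r}; expected one of {FIPS_MODES}")
    current = current_fips_mode(conf_text)
    if current is None:
        raise ValueError("no fipsmode line found in SmHost.conf")
    if not can_transition(current, target):
        raise ValueError(f"refusing to move fipsmode from {current!r} to {target!r}; "
                         "migrate one stage at a time")
    return _FIPSMODE_RE.sub(lambda m: f"{m.group(1)}{target}{m.group(3)}", conf_text, count=1)


def update_smhost_conf(path: Path, target: str) -> Optional[str]:
    """Rewrite SmHost.conf on disk, keeping a .bak copy when the file changes.
    Returns the mode now recorded in the file."""
    original = path.read_text(encoding="utf-8")
    updated = set_fips_mode(original, target)
    if updated != original:
        shutil.copyfile(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(updated, encoding="utf-8")
    return current_fips_mode(updated)


if __name__ == "__main__":
    # Usage: python set_fipsmode.py /path/to/SmHost.conf MIGRATE
    if len(sys.argv) == 3:
        print("fipsmode is now", update_smhost_conf(Path(sys.argv[1]), sys.argv[2]))
    else:
        print(set_fips_mode(SAMPLE_SMHOST_CONF, "MIGRATE"))
```

Because the edit is idempotent, the same invocation can be run on every trusted host through whatever configuration management you already use; hosts that are already at the requested stage are left untouched and keep no spurious .bak copy.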

Set the Policy Server to FIPS-only Mode

Setting the Policy Server to FIPS–only mode configures the Policy Server to read and write encrypted information using FIPS–compliant algorithms only.

Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history.

Note: For more information about identifying Password Blobs that are not re–encrypted, see Verify that Password Blobs are Re-encrypted.

Follow these steps:

  1. Open a command prompt from the Policy Server host system and run the following command:
    setFIPSonly
    

    ONLY appears in the command window.

  2. Stop the Policy Server.

    Note: For more information about stopping and starting the Policy Server, see the Policy Server Administration Guide.

  3. Do one of the following steps:
  4. Start the Policy Server.
  5. Open the smps.log file and verify that the following line appears:
    Policy Server employing only FIPS-140 cryptographic algorithms.
    
  6. Close the log file.

    The Policy Server is set to operate in FIPS-only mode.

  7. Repeat the previous steps for each Policy Server in the environment.

You can now re–register each Administrative UI with its respective Policy Server.

How to Re–Register an Administrative UI Configured for Internal Authentication

Existing CA SiteMinder® algorithms continue to encrypt the shared secret that the Administrative UI and the Policy Server use to establish an encrypted connection. Re–registering the Administrative UI creates a new shared secret that is encrypted using FIPS–compliant algorithms.

Complete the following procedures to re–register an Administrative UI configured for internal authentication:

  1. Stop the application server.
  2. Delete the Administrative UI data directory.
  3. Reset the Administrative UI registration window.
  4. Start the application server.
  5. Register the Administrative UI.

Stop the Application Server

To stop the application server

  1. Log into the Administrative UI host system.
  2. Do one of the following:

    Note: For more information about stopping the application server, see the Policy Server Installation Guide.

Delete the Administrative UI Data Directory

Delete the Administrative UI data directory to remove the existing trusted connection between the Administrative UI and the Policy Server.

To delete the Administrative UI data directory

  1. Log into the Administrative UI host system.
  2. Do one of the following:

    The Administrative UI data directory is deleted.

Reset the Administrative UI Registration Window

Reset the registration window to submit the credentials of any super user in the policy store. The Policy Server uses these credentials to verify that the registration request is valid and that the relationship between the Administrative UI and the Policy Server can be trusted.

To reset the Administrative UI registration window

  1. Log into the Policy Server host system.
  2. Run the following command:
    XPSRegClient siteminder_administrator[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l
    log_path -e error_path -vT -vI -vW -vE -vF
    
    siteminder_administrator

    Specifies a CA SiteMinder® administrator with super user permissions.

    Note: If a super user account is not available, use the smreg utility to create the default CA SiteMinder® account.

    passphrase

    Specifies the password for the CA SiteMinder® administrator account.

    Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm it.

    -adminui-setup

    Specifies that the Administrative UI is being re–registered with a Policy Server.

    -t timeout

    (Optional) Specifies the allotted time from when you install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

    Unit of measurement: minutes

    Default: 240 (4 hours)

    Minimum limit: 1

    Maximum limit: 1440 (24 hours)

    -r retries

    (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging into the Administrative UI to complete the registration process.

    Default: 1

    Maximum limit: 5

    -c comment

    (Optional) Inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -cp

    (Optional) Specifies that the registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -l log path

    (Optional) Specifies where the registration log file must be exported.

    Default: siteminder_home\log

    siteminder_home

    Specifies the Policy Server installation path.

    -e error path

    (Optional) Sends exceptions to the specified path.

    Default: stderr

    -vT

    (Optional) Sets the verbosity level to TRACE.

    -vI

    (Optional) Sets the verbosity level to INFO.

    -vW

    (Optional) Sets the verbosity level to WARNING.

    -vE

    (Optional) Sets the verbosity level to ERROR.

    -vF

    (Optional) Sets the verbosity level to FATAL.

  3. Press Enter.

    XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log into the Administrative UI.

Start the Application Server

To start the application server

  1. Log into the Administrative UI host system.
  2. Do one of the following:

    Note: For more information about starting the application server, see the Policy Server Installation Guide.

Register the Administrative UI

Register the Administrative UI to create a new shared secret that is encrypted using FIPS–compliant algorithms.

Note: For more information about registering the Administrative UI, see the Policy Server Installation Guide.

How to Re–Register an Administrative UI Configured for External Authentication

Existing CA SiteMinder® algorithms continue to encrypt the shared secret that the Administrative UI and the Policy Server use to establish an encrypted connection. Re–registering the Administrative UI creates a new shared secret that is encrypted using FIPS–compliant algorithms.

Complete the following procedures to re–register an Administrative UI configured for external authentication:

  1. Delete the existing connection between the Administrative UI and the Policy Server.
  2. Run the Administrative UI registration tool.
  3. Gather registration information.
  4. Configure the Administrative UI and Policy Server connection.
  5. Delete the previous trusted host.

Delete an Administrative UI Connection to the Policy Server

You delete the Administrative UI connection to the Policy Server so that you can re–register the connection.

To delete the Administrative UI connection to the Policy Server

  1. Log into the Administrative UI and click Administration, Admin UI.

    A list of connection types appears.

  2. Click Policy Server Connections, Delete Policy Server Connection.

    The Delete Policy Server Connection pane appears.

  3. Enter search criteria, and click Search.

    Connections matching your criteria appear.

  4. Select the connection you want to delete, and click Select.

    You are prompted to confirm the request.

  5. Click Yes.

    The connection between the Administrative UI and the Policy Server is deleted.

Run the Registration Tool

You run the Administrative UI registration tool to create a client name and passphrase. The client name and passphrase pair are the values that the Policy Server uses to identify the Administrative UI you are registering. You submit the client name and passphrase from the Administrative UI to complete the registration process.

To run the registration tool

  1. Open a command prompt from the Policy Server host system.
  2. Run the following command:
    XPSRegClient client_name[:passphrase] -adminui -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF


    Note: Inserting a space between client_name and [:passphrase] results in an error.

    client_name

    Identifies the Administrative UI being registered.

    Limit: This value must be unique. For example, if you have previously used smui1 to register an Administrative UI, enter smui2.

    Note: Record this value. This value is required to complete the registration process from the Administrative UI.

    passphrase

    Specifies the password required to complete the registration of the Administrative UI.

    Limits:

    • The passphrase must contain at least six (6) characters.
    • The passphrase cannot include an ampersand (&) or an asterisk (*).
    • If the passphrase contains a space, it must be enclosed in quotation marks.
    • If you are registering the Administrative UI as part of an upgrade, you can reuse a previous passphrase.

    Note: If you do not specify the passphrase in this step, XPSRegClient prompts you to enter and confirm one.

    Important! Record the passphrase, so that you can refer to it later.

    -adminui

    Specifies that an Administrative UI is being registered.

    -t timeout

    (Optional) Specifies how long you have to complete the registration process from the Administrative UI. The Policy Server denies the registration request when the timeout value is reached.

    Unit of measurement: minutes

    Default: 240 (four hours)

    Minimum Limit: 1

    Maximum Limit: 1440 (one day)

    -r retries

    (Optional) Specifies how many failed attempts are allowed when you complete the registration process from the Administrative UI. A failed attempt can result from an incorrect client name or passphrase submitted to the Policy Server during the registration process.

    Default: 1

    Maximum Limit: 5

    -c comment

    (Optional) Inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -cp

    (Optional) Specifies that the registration log file can contain multiple lines of comments. The registration tool prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -l log_path

    (Optional) Specifies where to export the registration log file.

    Default: siteminder_home\log

    siteminder_home

    Specifies the Policy Server installation path.

    -e error_path

    (Optional) Sends exceptions to the specified path.

    Default: stderr

    -vT

    (Optional) Sets the verbosity level to TRACE.

    -vI

    (Optional) Sets the verbosity level to INFO.

    -vW

    (Optional) Sets the verbosity level to WARNING.

    -vE

    (Optional) Sets the verbosity level to ERROR.

    -vF

    (Optional) Sets the verbosity level to FATAL.

    The registration tool lists the name of the registration log file. If you did not specify a passphrase, the tool prompts you to enter and confirm one.

  3. Press Enter.

    The registration tool creates the client name and passphrase pairing.

You can now register the Administrative UI with a Policy Server. You complete the registration process from the Administrative UI.

Gather Registration Information

The Administrative UI requires specific information about the Policy Server and the client name and passphrase you created to complete the registration process. Gather the following information before logging into the Administrative UI:

Note: A worksheet is provided to help you gather and record information before registering the Administrative UI.

Configure the Connection to the Policy Server

You configure the Administrative UI and Policy Server connection so CA SiteMinder® administrators can use the Administrative UI to manage policy information through the Policy Server. You configure the connection from the Administrative UI.

To configure the Administrative UI and Policy Server connection

  1. Open a supported web browser and enter the following:

    http://host.domain/iam/siteminder/adminui

    The Administrative UI login screen appears.

  2. Log in as a super user.
  3. Click Administration, Admin UI.
  4. Click Policy Server Connections, Register Policy Server Connection.

    The Register Policy Server Connection pane opens.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Type a connection name in the Name field on the General group box.
  6. Type the name or IP address of the Policy Server host system in the Policy Server Host field.
  7. Type the Policy Server authentication port in the Policy Server Port field.

    Note: This value must match the value in the Authentication port (TCP) field on the Settings tab in the Policy Server Management Console. The default authentication port is 44442.

  8. Type the client name and passphrase you created using the registration tool in the fields on the General group box.
  9. Select the FIPS only mode radio button.
  10. Click Submit.

    The connection between the Administrative UI and Policy Server is configured. The shared secret the Administrative UI and Policy Server use to establish an encrypted connection is encrypted using FIPS-approved algorithms.

You have completed the process for re–registering the Administrative UI.

Delete the Previous Trusted Host

Re–registering the Administrative UI with a Policy Server creates a new trusted host. You delete the previous trusted host as it is no longer needed.

To delete the trusted host connection

  1. Log into the Administrative UI and click Infrastructure, Hosts.
  2. Click Trusted Hosts, Delete Trusted Host.

    The Delete Trusted Host pane appears.

  3. Search for and select the previous trusted host connection.

    Note: A trusted host that is created as a result of the Administrative UI registration process has the following description: Generated by XPSRegClient.

  4. Click Select.

    The Administrative UI prompts you to verify the selection.

    Important! Be sure that you delete the trusted host that was created the last time you registered the Administrative UI and not the new trusted host.

  5. Click Yes.

    The trusted host connection is deleted.

How to Re-Register the Report Server Connection

Re-registering the Report Server ensures that the connection between the Report Server and the Policy Server is encrypted using FIPS-approved algorithms.

Complete the following steps to re-register a report server:

  1. Create the Report Server client name and passphrase.
  2. Gather registration information.
  3. Register the Report Server with the policy server.
Create a Client Name and Passphrase

You run the XPSRegClient utility to create a client name and passphrase. The client name and passphrase are the values that the Policy Server uses to identify the Report Server that you are registering. You submit both values from the Report Server host system to complete the registration process.

To run the registration tool

  1. Open a command–line window from the Policy Server host system.
  2. Navigate to siteminder_home/bin.
    siteminder_home

    Specifies the Policy Server installation path.

  3. Run the following command:
    XPSRegClient client_name[:passphrase] -report -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF

    client_name

    Identifies the Report Server that you are registering.

    Limit: The value must be unique. For example, if you have previously used reportserver1, enter reportserver2.

    Note: Record this value. This value is required to complete the registration process from the Report Server host system.

    passphrase

    Specifies the password required to complete the Report Server registration.

    Limits:

    • The passphrase must contain at least six (6) characters.
    • The passphrase cannot include an ampersand (&) or an asterisk (*).
    • If the passphrase contains a space, it must be enclosed in quotation marks.

    If you do not specify the passphrase in this step, XPSRegClient prompts you to enter and confirm it.

    Note: Record this value. This value is required to complete the registration process from the Report Server host system.

    -report

    Specifies that a Report Server is being registered.

    -t timeout

    (Optional) Specifies how long you have to complete the registration process from the Report Server host system. The Policy Server denies the registration request when the timeout value is reached.

    Unit of measurement: minutes

    Default: 240 (4 hours)

    Minimum Limit: 1

    Maximum Limit: 1440 (one day)

    -r retries

    (Optional) Specifies how many failed attempts are allowed when you complete the registration process from the Report Server host system. A failed attempt can result from submitting an incorrect passphrase to the Policy Server during the registration.

    Default: 1

    Maximum Limit: 5

    -c comment

    (Optional) Inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -cp

    (Optional) Specifies that the registration log file can contain multiple lines of comments. The registration tool prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -l log_path

    (Optional) Specifies where to export the registration log file.

    Default: siteminder_home\log, where siteminder_home is the Policy Server installation path.

    -e error_path

    (Optional) Sends exceptions to the specified path.

    Default: stderr

    -vT

    (Optional) Sets the verbosity level to TRACE.

    -vI

    (Optional) Sets the verbosity level to INFO.

    -vW

    (Optional) Sets the verbosity level to WARNING.

    -vE

    (Optional) Sets the verbosity level to ERROR.

    -vF

    (Optional) Sets the verbosity level to FATAL.

    The utility lists the name of the registration log file. If you did not provide a passphrase, the utility prompts for one.

  4. Press Enter.

    The registration tool creates the client name and passphrase.

You can now register the Report Server with the Policy Server. You complete the registration process from the Report Server host system.
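The XPSRegClient step is the same for the Administrative UI (-adminui) and the Report Server (-report), and the limits on its arguments are easy to get wrong at a prompt: the colon between client_name and passphrase must not be preceded by a space, the passphrase must be at least six characters and contain no ampersand or asterisk, a passphrase with a space must be quoted, -t must be 1 to 1440 minutes, -r must be 1 to 5, and the client name must not have been used before. The following wrapper is an added example, not CA SiteMinder code, that checks all of those before the request reaches the Policy Server and prints the command line for review (or runs it with --exec). XPSRegClient, its switches and siteminder_home come from this page; the function names, the USED_NAMES record file and the default install path /opt/CA/siteminder are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not CA SiteMinder code. Wraps the XPSRegClient step for the
# -adminui and -report registrations: enforces the documented passphrase
# limits, the -t and -r ranges, the client-name uniqueness rule, and the
# "no space before :passphrase" rule before the Policy Server sees the request.
# XPSRegClient, its switches and siteminder_home come from the page; the
# function names, USED_NAMES file and default install path are assumptions.

# Assumption: a local record of client names already used, so a reused
# name is caught here instead of failing on the Policy Server.
USED_NAMES="${USED_NAMES:-$HOME/.xpsregclient-names}"

# Returns 0 if the passphrase meets the documented limits, 1 otherwise.
check_passphrase() {
    pp=$1
    if [ "${#pp}" -lt 6 ]; then
        echo "passphrase must contain at least six (6) characters" >&2
        return 1
    fi
    case $pp in
        *'&'*|*'*'*)
            echo "passphrase cannot include an ampersand (&) or an asterisk (*)" >&2
            return 1 ;;
    esac
    return 0
}

# Returns 0 if -t is an integer in 1..1440 (minutes) and -r is in 1..5.
check_limits() {
    t=$1; r=$2
    case $t in ''|*[!0-9]*) return 1 ;; esac
    case $r in ''|*[!0-9]*) return 1 ;; esac
    [ "$t" -ge 1 ] && [ "$t" -le 1440 ] && [ "$r" -ge 1 ] && [ "$r" -le 5 ]
}

# Returns 0 if the client name has not been recorded in USED_NAMES.
name_is_new() {
    [ -f "$USED_NAMES" ] || return 0
    ! grep -qxF -- "$1" "$USED_NAMES"
}

# Prints the client_name:passphrase token as you would type it at a prompt:
# no space around the colon, and double-quoted when the passphrase has a space.
build_client_arg() {
    case $2 in
        *' '*) printf '"%s:%s"\n' "$1" "$2" ;;
        *)     printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# register_client adminui|report client_name passphrase timeout retries [--exec]
# Without --exec it prints the command for review; with --exec it runs it.
register_client() {
    kind=$1; name=$2; pp=$3; t=$4; r=$5; mode=$6
    case $kind in
        adminui|report) ;;
        *) echo "first argument must be adminui or report" >&2; return 2 ;;
    esac
    check_passphrase "$pp" || return 1
    check_limits "$t" "$r" || { echo "timeout must be 1..1440, retries 1..5" >&2; return 1; }
    name_is_new "$name" || { echo "client name '$name' was used before; choose a new one" >&2; return 1; }
    bin="${SITEMINDER_HOME:-/opt/CA/siteminder}/bin/XPSRegClient"   # assumption: install path
    if [ "$mode" = "--exec" ]; then
        printf '%s\n' "$name" >>"$USED_NAMES"
        # One shell argument for name:passphrase; the shell handles any space.
        exec "$bin" "$name:$pp" "-$kind" -t "$t" -r "$r" -vI
    fi
    printf '%s %s -%s -t %s -r %s -vI\n' \
        "$bin" "$(build_client_arg "$name" "$pp")" "$kind" "$t" "$r"
}

# Stand-alone use: ./xpsreg.sh adminui smui2 'correct horse battery' 240 1
if [ "$#" -gt 0 ]; then
    register_client "$@"
fi
```

Run it from the Policy Server host, where XPSRegClient lives; the dry-run output is what you would otherwise type by hand, and the --exec path passes name:passphrase as a single argument so that a passphrase containing a space never needs manual quoting.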

Gather Registration Information

Completing the registration process between the Report Server and the Policy Server requires specific information. Gather the following information before running the XPSRegClient utility from the Report Server host system.

Register the Report Server with the Policy Server

You register the Report Server with the Policy Server to create a trusted relationship between both components. You configure the connection from the Report Server host system using the Report Server registration tool.

To configure the connection to the Policy Server

  1. From the Report Server host system, open a command–line window and navigate to report_server_home/external/scripts.
    report_server_home

    Specifies the Report Server installation location.

    Default: (Windows) C:\Program Files\CA\SC\CommonReporting3

    Default: (UNIX) /opt/CA/SharedComponents/CommonReporting3

  2. Run one of the following commands:
    -pshost host_name

    Specifies the IP address or name of the Policy Server host system to which you are registering the Report Server.

    -client client_name

    Specifies the client name. The client name identifies the Report Server that you are registering.

    Note: This value must match the client name that you specified using the XPSRegClient utility when you registered the Report Server on the Policy Server host system.

    Example: If you specified "reportserver1" when using the XPSRegClient utility, enter "reportserver1".

    -passphrase passphrase

    Specifies the passphrase that is paired with the client name.

    Note: This value must match the passphrase that you specified using the XPSRegClient utility when you registered the Report Server on the Policy Server host system.

    Example: If you specified "CA SiteMinder®" when using the XPSRegClient utility, enter "CA SiteMinder®". Because this passphrase contains a space, enclose it in quotation marks.

    -psport portnum

    (Optional) Specifies the port on which the Policy Server is listening for the registration request.

    fipsmode

    Specifies how the communication between the Report Server and the Policy Server is encrypted.

    • Zero (0) specifies FIPS–compatibility mode.
    • One (1) specifies FIPS–only mode.

    Default: 0

    Important! Specify 1 when you re–register the Report Server as part of the migration to FIPS–only mode. If you accept the default of 0, the connection remains in FIPS–compatibility mode and the shared secret is not re–encrypted using FIPS–compliant algorithms.

  3. Press Enter.

    You receive a message stating that the registration is successful. You have completed re–registering the Report Server with the Policy Server. When fipsmode is set to 1, the connection between the Report Server and the Policy Server is encrypted using FIPS-compliant algorithms.