

How to Migrate from FIPS_COMPAT Mode to FIPS_Only Mode

Securing sensitive data with FIPS-approved encryption algorithms helps protect that data against disclosure in a breach and makes the federation system more secure overall.

You can migrate your federation system so that it uses only FIPS-compliant encryption algorithms to secure sensitive data.

You can install CA SiteMinder® Federation Standalone in one of the following FIPS modes of operation:

FIPS_COMPAT

FIPS_COMPAT (compatibility) mode is the default FIPS mode of operation during installation. In FIPS_COMPAT mode, the federation system continues to support the current set of non-FIPS algorithms as well as the supported FIPS-compliant algorithms.

FIPS_COMPAT mode is compatible with previous versions of federation. This compatibility enables environments with a version earlier than 12.52 to interoperate with 12.52. FIPS_COMPAT is also suitable for any clients who are satisfied with the degree of security available in the current federation implementation.

If your organization does not require the use of FIPS, install CA SiteMinder® Federation Standalone in FIPS_COMPAT mode. No further configuration is required.

FIPS_ONLY

In FIPS_ONLY mode, the environment uses only FIPS-compliant algorithms to encrypt sensitive data.

Install CA SiteMinder® Federation Standalone in FIPS_ONLY mode for new installations where you want to use only FIPS-compliant algorithms.

The product allows only a one-way migration path: from FIPS_COMPAT mode (the default) through FIPS_MIGRATE mode to FIPS_ONLY mode. FIPS_MIGRATE mode lets you transition a federation environment running in FIPS_COMPAT mode to FIPS_ONLY mode. In FIPS_MIGRATE mode, the federation system continues to use the existing encryption algorithms for existing data while you migrate the environment; however, any new data that requires encryption is encrypted using only FIPS-compliant algorithms.

Important! An environment operating in FIPS_ONLY mode cannot interoperate with, and is not backward compatible with, earlier versions of federation, including custom software built with older versions of the federation APIs. If you have custom software built with pre-12.52 SDKs, recompile it with the 12.52 SDKs to obtain the support required for FIPS_ONLY mode.

To migrate a federation system to FIPS_ONLY mode:

  1. Back up your existing configuration.
  2. Set the OPENSSL_FIPS environment variable.
  3. Set the policy engine to FIPS_MIGRATE mode.
  4. Reencrypt the policy store key.
  5. Reencrypt the policy store administrator password.
  6. Reencrypt the CA SiteMinder® super user password.
  7. Reencrypt client shared secrets.
  8. Reencrypt policy and key store data.
  9. Set the Administrative UI to FIPS_ONLY mode.
  10. Set the embedded secure proxy engine to FIPS_ONLY mode.
  11. Set the embedded policy engine to FIPS_ONLY mode.

Important! After you migrate to FIPS_ONLY mode, partnerships configured with certificates that are not FIPS-approved stop working. Before migrating to FIPS_ONLY operation, reencrypt partnership data using FIPS-compliant algorithms and make sure every partnership uses FIPS-approved certificates.
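As an added example (not from the CA SiteMinder documentation or product), the following Python script audits partnership certificates for the non-FIPS-approved material that the note above warns about, so you can find them before switching to FIPS_ONLY. It reads each certificate's signature algorithm and RSA key size with a small standard-library DER walker and checks them against NIST SP 800-131A (no MD5 or SHA-1 signatures, RSA keys of at least 2048 bits); the precise certificate requirements that SiteMinder enforces in FIPS_ONLY mode are an assumption here and should be confirmed against the product documentation. build_demo_cert() is constructed input with a placeholder signature, included only so the audit runs offline.

```python
"""Pre-migration certificate audit for FIPS_ONLY (added example, not CA SiteMinder code).
Parses a DER X.509 certificate with a minimal ASN.1 reader (standard library only) and
applies NIST SP 800-131A thresholds: no MD5/SHA-1 signatures, RSA modulus >= 2048 bits.
build_demo_cert() is a constructed fixture (placeholder signature, synthetic modulus)."""
SIG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
KEY_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "ecPublicKey"}
WEAK_HASH_SIGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
APPROVED_SIGS = set(SIG_NAMES.values()) - WEAK_HASH_SIGS
MIN_RSA_BITS = 2048                                   # SP 800-131A minimum RSA modulus

def _read_tlv(buf, pos):                              # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n octets carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0       # first octet packs arcs 0 and 1
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:                           # last octet of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Signature algorithm, key algorithm and RSA modulus size of a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _ = list(_children(cert))           # tbsCertificate, signatureAlgorithm, signature
    sig_oid = _decode_oid(next(_children(sig_alg[1]))[1])
    fields = list(_children(tbs[1]))
    if fields[0][0] == 0xA0:                          # optional EXPLICIT [0] version
        fields = fields[1:]
    alg_id, pub_key = list(_children(fields[5][1]))   # serial, sig, issuer, validity, subject, SPKI
    key_oid = _decode_oid(next(_children(alg_id[1]))[1])
    key_bits = None
    if key_oid == "1.2.840.113549.1.1.1":             # RSAPublicKey ::= SEQUENCE { modulus, exponent }
        _, rsa_key, _ = _read_tlv(pub_key[1][1:], 0)  # [1:] skips the BIT STRING unused-bits octet
        key_bits = int.from_bytes(next(_children(rsa_key))[1], "big").bit_length()
    return {"signature": SIG_NAMES.get(sig_oid, sig_oid),
            "key_algorithm": KEY_NAMES.get(key_oid, key_oid), "key_bits": key_bits}

def fips_verdict(info):
    """Apply the SP 800-131A rules -> ('PASS' | 'FAIL', [reasons])."""
    reasons, sig = [], info["signature"]
    if sig in WEAK_HASH_SIGS:
        reasons.append(f"{sig}: MD5/SHA-1 signatures are not acceptable in FIPS_ONLY mode")
    elif sig not in APPROVED_SIGS:
        reasons.append(f"{sig}: signature algorithm is not on the approved list")
    if info["key_algorithm"] == "rsaEncryption" and info["key_bits"] < MIN_RSA_BITS:
        reasons.append(f"RSA {info['key_bits']}-bit key: minimum is {MIN_RSA_BITS} bits")
    return ("FAIL" if reasons else "PASS", reasons)

def _tlv(tag, body):                                  # DER encoder, just enough for the fixture
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _integer(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def build_demo_cert(sig_oid, modulus_bits):
    """Constructed certificate skeleton: parses like a real one, never verifies."""
    alg = _tlv(0x30, _oid(sig_oid) + _tlv(0x05, b""))
    name = _tlv(0x30, b"")                                         # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    modulus = (1 << (modulus_bits - 1)) | 1                        # exact bit length, not a real key
    rsa_key = _tlv(0x30, _integer(modulus) + _integer(65537))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + rsa_key))
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(1) + alg + name + validity + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))       # placeholder signature bytes

if __name__ == "__main__":
    for oid, bits in [("1.2.840.113549.1.1.4", 1024), ("1.2.840.113549.1.1.5", 2048), ("1.2.840.113549.1.1.11", 2048)]:
        status, reasons = fips_verdict(inspect_cert(build_demo_cert(oid, bits)))
        print(f"{SIG_NAMES[oid]}/{bits}: {status}", *reasons, sep="\n  ")
```

Run it against exported partnership certificates with inspect_cert(open("partner.der", "rb").read()); for PEM files, convert first with ssl.PEM_cert_to_DER_cert() from the standard library. A FAIL means the partnership's certificate itself has to be replaced before the migration: reencrypting the partnership data does not change the algorithm the certificate was signed with or the size of its key.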

The following sections describe each procedure in detail.