

Set the CA SiteMinder® Federation Standalone UI to FIPS_Only Mode
After re-encrypting all the necessary data to use FIPS-compatible algorithms, confirm that all the partnerships and the SSL configuration are FIPS-compatible.
Follow these steps:
- Restart the federation services according to your operating environment.
  - Windows
    Use the stop and start shortcuts as follows. If you logged in as a network user and not a local administrator, right-click the shortcut and select Run as administrator.
    - Start, All Programs, CA, Federation Standalone, Stop services
    - Start, All Programs, CA, Federation Standalone, Start services
  - UNIX
    a. Open a command window.
    b. Run the following scripts:
       federation_install_dir/fedmanager.sh stop
       federation_install_dir/fedmanager.sh start
    Note: Do not stop and start the services as the root user.
- Log in to the Administrative UI.
- Navigate to Infrastructure, Deployment Settings.
The Configure Deployment Settings dialog opens.
- Verify that the Confirm button in the Deployment Settings section is active and the message Ready to Migrate to Only mode is set to Yes.
  If these two conditions are not met, one or more of the partnerships or the SSL configuration is not FIPS-enabled. A partnership is not FIPS-enabled for any of the following reasons:
  - The Redirect Mode setting in the Application Integration dialog uses an open-format cookie with a PBE algorithm.
    If you configure the Redirect Mode setting to use an open-format cookie with a PBE encryption algorithm, the mode is not FIPS-compatible.
  - The delivery type for provisioning is set to the open-format cookie with a PBE algorithm.
    If you configure the Provisioning Delivery Type to use an open-format cookie with a PBE encryption algorithm, this delivery mechanism is not FIPS-compatible.
  - The global open-format cookie settings for delegated authentication use a PBE algorithm.
    If you set the open-format cookie in the Deployment Settings dialog to use a PBE encryption algorithm, the cookie is not FIPS-compatible.
  To correct these problems, do the following:
  - If there are non-FIPS partnerships, deactivate these partnerships or verify that all such partnerships use FIPS-approved certificates and encryption algorithms.
  - If the SSL configuration is not FIPS-approved, deactivate SSL and configure it again using FIPS-approved certificates.
- Click Confirm to migrate the UI to FIPS_ONLY mode.
The Administrative UI is now operating in FIPS_ONLY mode.
Copyright © 2013 CA.
All rights reserved.
 