Migration to FIPS ONLY Mode

If the SiteMinder Policy Server is in FIPS ONLY or FIPS COMPAT mode, you can change the FIPS mode of SPS from FIPS COMPAT to FIPS ONLY after you upgrade.

Follow these steps:

  1. Stop SPS services.
  2. Set the value of the OPENSSL_FIPS environment variable to 1.
  3. Perform one of the following steps:
    1. If you are changing the FIPS mode on Windows, set the CA_SM_PS_FIPS140 environment variable to ONLY.
    2. If you are changing the FIPS mode on UNIX, perform the following steps:
      1. Open the proxyserver.sh file.

        Default Path: sps-home/proxy-engine/proxyserver.sh

      2. Set the value of the CA_SM_PS_FIPS140 environment variable to ONLY.
  4. Execute the following command from the command prompt:
    smreghost -i policy_server_ip_address -u administrator_user_name -p administrator_password -hn hostname_for_registration -hc host_config_object -f path_to_host_config_file -o -cf ONLY
    

    Example:

    smreghost -i localhost -u siteminder -p firewall -hn helloworld -hc host -f "C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf" -o -cf ONLY
    
  5. Determine whether SPS is running in full SSL mode. If SSL is already enabled on Apache inside SPS, SSL must be disabled and reconfigured for FIPS ONLY mode.
  6. Open the httpd-ssl.conf file.

    Default Path: sps_home\httpd\conf\extra\httpd-ssl.conf

  7. Set the value of the SSLPassPhraseDialog variable to custom.
  8. Uncomment the following line:
    SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
    
  9. Set the value of the SSLCustomPropertiesFile variable to <sps_home>\httpd\conf\spsapachessl.properties.
  10. Set the value of the SSLSpsFipsMode variable to ONLY.
  11. Restart the computer.
  12. Start SPS services.
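
The following check is an added example, not part of the product documentation: it reads the text of httpd-ssl.conf and an environment mapping and reports which of the settings from the steps above are not yet in place. It assumes the directives are written Apache-style as `Name value` on one line; the function names and the sample file content are constructed for illustration.

```python
import os
import re

# Values from steps 7-10. Assumption: Apache-style "Name value" directive lines.
REQUIRED = {
    "SSLPassPhraseDialog": "custom",
    "SSLCustomPropertiesFile": "spsapachessl.properties",  # compared by file name
    "SSLSpsFipsMode": "ONLY",
}

def active_directives(conf_text):
    """Map lower-cased directive name to value, skipping commented lines."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].strip().strip('"')
    return found

def check_httpd_ssl(conf_text):
    """Return a list of problems; an empty list means steps 7-10 are applied."""
    found = active_directives(conf_text)
    problems = []
    for name, want in REQUIRED.items():
        got = found.get(name.lower())
        if got is None:
            problems.append(f"{name}: missing or still commented out")
        elif name == "SSLCustomPropertiesFile":
            # Accept either path separator; only the file name is compared.
            if re.split(r"[\\/]", got)[-1] != want:
                problems.append(f"{name}: points to {got}")
        elif got != want:
            problems.append(f"{name}: is {got}, expected {want}")
    return problems

def check_env(env):
    """Check the variables from steps 2 and 3 in the given environment mapping."""
    want = {"OPENSSL_FIPS": "1", "CA_SM_PS_FIPS140": "ONLY"}
    return [f"{k}: is {env.get(k)!r}, expected {v}" for k, v in want.items() if env.get(k) != v]

# Constructed sample: steps 7 and 8 done, steps 9 and 10 not yet applied.
SAMPLE = '''SSLPassPhraseDialog custom
SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
#SSLSpsFipsMode COMPAT
'''

if __name__ == "__main__":
    print(check_httpd_ssl(SAMPLE) + check_env(os.environ))
```

Run the environment check from the same context that starts SPS services, since on UNIX the CA_SM_PS_FIPS140 variable is set inside proxyserver.sh rather than in the login shell.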