CA SiteMinder® SPS supports the requirements for cryptographic modules specified in the FIPS 140-2 standard. When you install CA SiteMinder® SPS, a dialog appears that prompts you to select the level of FIPS support your operating configuration requires. If you are upgrading an existing CA SiteMinder® SPS installation, CA SiteMinder® SPS continues to work as before, that is, in COMPAT mode. You can change the mode manually using the smreghost command, as described in subsequent sections. Be sure to restart the system after a mode change so that the Web Agent, CA SiteMinder® SPS server, and the Apache server pick up the changes.
During a new installation you can select one of these three FIPS modes:
The FIPS mode you select during installation is usually the same as the FIPS mode configured on the Policy Server. When the Policy Server is in Migrate mode, it can operate with CA SiteMinder® SPS in any mode.
If you are upgrading from an earlier version and want to use FIPS-compliant algorithms, you can change the Web Agent inside CA SiteMinder® SPS from COMPAT mode to MIGRATE mode.
To set CA SiteMinder® SPS to FIPS MIGRATE mode
smreghost -i policy_server_ip_address -u administrator_user_name -p administrator_password -hn hostname_for_registration -hc host_config_object -f path_to_host_config_file -o -cf MIGRATE
Example:
smreghost -i localhost -u siteminder -p firewall -hn helloworld -hc host -f "C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf" -o -cf MIGRATE
The Web Agent inside CA SiteMinder® SPS is changed from FIPS COMPAT to FIPS MIGRATE mode.
After you install CA SiteMinder® SPS in FIPS ONLY mode, the following additional configuration steps are required:
If the SiteMinder Policy Server is in FIPS ONLY or FIPS COMPAT mode, you can change the FIPS mode of CA SiteMinder® SPS from FIPS COMPAT to FIPS ONLY after you upgrade.
Follow these steps:
Default Path: sps-home/proxy-engine/proxyserver.sh
smreghost -i policy_server_ip_address -u administrator_user_name -p administrator_password -hn hostname_for_registration -hc host_config_object -f path_to_host_config_file -o -cf ONLY
Example:
smreghost -i localhost -u siteminder -p firewall -hn helloworld -hc host -f "C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf" -o -cf ONLY
Default Path: sps_home\httpd\conf\extra\httpd-ssl.conf
SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
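Added example, not part of the CA documentation: a post-change check that reads the host configuration file passed to smreghost with -f and confirms the recorded FIPS mode matches the value given to -cf. It assumes SmHost.conf stores one key="value" pair per line and records the mode under a fipsmode key; that layout, the key name, and the sample contents are assumptions, not taken from this page.

```python
import re

VALID_MODES = {"COMPAT", "MIGRATE", "ONLY"}  # the -cf values named on this page

# Assumed layout: one key="value" pair per line; '#' starts a comment line.
_PAIR = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"\r\n]*?)"?\s*$')

# Constructed sample, not a real host registration file.
SAMPLE_CONF = '''\
# constructed sample
hostname="helloworld"
#fipsmode="COMPAT"
fipsmode="MIGRATE"
'''

def read_fips_mode(conf_text, key="fipsmode"):
    """Return the upper-cased mode recorded in the file, or None if absent."""
    found = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out entry must not count as the live setting
        m = _PAIR.match(line)
        if m and m.group(1).lower() == key:
            found = m.group(2).strip().upper()  # last occurrence wins
    return found

def check_fips_mode(conf_text, expected):
    """Compare the recorded mode with the -cf value requested; return (ok, message)."""
    expected = expected.upper()
    if expected not in VALID_MODES:
        raise ValueError("expected mode must be one of %s" % sorted(VALID_MODES))
    actual = read_fips_mode(conf_text)
    if actual is None:
        return False, "no fipsmode entry found; the host may not have been re-registered"
    if actual not in VALID_MODES:
        return False, "unrecognised mode %r in host configuration file" % actual
    if actual != expected:
        return False, "file records %s but %s was requested" % (actual, expected)
    return True, "host configuration file records %s" % actual

if __name__ == "__main__":
    # Run against the constructed sample; pass real file contents in practice.
    for wanted in ("MIGRATE", "ONLY"):
        print(wanted, check_fips_mode(SAMPLE_CONF, wanted))
```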
Copyright © 2014 CA Technologies.
All rights reserved.