Previous Topic: Using FIPS-Compliant Algorithms

Next Topic: FIPS 140-2 Migration Requirements

FIPS 140-2 Migration Overview

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140–2 compliant cryptographic libraries. FIPS is a US government computer security standard used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). These libraries provide a FIPS mode of operation when a SiteMinder environment only uses FIPS–compliant algorithms to encrypt sensitive data. A SiteMinder environment can operate in one of the following FIPS modes of operation:

By default, a SiteMinder environment upgraded to r12.0 SP2 is operating in FIPS–compatibility mode. In FIPS–compatibility mode, the environment uses algorithms existing in previous versions of SiteMinder to encrypt sensitive data and is compatible with previous versions SiteMinder. If your organization does not require the use of FIPS–compliant algorithms, the Policy Server can operate in FIPS–compatibility mode without further configuration.

Migrating your environment to use only FIPS–compliant algorithms is comprised of two stages.

  1. Re–encrypt existing sensitive data—In stage one, you configure the environment to operate in FIPS–migration mode. FIPS–migration mode lets you transition an r12.0 SP2 environment running in FIPS–compatibility mode to FIPS–only mode. In FIPS–migration mode, the r12.0 SP2 environment continues to use existing SiteMinder encryption algorithms as you re–encrypt existing sensitive data using FIPS-compliant algorithms.
  2. Configure FIPS–only mode—In stage two you configure your environment to operate in FIPS–only mode. In FIPS–only mode, the environment only uses FIPS–compliant algorithms to encrypt sensitive data.

    Important! An environment that is running in FIPS–only mode cannot interoperate with and is not backward compatible to earlier versions of SiteMinder. This includes all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. Re–link all such software with the r12.0 SP2 versions of the respective SDKs to achieve the required support for FIPS–only mode.

Note: More information on the FIPS Certified Module and the algorithms being used; the data that is being protected; and the SiteMinder Cryptographic Boundary exists in the Policy Server Administration Guide.


Copyright © 2010 CA. All rights reserved. Email CA about this topic