Migration Roadmap—Re-Encrypt Sensitive Data

Before your environment can operate in FIPS-only mode, you must complete the steps in the following list. The following figure illustrates a sample r12.0 SP2 environment and details each step:

  1. Each Policy Server in the environment is set to operate in FIPS-migration mode.
  2. Each SiteMinder Web agent, including custom Agents, in the environment is set to operate in FIPS-migration mode.

    The shared secrets that the Policy Servers and Agents use to establish encrypted communication channels are encrypted using algorithms that are not FIPS compliant. Re-encrypt the shared secrets before configuring the environment for FIPS-only mode.

  3. Keys and sensitive policy store data are re-encrypted.

    Note: The previous figure depicts a single database instance as a policy/key store. Your environment may use separate database instances for individual policy and key stores.

    Sensitive data stored in a policy store or policy and key stores is encrypted using algorithms that are not FIPS compliant. Re-encrypt the keys and sensitive policy store data before configuring the environment for FIPS-only mode.

  4. (Optional) If your environment uses Basic Password Services, a Policy Server operating in FIPS-migration mode re-encrypts each Password Blob with FIPS-compliant algorithms when the respective user is challenged for authentication. To prevent users from losing their password history and being locked out, identify the Password Blobs that the Policy Server has not yet re-encrypted and notify those users that they must log in or change their password before the environment moves to FIPS-only mode.

    Note: How the password policy is configured determines when the Policy Server re-encrypts the Password Blob:
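
The following Python script is an added illustration of the lazy re-encryption described in step 4; it is not CA code, and SiteMinder's actual Password Blob layout and algorithms are not documented on this page. The `v1:`/`v2:` version tags, the MD5-based "legacy" scheme, the SHA-256-based "migrated" scheme, the HMAC counter-mode keystream, the `PolicyServer` class and the sample users are all stand-ins constructed for the example. What it shows is the shape of the migration: a Policy Server in migration mode can read both blob versions and rewrites a legacy blob the moment the user is challenged, an audit function lists the users whose blobs were never touched, and a server switched to FIPS-only mode refuses a legacy blob, which is the lockout the roadmap warns about.

```python
"""Lazy re-encryption of Password Blobs during a FIPS migration (constructed example)."""
import hmac
import os

LEGACY_TAG = b"v1:"   # stand-in for the pre-FIPS blob format (assumption, not SiteMinder's)
FIPS_TAG = b"v2:"     # stand-in for the re-encrypted blob format (assumption, not SiteMinder's)
NONCE_LEN = 12
# Each version: (hash used as PRF for keystream and MAC, MAC length in bytes).
SCHEMES = {
    LEGACY_TAG: ("md5", 16),     # MD5 is not a FIPS-approved algorithm
    FIPS_TAG: ("sha256", 32),    # SHA-256/HMAC are FIPS-approved primitives
}


def _keystream(prf, key, nonce, length):
    """Counter-mode keystream derived from HMAC-<prf>; a stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), prf).digest()
        counter += 1
    return out[:length]


def seal(tag, key, plaintext):
    """Encrypt-then-MAC a blob under the scheme selected by `tag`."""
    prf, _ = SCHEMES[tag]
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(prf, key, nonce, len(plaintext))
    body = tag + nonce + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(key, body, prf).digest()


def blob_version(blob):
    for tag in SCHEMES:
        if blob.startswith(tag):
            return tag
    raise ValueError("unknown blob version")


def unseal(key, blob):
    """Verify the MAC and decrypt; returns (version tag, plaintext)."""
    tag = blob_version(blob)
    prf, mac_len = SCHEMES[tag]
    body, mac = blob[:-mac_len], blob[-mac_len:]
    if not hmac.compare_digest(hmac.new(key, body, prf).digest(), mac):
        raise ValueError("blob integrity check failed")
    nonce = body[len(tag):len(tag) + NONCE_LEN]
    ct = body[len(tag) + NONCE_LEN:]
    ks = _keystream(prf, key, nonce, len(ct))
    return tag, bytes(c ^ k for c, k in zip(ct, ks))


class PolicyServer:
    """Models how a Policy Server handles Password Blobs in the two FIPS modes."""

    def __init__(self, key, store, mode="migration"):
        self.key = key
        self.store = store   # user name -> stored Password Blob
        self.mode = mode     # "migration" (reads both versions) or "only" (FIPS-only)

    def on_user_challenged(self, user):
        """Called when the user is challenged; returns True if the blob was re-encrypted."""
        blob = self.store[user]
        if blob_version(blob) == LEGACY_TAG and self.mode == "only":
            # The legacy algorithm is unavailable in FIPS-only mode: the user is locked out.
            raise RuntimeError(f"{user}: legacy Password Blob cannot be read in FIPS-only mode")
        tag, history = unseal(self.key, blob)
        if tag == LEGACY_TAG:
            self.store[user] = seal(FIPS_TAG, self.key, history)  # history is preserved
            return True
        return False

    def unmigrated_users(self):
        """Step 4 of the roadmap: users whose Password Blob has not been re-encrypted."""
        return sorted(u for u, b in self.store.items() if blob_version(b) == LEGACY_TAG)


def demo():
    key = b"policy-server-key"  # constructed sample key
    store = {  # constructed sample users; plaintext stands in for password history data
        "alice": seal(LEGACY_TAG, key, b"history:alice-pw1,alice-pw2"),
        "bob": seal(LEGACY_TAG, key, b"history:bob-pw1"),
        "carol": seal(FIPS_TAG, key, b"history:carol-pw1"),
    }
    ps = PolicyServer(key, store, mode="migration")
    alice_migrated = ps.on_user_challenged("alice")   # alice logs in: blob rewritten
    remaining = ps.unmigrated_users()                 # bob never logged in
    ps.mode = "only"                                  # cut over without notifying bob
    try:
        ps.on_user_challenged("bob")
        bob_locked_out = False
    except RuntimeError:
        bob_locked_out = True
    return alice_migrated, remaining, bob_locked_out


if __name__ == "__main__":
    print(demo())
```

Run `unmigrated_users()` before the cut-over and notify the users it lists; once the mode is flipped to FIPS-only, the only remaining remedy is an administrative password reset.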


Copyright © 2010 CA. All rights reserved.