Set the Policy Server to FIPS-only Mode

Setting the Policy Server to FIPS-only mode configures the Policy Server to read and write encrypted information using only FIPS-compliant algorithms.

Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history.

Note: More information on identifying Password Blobs that are not re-encrypted exists in Verify that Password Blobs are Re-encrypted.

To set the Policy Server to FIPS-only mode

  1. Open a command prompt on the machine hosting the Policy Server and run the following command:
    setFIPSonly

    The command prints ONLY in the command window, confirming the new setting.

  2. Stop the Policy Server.

    Note: More information on stopping and starting the Policy Server exists in the Policy Server Administration Guide.

  3. Do one of the following so that the Policy Server process starts with the new setting:
    a. If the Policy Server is installed on a Windows system, reboot the machine.
    b. If the Policy Server is installed on a UNIX system, log out, then log in again as the user that starts the Policy Server.
  4. Start the Policy Server.
  5. Open the smps.log file and verify that the following line appears, with a timestamp later than the restart (smps.log is appended to across restarts, so a copy of the line from an earlier start does not confirm the current setting):
    Policy Server employing only FIPS-140 cryptographic algorithms.

  6. Close the log file.

    The Policy Server is set to operate in FIPS-only mode.

  7. Repeat steps 1 through 6 for each Policy Server in the environment.
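The following script is an added example and is not part of the CA documentation or the setFIPSonly tool. It automates the verification in step 5 and the repetition in step 7: it records where smps.log ends before the restart, then confirms that the FIPS-only message was written after that point, so that a message left over from an earlier start cannot be mistaken for confirmation. The server names, log paths, and log lines are constructed for the demo; it assumes you can read each Policy Server's smps.log from where the script runs (for example from a copy or a mounted directory).

```shell
#!/bin/sh
# Added example, not CA code: confirm from smps.log that each Policy Server
# restarted in FIPS-only mode. Server names, paths and log lines below are
# constructed; the only text taken from the procedure is FIPS_ONLY_MSG.
set -eu

# Exact message the procedure says to look for. Real smps.log entries carry a
# thread/timestamp prefix, so the message is matched as a substring, not a line.
FIPS_ONLY_MSG='Policy Server employing only FIPS-140 cryptographic algorithms.'

# log_mark FILE: print the current line count of FILE (0 if it does not exist).
# Run this BEFORE stopping the Policy Server (step 2). smps.log is appended to
# across restarts, so a message from an earlier start must not count.
log_mark() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# fips_only_since FILE MARK: exit 0 only if the FIPS-only message appears
# after line MARK of FILE, i.e. was written by the restarted process.
fips_only_since() {
    [ -f "$1" ] || return 1
    tail -n +"$(( $2 + 1 ))" "$1" | grep -Fq -- "$FIPS_ONLY_MSG"
}

# check_all INVENTORY: INVENTORY holds one "name|logpath|mark" line per
# Policy Server (step 7). Prints a status per server; exit 0 only if every
# server shows FIPS-only mode since its mark.
check_all() {
    _rc=0
    while IFS='|' read -r _name _log _mark; do
        [ -n "$_name" ] || continue
        if fips_only_since "$_log" "$_mark"; then
            echo "$_name: FIPS-only confirmed"
        else
            echo "$_name: NOT confirmed (re-run setFIPSonly and restart)"
            _rc=1
        fi
    done < "$1"
    return $_rc
}

# Constructed demo: two fake smps.log files. psA restarts in FIPS-only mode;
# psB restarts without the message and is reported as not confirmed.
demo() {
    _d=$(mktemp -d)
    printf '%s\n' \
        '[1/1][Mon Jan 04 2010 09:00:00][Startup][INFO] Policy Server started' \
        > "$_d/psA.smps.log"
    _markA=$(log_mark "$_d/psA.smps.log")          # taken before the restart
    printf '%s\n' \
        '[1/1][Mon Jan 04 2010 09:10:00][Startup][INFO] Policy Server started' \
        "[1/1][Mon Jan 04 2010 09:10:01][Startup][INFO] $FIPS_ONLY_MSG" \
        >> "$_d/psA.smps.log"
    printf '%s\n' \
        '[1/1][Mon Jan 04 2010 09:00:00][Startup][INFO] Policy Server started' \
        > "$_d/psB.smps.log"
    _markB=$(log_mark "$_d/psB.smps.log")
    printf '%s\n' \
        '[1/1][Mon Jan 04 2010 09:10:00][Startup][INFO] Policy Server started' \
        >> "$_d/psB.smps.log"
    printf 'psA|%s|%s\npsB|%s|%s\n' \
        "$_d/psA.smps.log" "$_markA" "$_d/psB.smps.log" "$_markB" \
        > "$_d/inventory"
    check_all "$_d/inventory" || echo "at least one Policy Server is not in FIPS-only mode"
    rm -rf "$_d"
}

demo
```

In practice, run log_mark against each server's smps.log before step 2, restart, then feed the recorded marks to check_all; a server that reports NOT confirmed has either not picked up the setFIPSonly setting (on UNIX, typically because the Policy Server was started from a session that predates the change) or has not finished starting.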

You may now re-register each Administrative UI with its respective Policy Server.


Copyright © 2010 CA. All rights reserved.