Implementation Guide › Installing CA User Activity Reporting Module › Upgrade Existing CA User Activity Reporting Module Servers and Agents for FIPS Support

Upgrade Existing CA User Activity Reporting Module Servers and Agents for FIPS Support

You can upgrade existing CA User Activity Reporting Module servers and agents for FIPS support using the Subscription Service. This upgrade process assumes the following:

• You installed CA User Activity Reporting Module r12.1, or upgraded to that level from r12.0 SP3.
• You want to enable FIPS mode for your CA User Activity Reporting Module federation.

Use the following process to upgrade your servers:

The upgrade and FIPS enablement process includes the following steps:

1. Upgrade the primary or Management server to r12.1 SP1.
2. If you use a remote CA EEM server, ensure that it is at a release level that supports FIPS operation. Upgrade all other CA User Activity Reporting Module servers in the federation to r12.1 SP1.
3. Upgrade all the agents to r12.1 SP1 and update the connector log sensors as needed.

   Important! If you deployed a connector that uses the syslog log sensor on a Windows host, update all of these connector configurations to use the latest syslog sensor for this release, when running in FIPS mode. Refer to the CA User Activity Reporting Module Product Integration Matrix for the latest list of integrations that use the syslog log sensor.

4. Disable ODBC and JDBC access to the event log store.
5. Enable FIPS mode on each of the secondary CA User Activity Reporting Module servers in the federation.

   Agents automatically detect the operating mode from the CA User Activity Reporting Module server that manages them.

6. Enable FIPS mode on the primary or Management server.
7. Verify that the agents are running in FIPS mode using the Agent Explorer dashboard.

   You can also verify that the agents are sending events using a query or report, or by examining the self monitoring events tab in the System Status Service area.

When you upgrade an existing agent to r12.1 SP1, the subscription processing updates the agent in non-FIPS mode by default. You set the FIPS mode for the CA User Activity Reporting Module server that manages an agent. An agent detects the FIPS mode of its managing server and restarts itself in the corresponding mode as needed. Use the Agent Explorer dashboard in the CA User Activity Reporting Module user interface to view the FIPS mode for an agent, if you have Administrator user privileges.

More information:

Subscription

Apply Subscription Updates to Agents and Connectors

View Agent Dashboard

Enable FIPS Mode Operation

Prerequisites for Upgrade for FIPS Support

The following are prerequisites for upgrading CA User Activity Reporting Module to support FIPS 140-2:

• Begin with an installation of either CA User Activity Reporting Module r12.0 SP3 or r12.1
• Upgrade to CA User Activity Reporting Module r12.1 SP1 through subscription

More information:

Adding New CA User Activity Reporting Module Servers to an Existing FIPS Mode Federation

Upgrade Guidelines

The following guidelines apply to upgrading to CA User Activity Reporting Module with FIPS support:

• If you have more than one CA User Activity Reporting Module server in a federation, upgrade the primary or Management CA User Activity Reporting Module server to r12.1 SP1 first. Then you can upgrade all other servers in any order. The upgraded server starts in non-FIPS mode only. Enabling FIPS mode requires an Administrator user to set the operating mode manually.

  Important! Do not switch to FIPS mode on any secondary CA User Activity Reporting Module server during subscription processing. This can cause subscription processing to fail.

• CA User Activity Reporting Module servers at r12.1 SP1 can communicate with r12.1 agents, but agent-level FIPS support is not available until you upgrade to r12.1 SP1.
• When you enable FIPS mode, only r12.1 SP1 FIPS-enabled agents and later can communicate with the CA User Activity Reporting Module server. When you enable non-FIPS mode, the CA User Activity Reporting Module server is fully backward compatible with older agents, but FIPS mode operation is not available. We recommend that you install only r12.1 SP1 agents after upgrading your CA User Activity Reporting Module servers to r12.1 SP1.
• Agents associated with a CA User Activity Reporting Module server automatically detect server mode changes and restart themselves in the corresponding mode.
• Adding a new CA User Activity Reporting Module server to an existing federation running in FIPS mode requires special handling.

Upgrading a Remote CA EEM Server

If you are using a stand-alone CA EEM server with your CA User Activity Reporting Module installation, upgrade it for FIPS support before upgrading any of your CA User Activity Reporting Module servers or agents. See the instructions in the CA EEM Getting Started guide for details and instructions.

Disable ODBC and JDBC Access to the Event Log Store

You can prevent ODBC and JDBC access to the events in the event log store using options in the ODBC Service configuration dialog. If you plan to run your federated network in FIPS mode, disable the ODBC and JDBC access to remain in compliance with federal standards.

To disable ODBC and JDBC access

1. Log in to the CA User Activity Reporting Module server and access the Administration tab.
2. Click the Services subtab and then expand the ODBC Service node.
3. Select the desired server.
4. Clear the Enable Service check box and then click Save.

   Note: Disable the ODBC option for each CA User Activity Reporting Module server in a federation to verify that ODBC and JDBC are disabled.

Enable FIPS Mode Operation

You can use the FIPS Mode options in the System Status service to turn FIPS mode on and off. The default FIPS mode is non-FIPS. Administrator users must set the FIPS mode for each CA User Activity Reporting Module server in a federation.

Important! You cannot operate with mixed modes within the same federation of servers. Any server in a federation running in a different mode is not able to gather query and report data, or respond to requests, from the other servers.

To switch between FIPS and non-FIPS modes

1. Log in to the CA User Activity Reporting Module server.
2. Access the Administration tab, and then click the Services subtab.
3. Expand the System Status service node and select the desired CA User Activity Reporting Module server.

   The System Status Service Configuration dialog appears.

4. Select the desired FIPS mode, On or Off, from the drop-down list.
5. Click Save.

   The CA User Activity Reporting Module server restarts in the selected mode. You can log in again to view agent FIPS mode from the Agent Explorer.

6. Verify the CA User Activity Reporting Module server operating mode by checking the System Status service dialog after the server restarts.

   You can also use self monitoring events to verify that the CA User Activity Reporting Module server started in the desired mode. Look for the following events in the Self Monitoring Events tab in the System Status dialog:

   Successfully turned Server FIPS mode ON
   Successfully turned Server FIPS mode OFF
   Failed to turn Server FIPS mode ON
   Failed to turn Server FIPS mode OFF
   

Disabling FIPS mode for the primary or Management server stops all federated queries and reports returning data. In addition, scheduled reports do not run. This condition continues until all servers in the federation are running in the same mode again.

Note: Disabling FIPS on the Management or remote CA EEM server is one of the requirements for adding a new CA User Activity Reporting Module server to a federation of server running in FIPS mode.

View Agent Dashboard

You can view the agent dashboard to view the status of agents in your environment. The dashboard also displays details such as the current FIPS mode (FIPS or non-FIPS), and usage details. These include events per second load, CPU percentage use, and most recent update date and time.

To view the agent dashboard

1. Click the Administration tab, and then the Log Collection subtab.

   The Log Collection folder list appears.

2. Select the Agent Explorer folder.

   Agent management buttons appear in the details pane.

3. Click Agent Status Monitor and Dashboard:

   The agent search panel appears, displaying status for all available agents in a details chart. For example:

   Total: 10 Running: 8 Pending: 1 Stopped: 1 Not Responding: 0
   

4. (Optional) Select agent search criteria to narrow the list of displayed agents. You can select any one or more of the following criteria:
   • Agent Group—returns only agents assigned to the selected group
   • Platform—returns only agents running on the selected platform
   • Status—returns only agents with the Status you select, Running, for example.
   • Agent name pattern—returns only agents containing the specified pattern.
5. Click Show Status.

   A list of agents meeting your search criteria appears, displaying information including:

   • Local connector name and version
   • Current CA User Activity Reporting Module server
   • Agent FIPS Mode (FIPS or non-FIPS)
   • Last recorded event per second load handled by the agent
   • Last recorded CPU usage value
   • Last recorded memory usage value
   • Most recent configuration update
   • Configuration update status