Configuring a CA Workload Automation AE Instance › Enable FIPS Mode for a Server or Client Installation

Enable FIPS Mode for a Server or Client Installation

CA Workload Automation AE uses FIPS-approved and non-FIPS approved security algorithms unless you enable FIPS mode. When CA Workload Automation AE operates in FIPS mode, the system only uses security algorithms that comply with the standards in the FIPS 140-2 publication.

Notes:

• This procedure applies primarily to U.S. government agencies required to comply with FIPS guidelines.
• This procedure applies only to server or client installations.
• This procedure enables FIPS mode for a particular CA Workload Automation AE instance and the common components that are associated with that instance (the CA iTechnology iGateway service, the CA EEM server, and the CA Secure Sockets Adapter (SSA) Broker). Running all CA Workload Automation AE instances, CA common components, and other CA Technologies products that are installed on your system in FIPS mode ensures that your system is fully compliant with the guidelines in the FIPS 140-2 publication.
• The Windows Service Control Manager displays the name of the CA SSA Broker service as "CA Connection Broker".

Follow these steps:

1. Click Start, Programs, CA, Workload Automation AE, Administrator.

   The Instance - CA Workload Automation AE Administrator window opens.

2. Select the instance that you want to enable FIPS mode for from the instance drop down list in the Settings pane.
3. Click the Services icon on the toolbar.

   The Services - CA Workload Automation AE Administrator window appears, displaying a list of services that are installed on the selected instance.

4. Right-click the scheduler and select Stop. Repeat this action for the application server and agent.

   The scheduler, application server, and the agent stop.

5. Open the Windows Service Control Manager and stop the following services:
   • CA Connection Broker
   • CA-Unicenter
   • CA-Unicenter (NR-Server)
   • CA-Unicenter (Remote)
   • CA-Unicenter (Transport)

   The CA SSA Broker, Event Management, and CAICCI services stop.

   Important! Event Management and CAICCI do not comply with the FIPS 140-2 guidelines. If you restart these services, your system will not comply with the FIPS 140-2 guidelines even if all other CA Technologies products, CA common components, and CA Workload Automation AE instances are running in FIPS mode.

6. Perform the following tasks on CA Workload Automation AE and on the CA EEM server:
   1. Open the Windows Service Control Manager and stop the following services:
      • CA iTechnology iGateway
      • CA Directory iTechPoz

      The CA iTechnology iGateway and CA Directory iTechPoz services stop. All active common components are stopped.

   2. Edit the following parameter in the iTechnology iGateway configuration file:

      <FIPSMode>on</FIPSMode>
      

      Notes:

      • To disable FIPS mode, reset the value of this parameter to default:

        <FIPSMode>off</FIPSMode>
        

      • The CA iTechnology iGateway configuration file is named %IGW_LOC%\igateway.conf.
   3. Open the Windows Service Control Manager and start the following services:
      • CA iTechnology iGateway
      • CA Directory iTechPoz

      The CA iTechnology iGateway and CA Directory iTechPoz services start.

   The CA EEM server runs in FIPS mode.

   Note: Stop and start the CA Directory iTechPoz service only on the CA EEM server as it is applicable only to CA EEM.

7. Click Start, Programs, CA, Workload Automation AE, Administrator.

   The Instance - CA Workload Automation AE Administrator window opens.

8. Click the Instance Wide Encryption tab, select the Use AES 128-bit encryption check box, and select the appropriate encryption option.
9. Click the zOS Encryption tab, select the Use AES 128-bit encryption when communicating with zOS managers check box, and enter the encryption key.
10. Click the FIPS Mode tab, select the Enable FIPS Mode check box, and click Apply.
11. Open the file specified by the oscomponent.environment.variable parameter in the agentparm.txt file and append the following environment variable and value to the file name:

    CA_FIPS1402_ENABLE=1
    

    Note: To disable FIPS mode, reset the value of this parameter to default:

    CA_FIPS1402_ENABLE=0
    

    You define the file specified by the oscomponent.environment.variable parameter when you install CA Workload Automation AE. For more information about the oscomponent.environment.variable parameter, see the CA Workload Automation Agent for UNIX, Linux, or Windows Implementation Guide.

12. Click the Services icon on the toolbar.

    The Services - CA Workload Automation AE window appears, displaying a list of services that are installed on the selected instance.

13. Right-click the scheduler and select Start. Repeat this action for the application server and agent.

    The scheduler, application server, and the agent start. The scheduler automatically restarts the CA SSA Broker in FIPS mode. The CA Workload Automation AE instance runs in FIPS mode.