

Configure CA SiteMinder® SPS to Use FIPS

CA SiteMinder® SPS supports the requirements for cryptographic modules specified in the FIPS 140-2 standard. When you install CA SiteMinder® SPS, a dialog appears that prompts you to select the level of FIPS support your operating configuration requires. If you are upgrading an existing CA SiteMinder® SPS installation, CA SiteMinder® SPS continues to work as before, that is, in COMPAT mode. You can change the mode manually using the smreghost command, as described in subsequent sections. Be sure to restart the system after a mode change so that the Web Agent, CA SiteMinder® SPS server, and the Apache server pick up the changes.

During a new installation you can select one of these three FIPS modes:

The FIPS mode you select during installation is usually the same as the FIPS mode configured on the Policy Server. When the Policy Server is in Migrate mode, it can operate with CA SiteMinder® SPS in any mode.

Migration to FIPS MIGRATE Mode

If you are upgrading from an earlier version and want to use FIPS-compliant algorithms, you can change the Web Agent inside CA SiteMinder® SPS from COMPAT mode to MIGRATE mode.

To set CA SiteMinder® SPS to FIPS MIGRATE mode

  1. Stop the CA SiteMinder® SPS services.
  2. Open a command-line window.
  3. Enter the following command:
    smreghost -i policy_server_ip_address -u administrator_user_name -p administrator_password -hn hostname_for_registration -hc host_config_object -f path_to_host_config_file -o -cf MIGRATE

    Example:

    smreghost -i localhost -u siteminder -p firewall -hn helloworld -hc host -f "C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf" -o -cf MIGRATE

  4. Restart the machine (Windows only).
  5. Restart the CA SiteMinder® SPS services.

The Web Agent inside CA SiteMinder® SPS is changed from FIPS COMPAT to FIPS MIGRATE mode.

Configuration Process for FIPS ONLY Mode

After you install CA SiteMinder® SPS in FIPS ONLY mode, the following additional configuration steps are required:

Migration to FIPS ONLY Mode

If the SiteMinder Policy Server is in FIPS ONLY or FIPS COMPAT mode, you can change the FIPS mode of CA SiteMinder® SPS from FIPS COMPAT to FIPS ONLY after you upgrade.

Follow these steps:

  1. Stop the CA SiteMinder® SPS services.
  2. Set the value of the OPENSSL_FIPS environment variable to 1.
  3. Perform one of the following steps:
    1. If you are changing the FIPS mode on Windows, set the CA_SM_PS_FIPS140 environment variable to ONLY.
    2. If you are changing the FIPS mode on UNIX, perform the following steps:
      1. Open the proxyserver.sh file.

        Default Path: sps-home/proxy-engine/proxyserver.sh

      2. Set the value of the CA_SM_PS_FIPS140 environment variable to ONLY.
  4. Execute the following command from the command prompt:
    smreghost -i policy_server_ip_address -u administrator_user_name -p administrator_password -hn hostname_for_registration -hc host_config_object -f path_to_host_config_file -o -cf ONLY

    Example:

    smreghost -i localhost -u siteminder -p firewall -hn helloworld -hc host -f "C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf" -o -cf ONLY

  5. Determine whether CA SiteMinder® SPS is running in full SSL mode. If SSL is already enabled on Apache inside CA SiteMinder® SPS, SSL must be disabled and reconfigured for FIPS ONLY mode.
  6. Open the httpd-ssl.conf file.

    Default Path: sps_home\httpd\conf\extra\httpd-ssl.conf

  7. Set the value of the SSLPassPhraseDialog variable to custom.
  8. Uncomment the following line:
    SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"

  9. Set the value of the SSLCustomPropertiesFile variable to <sps_home>\httpd\conf\spsapachessl.properties.
  10. Set the value of the SSLSpsFipsMode variable to ONLY.
  11. Restart the computer.
  12. Start the CA SiteMinder® SPS services.
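A post-migration check for steps 7 through 10, added here as an example; it is not a CA SiteMinder® SPS tool. It reads an httpd-ssl.conf, ignores commented-out lines, and confirms that SSLPassPhraseDialog is custom, SSLCustomPropertiesFile points at spsapachessl.properties and SSLSpsFipsMode is ONLY. The two sample configuration files and the /opt/CA/secure-proxy path are constructed for the demonstration.

```shell
#!/bin/sh
# Effective value of an Apache directive: the last uncommented occurrence wins.
# Quotes are stripped so paths with spaces (Windows style) still compare cleanly.
directive_value() {
    # $1 = configuration file, $2 = directive name
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }                          # commented-out line
        $1 == d {
            v = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v)  # drop directive name
            gsub(/"/, "", v); sub(/[[:space:]]+$/, "", v)         # drop quotes, trailing blanks
        }
        END { print v }
    ' "$1"
}

# Returns 0 when the file carries the three FIPS ONLY settings, 1 otherwise.
check_fips_only_ssl_conf() {
    conf="$1"; rc=0
    [ "$(directive_value "$conf" SSLPassPhraseDialog)" = "custom" ] \
        || { echo "SSLPassPhraseDialog is not custom"; rc=1; }
    case "$(directive_value "$conf" SSLCustomPropertiesFile)" in
        *spsapachessl.properties) ;;
        *) echo "SSLCustomPropertiesFile does not point to spsapachessl.properties"; rc=1 ;;
    esac
    [ "$(directive_value "$conf" SSLSpsFipsMode)" = "ONLY" ] \
        || { echo "SSLSpsFipsMode is not ONLY"; rc=1; }
    return $rc
}

# Constructed sample: httpd-ssl.conf before the migration (properties line still commented).
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
SSLPassPhraseDialog  builtin
#SSLCustomPropertiesFile "<sps_home>/Tomcat/properties/spsssl.properties"
EOF

# Constructed sample: the same file after steps 7-10 (sps_home assumed to be /opt/CA/secure-proxy).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
SSLPassPhraseDialog  custom
SSLCustomPropertiesFile "/opt/CA/secure-proxy/httpd/conf/spsapachessl.properties"
SSLSpsFipsMode ONLY
EOF

check_fips_only_ssl_conf "$GOOD_CONF" && echo "migrated httpd-ssl.conf: OK"
check_fips_only_ssl_conf "$BAD_CONF" || echo "pre-migration httpd-ssl.conf: not ready for FIPS ONLY"
```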