WAMUI - FIPS mode enabled : false
Article ID: 112168
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
We completed the PS and WAMUI (and Agents) to FIPS-only mode.
* smps.log shows
"[CServer.cpp:4190][INFO][sm-Server-04450] Policy Server employing only FIPS-140 cryptographic algorithms."
* agent log shows
"FIPS 140 Cryptographic Mode is 'full-FIPS'."
* WAMUI server.log shows
WARN [ims.default] (MSC service thread 1-5) ** FIPS mode enabled : false" We also verified that we can login to WAMUI successfully and WA protects resources correctly.
Why does server.log show "** FIPS mode enabled : false" for AdminUI?
* smps.log shows
"[CServer.cpp:4190][INFO][sm-Server-04450] Policy Server employing only FIPS-140 cryptographic algorithms."
* agent log shows
"FIPS 140 Cryptographic Mode is 'full-FIPS'."
* WAMUI server.log shows
WARN [ims.default] (MSC service thread 1-5) ** FIPS mode enabled : false" We also verified that we can login to WAMUI successfully and WA protects resources correctly.
Why does server.log show "** FIPS mode enabled : false" for AdminUI?
FIPS Modes - Policy Server:
- COMPAT - Communications in Non-Fips Mode or FIPS Mode. New connections will be attempted in Non-FIPS Mode first. Encryption to Policy Store or User Store will be written with Non-FIPS Algorithms.
- Migrate - Communications in Non-Fips mode or FIPS Mode. New connections will be attempted in FIPS Mode first. Encryption to Policy Store or User Store will be written with FIPS Algorithms.
- FIPS Only - Communications will only be done with FIPS Algorithms. Encryption to Policy Store or User Store will be written with FIPS Algorithms.
FIPS Modes - Agent and AdminUI:
- Non-FIPS - Communications in Non-Fips Mode. Connections/encryption will only be attempted in Non-FIPS Mode.
- FIPS Only - Communications will only be done Fips Mode. Connections/encryption will only be attempted in FIPS Mode.
Environment
Release:
Component: SMPLC
Component: SMPLC
Resolution
WAMUI set MIGRATE mode to communicate with Policy Server on both FIPS& non-FIPS mode. By default, ra.xml shows FIPSMode as false unless Policy Server set FIPS Only mode and you want to set FIPS Only Mode.
You can check C:\Program Files\CA\siteminder\adminui\standalone\data\siteminder\*.conf file for detail. We found useful community article discussed about FIPS mode which might help you with more detail.
To enforce WAMUI from Migrate mode to FIPS-Only mode, set below property to true.
C:\Program Files\CA\siteminder\adminui\standalone\deployments\iam_siteminder.ear\policyserver.rar\META-INF\ra.xml
<config-property>
<config-property-name>FIPSMode</config-property-name>
<config-property-type>java.lang.String</config-property-type>
<config-property-value>true</config-property-value>
</config-property>
After restart service, the changed message can be found from server.log.
server.log will show FIPS mode enabled : true.
You can check C:\Program Files\CA\siteminder\adminui\standalone\data\siteminder\*.conf file for detail. We found useful community article discussed about FIPS mode which might help you with more detail.
To enforce WAMUI from Migrate mode to FIPS-Only mode, set below property to true.
C:\Program Files\CA\siteminder\adminui\standalone\deployments\iam_siteminder.ear\policyserver.rar\META-INF\ra.xml
<config-property>
<config-property-name>FIPSMode</config-property-name>
<config-property-type>java.lang.String</config-property-type>
<config-property-value>true</config-property-value>
</config-property>
After restart service, the changed message can be found from server.log.
server.log will show FIPS mode enabled : true.
Attachments
Feedback
Yes
No
Powered by
