FIPS-Only question in Policy Server with Password blob and User Store
Article ID: 134693

Products

CA Single Sign On Agents (SiteMinder), SITEMINDER, CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

The FIPS documentation (1) contains the following note about the Password Blob:

  "Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history."

Once FIPS-Only is set:

 

  • What happens to the user Password Blob, can the Policy Server still read it?
  • Does it require we wipe out the blobs?

Resolution

 

An SSO environment set to FIPS-only mode cannot communicate directly with a FIPS–compatibility environment, because the two modes use different cryptographic libraries. An intermediate step, FIPS–migration mode, is required, as explained in the documentation (1).

The following comes from this section of the documentation (2):

Migrating your environment to use only FIPS-compliant algorithms is comprised of two stages.

  1.  Re-encrypt existing sensitive data—In stage one, you configure the environment to operate in FIPS–migration mode. FIPS–migration mode lets you transition an existing environment running in FIPS–compatibility mode to FIPS–only mode. In FIPS–migration mode, the environment continues to use existing CA Single Sign-On encryption algorithms as you re–encrypt existing sensitive data using FIPS-compliant algorithms.
  2. Configure FIPS–only mode—In stage two you configure your environment to operate in FIPS–only mode. In FIPS–only mode, the environment only uses FIPS–compliant algorithms to encrypt sensitive data.

 Important! An environment that is running in FIPS–only mode cannot interoperate with and is not backward compatible to versions of CA Single Sign-On before 12.x, including:
 
 - All agents
 - Custom software using older versions of the Agent API
 - Custom software using PM APIs or any other API that the Policy Server exposes

 Re-link all such software with the 12.x versions of the respective SDKs to achieve the required support for FIPS–only mode.

The content in this section describes how to migrate your environment to use only FIPS-compliant algorithms. Use the Table of Contents to access the content.

If an existing Policy Server is running in FIPS–compatibility mode and FIPS-only mode is required, the documentation quoted above applies to that situation.

   "Sensitive data stored in a policy store or policy and key stores is encrypted using algorithms that are not FIPS–compliant. Re-encrypt the keys and sensitive policy store data before configuring the environment for FIPS-only mode." (3)

A Policy Server in FIPS-only mode cannot read data encrypted by a FIPS–compatibility environment, nor the Policy Store key stored in the EncryptionKey.txt file.

If the environment is not first taken through FIPS–migration mode, the Password Blobs must be wiped and the keys reset, along with any other data encrypted under the non-FIPS algorithms.
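As an added illustration that is not part of this article or of the CA documentation, the following Python model shows why stage one matters: a blob encrypted under the compatibility-mode algorithm becomes unreadable once the server runs in FIPS-only mode (the lockout the note describes), and only FIPS-migration mode, which supports both algorithms, can rewrite it in place. The mode table, the "LEGACY"/"FIPS" ciphers and the blob layout are constructed for the example and are not CA Single Sign-On's real implementation.

```python
import hashlib, hmac, os

# Constructed model of the three Policy Server modes named in the article; the
# "LEGACY"/"FIPS" ciphers are stand-ins, not CA Single Sign-On's real algorithms.
ALLOWED = {
    "FIPS-compatibility": {"LEGACY"},
    "FIPS-migration": {"LEGACY", "FIPS"},   # both usable during stage one
    "FIPS-only": {"FIPS"},
}

class LockedOut(Exception):
    """Raised when a blob cannot be read in the current mode (the user lockout)."""

def _keystream(alg, key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 counter mode, domain-separated by alg so a
    # LEGACY blob and a FIPS blob under the same key are not interchangeable.
    out, counter = b"", 0
    while len(out) < length:
        msg = alg.encode() + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_blob(alg, key, plaintext):
    nonce = os.urandom(12)
    ks = _keystream(alg, key, nonce, len(plaintext))
    return {"alg": alg, "nonce": nonce, "ct": bytes(a ^ b for a, b in zip(plaintext, ks))}

def read_blob(mode, key, blob):
    # A mode only decrypts blobs written with an algorithm it still supports.
    if blob["alg"] not in ALLOWED[mode]:
        raise LockedOut(f"{blob['alg']} blob is unreadable in {mode}")
    ks = _keystream(blob["alg"], key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def reencrypt_all(key, blobs):
    # Stage one: in FIPS-migration mode each LEGACY blob is decrypted and
    # rewritten under the FIPS algorithm; blobs already in FIPS form are kept.
    return [encrypt_blob("FIPS", key, read_blob("FIPS-migration", key, b))
            if b["alg"] == "LEGACY" else b for b in blobs]

def count_readable(mode, key, blobs):
    # How many of these users could still authenticate in the given mode.
    def ok(b):
        try:
            read_blob(mode, key, b)
            return True
        except LockedOut:
            return False
    return sum(ok(b) for b in blobs)
```

Switching straight from FIPS-compatibility to FIPS-only leaves every LEGACY blob unreadable; running `reencrypt_all` while in FIPS-migration mode first makes them all readable again in FIPS-only mode.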

 

Additional Information

 

(1) Configure FIPS-only Mode

(2) Migrate Your Environment to Use FIPS-Compliant Algorithms

(3) FIPS Migration Roadmap: Re-Encrypting Sensitive Data