RFI: CA SSO FIPS compatibility mode

Article ID: 142438

Products

  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - AXIOMATICS POLICY SERVER
  - CA Single Sign On Agents (SiteMinder)
  - CA Single Sign On Federation (SiteMinder)
  - CA Single Sign On SOA Security Manager (SiteMinder)
  - SITEMINDER

Issue/Introduction

 

We're migrating the FIPS mode from COMPAT to MIGRATE and we'd like to
know:

  - Is there any impact on the existing Policy/Key store?
  - What do we need to consider prior to changing the FIPS
    compatibility mode in an existing working setup?
  - Do we need to perform the re-encryptions below?

    Re-encrypt Policy Store Key
    Re-encrypt Policy Store Administrator Password
    Host re-registration for all web agents
    Re-encrypt Policy and Key Store

 

Environment

Release : 12.8

Component : SITEMINDER -POLICY SERVER

Resolution

 

At first glance, according to the documentation, moving to MIGRATE mode
does require you to re-encrypt all sensitive data. Read the following
documentation page carefully before changing the mode.

  Re-Encrypt Existing Sensitive Data for FIPS Migration

    Re-encrypt a Policy Store Key
    Re-Encrypt the Policy Store Administrator Password
    Re-encrypt the Super User Password
    Set an Agent to FIPS-Migration Mode
    Re-encrypt Client Shared Secrets
    Re-encrypt Policy and Key Store Data
    Verify that Password Blobs are Re-encrypted

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/upgrading/migrate-your-environment-to-use-fips-compliant-algorithms/re-encrypt-existing-sensitive-data-for-fips-migration.html