How To Verify that FIPS 140-2 is Enabled on Symantec Encryption Desktop Managed Clients

Article ID: 181404
Products

Symantec Products

Issue/Introduction


Resolution

Symantec Encryption Management Server Admins need to understand how to tell if FIPS 140-2 is enabled by policy on their managed Symantec Encryption Desktop clients.

To activate FIPS 140-2 checks, log in to the Symantec Encryption Management Server and select Activate FIPS 140-2 operational and integrity checks. This option is on the General tab of the Consumer Policy.

Once you make this selection, save the policy.


When a Windows client receives the policy update, it performs these checks at the next reboot and at each subsequent reboot, and records the result in the PGPlog.dat file.

This log is located in the C:\Users\USER\AppData\Roaming\PGP Corporation\PGP\ folder of the user's profile.

Open PGPlog.dat and search for fips. You will see one of two statuses.

On enabled clients you will see: fips-event T check 1

On disabled clients you will see: fips-event T check 0

A new entry with a timestamp is written at every boot. If the Encryption client updates policy after boot, this file is zeroed out, because the log data is passed to the Management Server.
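As an added example (not part of the original article and not Symantec's own tooling), the following Python script reads PGPlog.dat from the current user's profile and reports the status of the most recent fips-event entry, along with how many boot entries the file holds. When the file is missing (for instance on a non-Windows host) it falls back to a constructed sample log; the timestamp prefix in that sample is an assumption, and only the fips-event T check 0/1 lines follow the format described above.

```python
import os
import re
from pathlib import Path

# Status lines as described in the article: "fips-event T check 1" (enabled)
# or "fips-event T check 0" (disabled). Surrounding text varies, so match
# only on the fips-event token and the trailing 0/1.
FIPS_EVENT = re.compile(r"fips-event\s+T\s+check\s+([01])\b")


def fips_status(log_text):
    """Summarise the FIPS check entries found in PGPlog.dat text.

    Returns a dict with the status reported by the most recent entry
    ('enabled', 'disabled' or 'unknown'), the number of entries found
    (one is written per boot), and the last matching line.
    """
    entries = []
    for line in log_text.splitlines():
        match = FIPS_EVENT.search(line)
        if match:
            entries.append((line.strip(), match.group(1)))
    if not entries:
        # An empty or entry-free file is expected after the client uploads its
        # log to the Management Server; check the server's Client Log instead.
        return {"status": "unknown", "entries": 0, "last_line": None}
    last_line, flag = entries[-1]
    return {
        "status": "enabled" if flag == "1" else "disabled",
        "entries": len(entries),
        "last_line": last_line,
    }


def default_log_path():
    """PGPlog.dat path for the current user, or None when APPDATA is unset
    (for example when this is run on a non-Windows host)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "PGP Corporation" / "PGP" / "PGPlog.dat"


# Constructed sample log (assumption: the timestamp prefix is illustrative).
# Two boots: the first before FIPS policy applied, the second after.
SAMPLE_LOG = """\
2013-03-05 08:10:02 service started
2013-03-05 08:10:03 fips-event T check 0
2013-03-06 08:02:16 service started
2013-03-06 08:02:17 fips-event T check 1
"""


if __name__ == "__main__":
    path = default_log_path()
    if path is not None and path.exists():
        # .dat may contain non-UTF-8 bytes; replace rather than fail.
        text = path.read_text(encoding="utf-8", errors="replace")
        print(f"Reading {path}")
    else:
        text = SAMPLE_LOG
        print("PGPlog.dat not found; using constructed sample log")
    result = fips_status(text)
    print(f"FIPS 140-2 status: {result['status']} ({result['entries']} boot entries)")
    if result["last_line"]:
        print(f"Latest entry: {result['last_line']}")
```

The script reports the last entry rather than the first because each boot appends a new line, so the final one reflects the policy currently in force on the client; a result of unknown on a managed client usually means the file has just been zeroed out after upload, not that FIPS is off.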


To see the log data on the Encryption Management Server, log in to the SEMS, go to Reporting, choose Client Log, and search for FIPS. Change the display to Verbose to get all client FIPS data.


To verify that FIPS is enabled on a Mac client, open Encryption Desktop. Under Encryption Desktop in the top menu, select Preferences, then select Advanced. The Advanced screen shows FIPS and whether or not it is Activated. On a managed client the box is checked and the option is grayed out.


If the FIPS Integrity Check fails at startup, a PGP Alert is presented to the user stating that the FIPS 140-2 integrity check failed (err=xxxxx), and the failure is recorded in the client logs. The user clears the PGP Alert by selecting OK.

On the Encryption Management Server the error will resemble: "FIPS Event [time Tue 05 Mar 2013  04:50:05 PM PST] FIPS integrity checks enabled: failed"

The client continues to work normally until the next reboot. If the FIPS condition is not troubleshot and corrected, the user will keep seeing the PGP Alert at each boot until the Administrator resolves the issue.

For information on FIPS validation and Symantec Encryption Management Server, see article HOWTO101701.

Attachments

pgp alert.jpg
Mac FIPS.JPG