What is FIPS mode for Privileged Access Management (PAM)? How can I tell if FIPS is in use?

Article ID: 202637

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

FIPS stands for Federal Information Processing Standards. These are U.S. government computer security standards that specify requirements for cryptographic modules.

http://en.wikipedia.org/wiki/Federal_Information_Processing_Standard


Resolution

CA Process Automation (CA PAM) now offers FIPS mode during installation. With FIPS selected, you will be in FIPS compliance.

FIPS mode is an optional feature of PAM. With PAM's FIPS mode enabled, the Cryptographic Provider is the CA Technologies C-Security Kernel, which is FIPS 140-2 validated (CMVP certificate #3043). Your PAM instance must be deployed with FIPS mode. This means that you must use a FIPS-capable AMI or OVA to deploy in those environments. You will have to download the FIPS-capable OVA from the support portal or have a FIPS-capable AMI assigned to your AWS account in the desired region. A physical appliance must be shipped with a FIPS-capable image burned on its primary SSD.

You can tell if PAM is FIPS capable by going to the Config --> Power page. On a non-FIPS instance, you will see only two buttons on this page: Start Instance and Reboot Instance. On a FIPS instance, you will see a third button. Its label changes between Activate FIPS Mode and Deactivate FIPS Mode, depending on whether FIPS is enabled.

If you need FIPS and your instance is not FIPS capable, you will have to redeploy your PAM instance with the correct OVA or AMI, or get a FIPS-capable appliance, possibly via RMA. This also means you must have purchased FIPS.

Additional Information

In the PAM Client, click "System Info" in the top right-hand corner. The "Basic Info" tab will advise if FIPS is currently being used.