Problems disabling FIPS on A2A clients

Article ID: 238877

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The A2A Example.java source includes the following comment:

 * Notes:
 * FIPS mode is enabled by default between the client application and the client daemon.
 * It can be disabled by either:
 * 1. Adding the line '<enablefips>false</enablefips>' to $CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml
 * 2. Specifying the daemon's port# and 'noFips' arguments to invoke the CSPMClient(port#, false) constructor

However, performing step 1 and restarting the A2A client (removing the client cache) appears to break the client. Calls into the client fail with a 445 error, and the client log contains errors such as:

INFO: Fri March 04 23:58:50.135 UTC 2022 KeyService::doLocalLogin. Local login not succeeded

Cause

The <enablefips> option is no longer supported in current PAM releases. This functionality was removed several years ago, but the Java sample code was not updated accordingly.

Environment

Release : 3.4-4.0.2

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Do not try to use this obsolete option. The references to <enablefips> are being removed from Example.java and should not be found in PAM A2A versions released after March 2022, starting with 4.1 and 4.0.3.
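
To find A2A clients where the obsolete option was already added, the following check can be run against a client's configuration and log. It is an added example, not code from Broadcom or the A2A client. The element name and log message are taken from this article; the `<clientconfig>` and `<setting>` elements in the sample data are constructed placeholders, since the real layout of cspm_client_config.xml is not shown here.

```python
import re
import xml.etree.ElementTree as ET

# Element name and log message come from the article; helper names are this example's.
OBSOLETE_TAG = "enablefips"
SYMPTOM = "KeyService::doLocalLogin. Local login not succeeded"
TAG_RE = re.compile(r"<\s*enablefips\s*>(.*?)<\s*/\s*enablefips\s*>", re.I | re.S)

# Constructed inputs: <clientconfig> and <setting> are placeholder element names.
SAMPLE_OK = "<clientconfig><setting>x</setting></clientconfig>"
SAMPLE_BAD = ("<clientconfig><setting>x</setting>"
              "<enablefips>false</enablefips></clientconfig>")
# The line pasted after the root element, which leaves the file malformed.
SAMPLE_MALFORMED = SAMPLE_OK + "\n<enablefips>false</enablefips>\n"
# Log line as quoted in the article.
SAMPLE_LOG = [
    "INFO: Fri March 04 23:58:50.135 UTC 2022 KeyService::doLocalLogin. "
    "Local login not succeeded",
]


def find_enablefips(config_text):
    """Return the value of every <enablefips> element in the config text."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        # Malformed XML: fall back to a textual search so the entry is still found.
        return [value.strip() for value in TAG_RE.findall(config_text)]
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.lower() == OBSOLETE_TAG]


def count_symptom(log_lines):
    """Count client log lines that carry the local-login failure message."""
    return sum(1 for line in log_lines if SYMPTOM in line)


def audit(config_text, log_lines=()):
    """Return human-readable findings for one client's config and log."""
    findings = [f"obsolete <enablefips>{value}</enablefips> found: remove the line"
                for value in find_enablefips(config_text)]
    hits = count_symptom(log_lines)
    if hits:
        findings.append(f"{hits} log line(s) with '{SYMPTOM}'")
    return findings


if __name__ == "__main__":
    for name, cfg in [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD),
                      ("malformed", SAMPLE_MALFORMED)]:
        print(name, audit(cfg, SAMPLE_LOG))
```

In practice, pass `audit()` the contents of $CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml and the lines of the client log.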