Problems disabling FIPS on A2A clients


Article ID: 238877


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The A2A Example.java source includes the following comment:

 * Notes:
 * FIPS mode is enabled by default between the client application and the client daemon.
 * It can be disabled by either:
 * 1. Adding the line '<enablefips>false</enablefips>' to $CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml
 * 2. Specifying the daemon's port# and 'noFips' arguments to invoke the CSPMClient(port#, false) constructor

However, performing step 1 and restarting the A2A client (removing the client cache) appears to break the client. Calls into the client fail with a 445 error, and the client log contains errors such as:

INFO: Fri March 04 23:58:50.135 UTC 2022 KeyService::doLocalLogin. Local login not succeeded

Environment

Release : 3.4-4.0.2

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

The <enablefips> option is no longer supported in current PAM releases. This functionality was removed several years ago, but the Java sample code was not updated accordingly.

Resolution

Do not try to use this obsolete option. The references to <enablefips> are being removed from Example.java and should not be found in PAM A2A versions released after March 2022, starting with 4.1 and 4.0.3.
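
An added example, not part of the original article or of the product's sample code: a small audit that flags an active <enablefips> element in a client config and counts the local-login failure quoted above in a client log. The root element name and the sample inputs are constructed, since the article does not show the real file layout.

```python
import xml.etree.ElementTree as ET

OBSOLETE_TAG = "enablefips"  # option named in the Example.java comment
LOGIN_FAILURE = "KeyService::doLocalLogin. Local login not succeeded"

# Constructed samples: the root element name and the second log line are
# assumptions, the article does not show the real file layout.
SAMPLE_CONFIG = """<clientconfig>
  <enablefips>false</enablefips>
</clientconfig>"""
SAMPLE_COMMENTED = """<clientconfig>
  <!-- <enablefips>false</enablefips> -->
</clientconfig>"""
SAMPLE_LOG = [
    "INFO: Fri March 04 23:58:50.135 UTC 2022 KeyService::doLocalLogin. "
    "Local login not succeeded",
    "INFO: constructed unrelated line",
]


def find_obsolete_fips_setting(xml_text):
    """Return the value of every active <enablefips> element in the config."""
    hits = []
    # The default parser drops XML comments, so commented-out lines are skipped.
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rsplit("}", 1)[-1].lower()  # ignore namespace and case
        if name == OBSOLETE_TAG:
            hits.append((elem.text or "").strip())
    return hits


def count_local_login_failures(log_lines):
    """Count log lines carrying the failure message quoted in the article."""
    return sum(1 for line in log_lines if LOGIN_FAILURE in line)


def diagnose(xml_text, log_lines):
    """Summarise whether the obsolete option is set and failures are logged."""
    if not find_obsolete_fips_setting(xml_text):
        return "clean"
    if count_local_login_failures(log_lines):
        return "obsolete option set, local login failing"
    return "obsolete option set"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_LOG))
```

To audit a real host, pass the contents of $CSPM_CLIENT_HOME/cspmclient/config/cspm_client_config.xml and the lines of the client log to diagnose().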