We are working to switch all our 100's of agents from COMPAT to MIGRATE mode, so that we can get to FIPS-ONLY mode.  This of course requires every agent to re-register.

Is there a way to determine a Trusted Host's mode from either in the policy server (store), or the policy server logs (or trace logs), or can it only be determined by looking at the SmHost.conf or the agent logs startup portion?

Release : 12.8x

Component : SITEMINDER -POLICY SERVER

This cannot be determined with certainty from the policy server side.  There is no direct way to view the FIPS mode of any trusted host.  You can examine the Shared Secret values for the trusted hosts in the policy store.  FIPS encrypted shared secrets will begin with {AES} while non-FIPS Shared Secret values begin with no brackets preceding the value.  You can assume if the Shared Secret is in FIPS, the Trusted Host is operating in either FIPS-Migrate mode or FIPS mode.

Also note that re-registration is not required to change FIPS mode of a Trusted Host, although re-registration is a valid method to do so.  The Trusted Host can switch FIPS mode by updating the fipsmode parameter in SmHost.conf and performing a Shared Secret rollover from the Policy Server.