CA Process Automation impact when disabling EEM FIPS
search cancel

CA Process Automation impact when disabling EEM FIPS


Article ID: 240300


Updated On:


CA Process Automation Base


We are looking to disable FIPS (from on to off) mode in EEM. However, before we do this, we would like to know what impact this will have on CA Process Automation. Does anything need to be reconfigured in CA Process Automation when FIPS is disabled in the EEM used by CA Process Automation?



Release : 4.3

Component : Process Automation


As it relates to ITPAM (Client) and EEM (Server), FIPS connections comes down to what kind of SSL connection will be negotiated between the Client and Server (SSL/TLS version, ciphers/algorithms). Once ITPAM is configured to use FIPS while connecting to EEM, it establishes SSL settings to use for the connection that are considered more secure than non FIPS (for example: stronger algorithms). 

The SSL settings can still be used even after changing EEM from FIPS on to FIPS off. As long as the configuration, on the EEM Server side, are not changed in a way that interrupts clients trying to connect using those settings then it is no problem. 

So, technically, after changing EEM from FIPS yes to FIPS no you can:

  • Opt to leave ITPAM alone as long as you're not changing any of the SSL connection settings used by the SDK (which is separate from the 5250 settings we changed to use custom certificates when browsing the UI). 
  • Reconfigure ITPAM to not use FIPS when connecting to EEM. Running the ITPAM installation is necessary to reconfigure it. For EEM settings you need to tell the ITPAM installation to "Reinstall". Then, when it gets to the EEM Security Settings screen:
    • Deselect the "Use FIPS-Compliant Certificate
    • Provide an EEM Certificate Password
    • Select/Check the "Register Application with CA EEM" option.
    • Provide the eiamadmin user/pass info.
    • When prompted to upgrade, select Yes. It will likely return saying "Upgrade not required".
    • Then click the "Test EEM Settings" to make sure you can connect with your pamadmin user/pass.