CA Process Automation impact when disabling EEM FIPS

Article ID: 240300

Updated On:

Products

CA Process Automation Base

Issue/Introduction

We are looking to disable FIPS (from on to off) mode in EEM. However, before we do this, we would like to know what impact this will have on CA Process Automation. Does anything need to be reconfigured in CA Process Automation when FIPS is disabled in the EEM used by CA Process Automation?

 

Environment

Release : 4.3

Component : Process Automation

Resolution

As it relates to ITPAM (client) and EEM (server), a FIPS connection comes down to what kind of SSL connection is negotiated between the client and server (SSL/TLS version, ciphers/algorithms). Once ITPAM is configured to use FIPS when connecting to EEM, it establishes SSL settings for the connection that are considered more secure than the non-FIPS settings (for example: stronger algorithms).

Those SSL settings can still be used after changing EEM from FIPS on to FIPS off. As long as the configuration on the EEM server side is not changed in a way that interrupts clients trying to connect with those settings, there is no problem.

So, technically, after changing EEM from FIPS yes to FIPS no you can:

  • Opt to leave ITPAM alone as long as you're not changing any of the SSL connection settings used by the SDK (which is separate from the 5250 settings we changed to use custom certificates when browsing the UI). 
  • Reconfigure ITPAM to not use FIPS when connecting to EEM. Running the ITPAM installation is necessary to reconfigure it. For EEM settings you need to tell the ITPAM installation to "Reinstall". Then, when it gets to the EEM Security Settings screen:
    • Deselect the "Use FIPS-Compliant Certificate" option.
    • Provide an EEM Certificate Password
    • Select/Check the "Register Application with CA EEM" option.
    • Provide the eiamadmin user/pass info.
    • When prompted to upgrade, select Yes. It will likely return saying "Upgrade not required".
    • Then click "Test EEM Settings" to make sure you can connect with your pamadmin user/pass.