Key Sizes when Policy Server is in "FIPS compatibility mode" and in "FIPS migration mode"
In FIPS-migration mode the AES key size is 128 bits. In FIPS-compatibility mode the RC2 key size is 128 bits.
The Policy Server uses several keys; the algorithm and key size of each depend on the FIPS mode:
FIPS COMPAT MODE:
Component                         Algorithm                         Key Size (bits)
Policy Store and Key Store Keys   RC2                               128
Agent Key                         RC2 with an HMAC-SHA1 digest      128
Session Ticket Key                RC2 with an HMAC-SHA1 digest      128
FIPS ONLY MODE:
Component                         Algorithm                         Key Size (bits)
Policy Store and Key Store Keys   AES                               128
Agent Key                         AES with an HMAC-SHA256 digest    128
Session Ticket Key                AES with an HMAC-SHA256 digest    128
Roll Over: Agent Key and Shared Secret rollover appears unchanged from the administrator's point of view. When the Policy Server is in FIPS-migration or FIPS-only mode, it encrypts the keys and secrets with AES and SHA-256 instead of RC2, MD5 and SHA-1.
How are the Agent and Session Ticket Keys secured during smobjexport?
The encryption, hashing and MAC algorithms required for FIPS-only mode differ from the classic SiteMinder algorithms, but the overall structure of the cryptographic protocols is preserved.
In FIPS COMPAT mode, sensitive data such as agent and session ticket keys is encrypted with RC2 in CBC mode. In FIPS ONLY mode it is encrypted with AES Key Wrap. RC2 is not a FIPS-approved algorithm, which is why FIPS-only mode cannot fall back to it; AES Key Wrap is the NIST key-wrapping mode specified in RFC 3394 and SP 800-38F.
How is the integrity of the exported Keys checked ?
All sensitive data exported by smobjexport is decrypted and then re-encrypted with the encryption key seed in EncryptionKey.txt. Because smobjexport decrypts and re-encrypts the sensitive data on every run, the encrypted values in one export differ from those in the next, even when the underlying secrets have not changed.
You cannot manually modify encrypted sensitive data and import it. If you want to use a different password, export the data with the -c option, which writes sensitive data in clear text; change the Secret Tag field, which holds the sensitive value in clear text; then re-import the edited file using the same -c option. Treat a clear-text export as a secret in its own right: restrict access to the file and delete it once the import is complete.
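The following Go program is an added illustration of the FIPS-only style protection described above (AES Key Wrap for the secret, an HMAC-SHA256 digest for integrity); it is not SiteMinder or smobjexport code and does not reproduce the real export file format. A secret is wrapped under a KEK derived from an export seed, the wrapped bytes are tagged with HMAC-SHA256, and on import the tag is verified before anything is unwrapped, so a hand-edited record is rejected. The seed-to-key derivation, the per-export random salt, the record layout and all function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

var kwIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapKey is RFC 3394 AES Key Wrap of key (multiple of 8 bytes, >= 16) under kek: six rounds over the 64-bit blocks, each mixing in t = n*j+i.
func WrapKey(kek, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil || len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("invalid KEK or key length")
	}
	n, a, r, b := len(key)/8, kwIV, append([]byte(nil), key...), [16]byte{}
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a[:])
			copy(b[8:], r[i*8:i*8+8])
			block.Encrypt(b[:], b[:])
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(b[:8])^uint64(n*j+i+1))
			copy(r[i*8:i*8+8], b[8:])
		}
	}
	return append(a[:], r...), nil
}

// UnwrapKey reverses WrapKey and fails unless the RFC 3394 IV reappears, the algorithm's own integrity check.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil || len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("invalid KEK or wrapped-key length")
	}
	n, r, a, b := len(wrapped)/8-1, append([]byte(nil), wrapped[8:]...), [8]byte{}, [16]byte{}
	copy(a[:], wrapped[:8])
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a[:])^uint64(n*j+i+1))
			copy(b[8:], r[i*8:i*8+8])
			block.Decrypt(b[:], b[:])
			copy(a[:], b[:8])
			copy(r[i*8:i*8+8], b[8:])
		}
	}
	if a != kwIV {
		return nil, errors.New("key unwrap integrity check failed")
	}
	return r, nil
}

// deriveKeys: export seed + per-export salt -> 128-bit AES KEK and a separate 128-bit HMAC key (assumed KDF, not smobjexport's).
func deriveKeys(seed, salt []byte) (kek, mk []byte) {
	k := sha256.Sum256(append(append([]byte("export:"), salt...), seed...))
	return k[:16], k[16:]
}

// ExportSecret returns hex(salt || wrapped || HMAC-SHA256(wrapped)); the fresh salt is why two exports of one secret never match.
func ExportSecret(seed, secret []byte) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	kek, mk := deriveKeys(seed, salt)
	wrapped, err := WrapKey(kek, secret)
	if err != nil {
		return "", err
	}
	h := hmac.New(sha256.New, mk)
	h.Write(wrapped)
	return hex.EncodeToString(h.Sum(append(salt, wrapped...))), nil
}

// ImportSecret checks the tag in constant time before unwrapping, so an edited record is rejected rather than importing a wrong key.
func ImportSecret(seed []byte, record string) ([]byte, error) {
	blob, err := hex.DecodeString(record)
	if err != nil || len(blob) < 16+24+32 {
		return nil, errors.New("malformed export record")
	}
	salt, wrapped, tag := blob[:16], blob[16:len(blob)-32], blob[len(blob)-32:]
	kek, mk := deriveKeys(seed, salt)
	h := hmac.New(sha256.New, mk)
	h.Write(wrapped)
	if !hmac.Equal(tag, h.Sum(nil)) {
		return nil, errors.New("HMAC-SHA256 check failed: record was modified")
	}
	return UnwrapKey(kek, wrapped)
}

func main() {
	rec, _ := ExportSecret([]byte("sample-seed"), make([]byte, 16)) // constructed seed and all-zero 128-bit key
	_, err := ImportSecret([]byte("sample-seed"), rec)
	println("round trip ok:", err == nil)
}
```

WrapKey and UnwrapKey reproduce the RFC 3394 test vector for a 128-bit KEK and 128-bit key, so the key-wrap core can be checked independently of the export format. Note the ordering on import: the HMAC is verified with hmac.Equal before any decryption happens, and even if the tag were bypassed, a modified wrapped blob would still fail the IV check inside UnwrapKey.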