Using FIPS-Compliant Algorithms

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140–2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). These libraries provide a FIPS mode of operation when a  environment only uses FIPS–compliant algorithms to encrypt sensitive data. A  environment can operate in one of the following FIPS modes of operation:
sm1252sp1
The Policy Server uses certified Federal Information Processing Standard (FIPS) 140–2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). These libraries provide a FIPS mode of operation when a 
CA Single Sign-On
 environment only uses FIPS–compliant algorithms to encrypt sensitive data. A 
CA Single Sign-On
 environment can operate in one of the following FIPS modes of operation:
  • FIPS–compatibility
  • FIPS–migration
  • FIPS–only
By default, an environment that is upgraded to 12.52 SP1 is operating in FIPS–compatibility mode. In FIPS–compatibility mode, the environment uses algorithms existing in previous versions of 
CA Single Sign-On
 to encrypt sensitive data and is compatible with previous versions 
CA Single Sign-On
. If your organization does not require the use of FIPS–compliant algorithms, the environment can operate in FIPS–compatibility mode without further configuration.
Migrating your environment to use only FIPS–compliant algorithms is comprised of two stages.
  1. Re-encrypt existing sensitive data
    —In stage one, you configure the environment to operate in FIPS–migration mode. FIPS–migration mode lets you transition an existing environment running in FIPS–compatibility mode to FIPS–only mode. In FIPS–migration mode, the environment continues to use existing 
    CA Single Sign-On
     encryption algorithms as you re–encrypt existing sensitive data using FIPS-compliant algorithms.
  2. Configure FIPS–only mode
    —In stage two you configure your environment to operate in FIPS–only mode. In FIPS–only mode, the environment only uses FIPS–compliant algorithms to encrypt sensitive data.
    An environment that is running in FIPS–only mode cannot interoperate with and is not backward compatible to versions of
    CA Single Sign-On
    before 12.x, including:
    • All agents
    • Custom software using older versions of the Agent API
    • Custom software using PM APIs or any other API that the Policy Server exposes
    Re-link all such software with the 12.x versions of the respective SDKs to achieve the required support for FIPS–only mode.
FIPS 140-2 Migration Requirements
Ensure that your environment meets the minimum requirements before migrating the environment to only use FIPS-compliant algorithms. You may want to print the following to use as a checklist:
  • Ensure that your entire 
    CA Single Sign-On
     environment, including the SDK, is upgraded.
  • If the environment contains custom agents, ensure that they are re-linked to the respective SDK.
  • Ensure that at least one Policy Server in the environment is configured to enable Agent key generation.
  • If the environment uses X.509 Client Certificate authentication schemes, ensure that the user certificates are generated using only FIPS-compliant algorithms.
  • If the Policy Servers are to connect to policy stores and/or user stores via SSL, ensure that the certificates used by the Policy Servers and the directory stores for the connection are FIPS-compliant.
This section contains the following topics: