FIPS Compliance

This article covers the following information about FIPS Compliance:
FIPS Operational Modes

Privileged Access Manager Server Control supports two FIPS operational modes:

  • FIPS-only Mode:
    • Privileged Access Manager Server Control uses only those cryptographic functions that are FIPS 140-2 compliant. This means that some Privileged Access Manager Server Control features are disabled in FIPS-only mode.
    • FIPS Encryption Libraries: Privileged Access Manager Server Control uses the CAPKI 5.2.0 (UNIX) and CAPKI 5.2.1 (Windows) encryption library. On UNIX systems, Privileged Access Manager Server Control uses the OS encryption library for password encryption (crypt method).
    • FIPS Algorithms Used: Privileged Access Manager Server Control components use the following cryptographic algorithms. Different components use different algorithms.
      • SSL (TLS 1.0, 1.1 and 1.2) - Client/server communication
      • AES in CBC mode - Encryption of the PMD update file (Windows), bidirectional password history (Windows)
      • SHA-2 - Unidirectional password encryption (Windows), Trusted Programs, policy signatures (advanced policy management)
  • Regular (Non-FIPS) Mode:
    • Privileged Access Manager Server Control uses both FIPS 140-2 cryptographic functions and non-FIPS compliant functions.
    • FIPS Encryption Libraries: Privileged Access Manager Server Control uses the CAPKI 5.2.0 (UNIX) and CAPKI 5.2.1 (Windows) encryption library in addition to the non-FIPS encryption libraries.
    • FIPS Algorithms Used: Privileged Access Manager Server Control components use the following cryptographic algorithms. Different components use different algorithms.
      • SSL (SSL V2, SSL V3, TLS 1.0, TLS 1.1, and TLS 1.2) - Client/server communication
      • SHA-1 (from CAPKI) - Used for signatures of trusted programs, signatures of policies
      • AES (from CAPKI) - Used for password validation when working with bidirectional password history

To switch between FIPS-only mode and Regular mode, configure the fips_only entry in the Crypto section of the registry.
Storage of Keys and Certificates

Privileged Access Manager Server Control stores keys and certificates as follows:

  • Symmetric keys are stored in Privileged Access Manager Server Control.
  • Certificates (subject certificate, private key, and root certificate) are stored on the file system and protected by Privileged Access Manager Server Control. Privileged Access Manager Server Control encrypts the private key using AES symmetric encryption (from the CAPKI libraries) with the Privileged Access Manager Server Control symmetric key.
Features Affected (UNIX)

The FIPS operational mode can affect the following Privileged Access Manager Server Control UNIX features:

Feature                                           | Regular (Non-FIPS) Mode                                                                                          | FIPS-Only Mode
--------------------------------------------------|------------------------------------------------------------------------------------------------------------------|----------------------------------------
PMD update file encryption                        | Default symmetric key encryption (two-way)                                                                       | Disabled
Trusted Programs                                  | CAPKI SHA-1 and MD5                                                                                              | CAPKI SHA-2 only
Bidirectional password encryption                 | Default symmetric key encryption                                                                                 | Disabled
Unidirectional password encryption                | Operating system crypt/bigcrypt method                                                                           | Operating system crypt/bigcrypt method
PMD TNG command                                   | Default symmetric key encryption                                                                                 | Disabled
Privileged Access Manager Server Control TNG daemon | Default symmetric key encryption                                                                               | Disabled
LDAP password encryption usage (sebuildla -u -n)  | Default symmetric key encryption                                                                                 | Disabled
LDAP password encryption generation (seldapcred)  | Default symmetric key encryption                                                                                 | Disabled
TCP communication                                 | Default symmetric key encryption (two-way) or CAPKI sockets over SSL V2, SSL V3, or TLS 1.0                       | CAPKI sockets over TLS 1.2
seversion utility                                 | CAPKI SHA-1                                                                                                      | CAPKI SHA-2
Trusted Programs (watchdog and seretrust)         | CAPKI SHA-1                                                                                                      | CAPKI SHA-2
Advanced policy management policy distribution    | CAPKI SHA-1 signature, and for backwards compatibility, Privileged Access Manager Server Control internal SHA-1 signature | CAPKI SHA-2 signature only
selogrd encryption                                | Default symmetric key encryption and MD5                                                                         | Disabled
sechkey key change                                | Default symmetric key encryption                                                                                 | Disabled
iRecorder log file signature                      | MD5 encryption                                                                                                   | Disabled
Report Agent                                      | Enabled                                                                                                          | Disabled
DMS                                               | Enabled                                                                                                          | UNAB endpoints management disabled
Features Affected (Windows)

The FIPS operational mode can affect the following Privileged Access Manager Server Control Windows features:

Feature                                        | Regular (Non-FIPS) Mode                                                                                          | FIPS-Only Mode
-----------------------------------------------|------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------
PMD update file encryption                     | Default symmetric key encryption (two-way)                                                                       | CAPKI AES symmetric key encryption
Password history (non-bidirectional)           | Saved as CAPKI SHA-1. Password validation with CAPKI SHA-1 and fall through to crypt                             | Saved as CAPKI SHA-2. Password validation with CAPKI SHA-2 only
Password history (bidirectional)               | Default symmetric key encryption. Password validation with default symmetric key encryption                      | CAPKI AES symmetric key encryption. Password validation with CAPKI AES only
sechkey key change, password history           | Default symmetric key encryption to decrypt and encrypt password history                                         | CAPKI AES symmetric key encryption to decrypt and encrypt password history
sechkey key change, policy model               | Default symmetric key encryption to decrypt and encrypt policy model update files                                | CAPKI AES symmetric key encryption to decrypt and encrypt policy model update files
Trusted Programs                               | CAPKI SHA-1 and MD5                                                                                              | CAPKI SHA-2 only
Mainframe password synchronization             | Enabled                                                                                                          | Disabled
iRecorder                                      | Enabled                                                                                                          | Disabled
TNG integration                                | Enabled                                                                                                          | Disabled
Advanced policy management policy distribution | CAPKI SHA-1 signature, and for backwards compatibility, Privileged Access Manager Server Control internal SHA-1 signature | CAPKI SHA-2 signature only
Report Agent                                   | Enabled                                                                                                          | Disabled
DMS                                            | Enabled                                                                                                          | UNAB endpoint management disabled
FIPS Compliance Considerations

Consider the following points:

  • When moving from non-FIPS to FIPS, the policy model cannot read old commands.
  • When moving from FIPS to non-FIPS, the policy model can read old commands.
  • For non-bidirectional password history, there is impact when the crypt in FIPS mode is used. Crypt is only for backwards compatibility.
  • For bidirectional password history, moving from non-FIPS to FIPS, Privileged Access Manager Server Control cannot decrypt old passwords.
  • Where a feature is disabled as a result of the FIPS operational mode, and a non-interactive process occurs, the relevant program does one of the following actions:
    • Prints an error message and exits
    • Writes the error message to the system log
    For example: Report Agent
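The non-bidirectional password history rows of the Windows table and the password-history considerations above can be modelled to show what a mode switch does to reuse checks. The following is an added example, not code from the product or this page; the record layout (algorithm, salt, digest), the use of a per-entry salt, and the omission of the crypt fall-through are assumptions made for illustration.

```python
import hashlib
import os

# Constructed model of the page's "Password history (non-bidirectional)" rows:
# Regular mode stores SHA-1 and validates only SHA-1 entries (the crypt
# fall-through is left out here); FIPS-only mode stores SHA-2 and validates
# only SHA-2 entries. Record layout and salting are assumptions; the product's
# actual storage format is not documented on this page.
ALG_FOR_MODE = {"regular": "sha1", "fips_only": "sha256"}
ACCEPTED_FOR_MODE = {"regular": {"sha1"}, "fips_only": {"sha256"}}


def store_history_entry(mode, password):
    """Hash a password into a history record the way the given mode stores it."""
    alg = ALG_FOR_MODE[mode]
    salt = os.urandom(8)
    digest = hashlib.new(alg, salt + password.encode()).hexdigest()
    return (alg, salt.hex(), digest)


def password_in_history(mode, password, history):
    """True if the candidate matches any entry the given mode is able to verify."""
    for alg, salt_hex, digest in history:
        if alg not in ACCEPTED_FOR_MODE[mode]:
            continue  # written by the other mode: skipped, not rejected
        candidate = hashlib.new(alg, bytes.fromhex(salt_hex) + password.encode())
        if candidate.hexdigest() == digest:
            return True
    return False


def unverifiable_after_switch(history, new_mode):
    """History entries that the target mode can no longer check against."""
    return [e for e in history if e[0] not in ACCEPTED_FOR_MODE[new_mode]]


def switch_report(history, new_mode):
    """Summarise how much of the reuse history survives a mode switch."""
    lost = unverifiable_after_switch(history, new_mode)
    return {"total": len(history), "unverifiable": len(lost),
            "coverage": (len(history) - len(lost)) / len(history) if history else 1.0}
```

A practitioner planning a move to FIPS-only mode can use switch_report to see that every SHA-1 history entry silently drops out of reuse checking until users have rotated passwords under the new mode.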