Enabling FIPS 140

FIPS 140 mode is disabled after installation of any product. You can enable FIPS 140 on a clean installation or on an upgrade, but it must be done before the broker is started.
Installation of any Domain Manager product.
  1. Back up the imk.dat, brokerConnect.conf, serverConnect.conf, and clientConnect.conf files from the existing installation. These files are located in the <BASEDIR>/smarts/local/conf directory.
     The backup is necessary in case you need to disable FIPS 140 mode and remove FIPS 140-2 encryption.
  2. Run the following command at the command line prompt:
       sm_rebond --upgrade --basedir=/opt/InCharge/<product>/smarts
     The path must be set to the default install path. Invoke the sm_rebond command from the BASEDIR where the software is installed, and not from any other product installation area that may also have the sm_rebond utility, regardless of that installation's FIPS 140 state.
  3. When prompted, type Not a secret as the password phrase to regenerate the imk.dat file.
  4. Download and install the Java 8 Unlimited Strength Jurisdiction Policy JAR files. These JAR files are required for the FIPS 140 mode for the console, web server, and anything else using Java. The policy files used with earlier releases will not work.
     Manual download of the Java 8 Unlimited Strength Jurisdiction Policy JAR files local_policy.jar and US_export_policy.jar is not required for anything in the 9.4.x release, including the FIPS 140 mode for the console or web server. This manual step is needed only for deployments that use NAS discovery in the IP domain manager. For more details, refer to the NAS chapter in the installation guide.
  5. Set SM_FIPS140=TRUE in the runcmd_env.sh file located in the <BASEDIR>/smarts/local/conf directory.
     If you install the server as a service on Linux platforms, the services start automatically after you issue the sm_rebond command. First stop the services, set SM_FIPS140=TRUE in the runcmd_env.sh file, and then manually start the services.
  6. After you enable FIPS 140 mode, start the Broker, and then the server.
     The following message may appear in the server log:
       "CI-W-NOCGSS-No certificate loaded for <Domain Managers product>, generating self-signed certificate".
     Because FIPS 140 requires secure communication, which is provided by SSL, a certificate is required. If no certificate is available, the <Domain Managers product> generates a self-signed certificate.
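The following script is an added example, not part of the product documentation, that performs steps 1 and 5 of this procedure in a repeatable way: it copies the four files to a timestamped backup directory and sets SM_FIPS140=TRUE in runcmd_env.sh, replacing any existing SM_FIPS140 assignment so that a stale value cannot shadow the new one. The installation root is passed as the first argument (assumed to be the <BASEDIR> of the page, for example /opt/InCharge/<product>).

```shell
#!/bin/sh
# Added example (not from the product documentation).
# $1 is the installation BASEDIR (assumption: <BASEDIR> as used on this page).

# Step 1: copy imk.dat and the *Connect.conf files into a timestamped
# backup directory under local/conf. Prints the backup directory path.
# A missing file is reported on stderr rather than silently skipped.
backup_fips_files() {
    basedir="$1"
    conf="$basedir/smarts/local/conf"
    dest="$conf/pre-fips-backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" || return 1
    for f in imk.dat brokerConnect.conf serverConnect.conf clientConnect.conf; do
        if [ -f "$conf/$f" ]; then
            cp -p "$conf/$f" "$dest/$f" || return 1
        else
            echo "warning: $conf/$f not found, nothing backed up for it" >&2
        fi
    done
    echo "$dest"
}

# Step 5: set SM_FIPS140=TRUE in runcmd_env.sh. An existing SM_FIPS140=
# line is rewritten in place (so SM_FIPS140=FALSE cannot remain behind);
# otherwise the assignment is appended. Prints the number of
# SM_FIPS140=TRUE lines afterwards, which should be exactly 1.
set_fips_env() {
    envfile="$1/smarts/local/conf/runcmd_env.sh"
    [ -f "$envfile" ] || : > "$envfile"
    if grep -q '^SM_FIPS140=' "$envfile"; then
        sed -i.bak 's/^SM_FIPS140=.*/SM_FIPS140=TRUE/' "$envfile" || return 1
        rm -f "$envfile.bak"
    else
        echo 'SM_FIPS140=TRUE' >> "$envfile" || return 1
    fi
    grep -c '^SM_FIPS140=TRUE$' "$envfile"
}
```

Run both functions with the services stopped, then issue sm_rebond and restart the Broker and server as the procedure describes.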