Domain is not allowed to be linked to Enterprise because of incompatible FIPS modes [CMG000053]

Document ID : KB000099173
Last Modified Date : 31/05/2018
Show Technical Document Details
Issue:
When adding an ITCM Domain Manager to an Enterprise Manager, you receive the following error:
Domain is not allowed to be linked to Enterprise because of incompatible FIPS modes [CMG000053]
Environment:
Client Automation (ITCM) -- any version
Cause:
There are two FIPS operating modes for ITCM:
- FIPS-preferred (out of the box default)
- FIPS-only


The error message is indicating one of the ITCM managers is running FIPS-preferred, while the other is FIPS-only, hence this needs to be rectified before linking the DM to the EM.
Resolution:
You need to verify the FIPS settings on both the Enterprise and Domain Manager, Default Configuration Policy:

DSM Explorer --> Control Panel --> Configuration --> Configuration Policy --> Default Computer Policy --> DSM --> Common Components --> Security --> FIPS 140 Settings
User-added image

Both managers must have matching settings.

If you are unsure, unseal the policy and apply the default, out of the box settings:
Change actionSwitch FIPS mode on next restart of ITCM
FIPS 140 SettingFIPS 140 approved security functions are preferred

Important Note:
Once the Default Computer Policy is resealed, you will need to wait for the policy to apply to all registered agents, including the agent representing the Domain Manager (or Enterprise).  Only after the Manager's configuration policy is updated/refreshed with the changes, will you be able to recycle CAF, and repeat the process to link the managers.