WAMUI - FIPS mode enabled : false

Document ID : KB000112168
Last Modified Date : 30/08/2018
Introduction:
We completed switching the PS and WAMUI (and Agents) to FIPS-only mode.

* smps.log shows
"[CServer.cpp:4190][INFO][sm-Server-04450] Policy Server employing only FIPS-140 cryptographic algorithms."
* agent log shows
"FIPS 140 Cryptographic Mode is 'full-FIPS'."
* WAMUI server.log shows
"WARN [ims.default] (MSC service thread 1-5) ** FIPS mode enabled : false"

We also verified that we can log in to WAMUI successfully and WA protects resources correctly.

Why does server.log show "** FIPS mode enabled : false" for AdminUI?
Background:

FIPS Modes - Policy Server:

  • COMPAT - Communications in Non-FIPS Mode or FIPS Mode. New connections will be attempted in Non-FIPS Mode first. Encryption to Policy Store or User Store will be written with Non-FIPS Algorithms.
  • Migrate - Communications in Non-FIPS Mode or FIPS Mode. New connections will be attempted in FIPS Mode first. Encryption to Policy Store or User Store will be written with FIPS Algorithms.
  • FIPS Only - Communications will only be done with FIPS Algorithms. Encryption to Policy Store or User Store will be written with FIPS Algorithms.

FIPS Modes - Agent and AdminUI:

  • Non-FIPS - Communications in Non-FIPS Mode. Connections/encryption will only be attempted in Non-FIPS Mode.
  • FIPS Only - Communications will only be done in FIPS Mode. Connections/encryption will only be attempted in FIPS Mode.
Instructions:
WAMUI is set to MIGRATE mode so that it can communicate with the Policy Server in both FIPS and non-FIPS mode. By default, ra.xml shows FIPSMode as false, unless the Policy Server is set to FIPS Only mode and you want to set FIPS Only mode.
For details, check the *.conf files in C:\Program Files\CA\siteminder\adminui\standalone\data\siteminder\. We also found a useful community article that discusses FIPS mode, which might help you with more detail.

To switch WAMUI from Migrate mode to FIPS-Only mode, set the property below to true in this file:

C:\Program Files\CA\siteminder\adminui\standalone\deployments\iam_siteminder.ear\policyserver.rar\META-INF\ra.xml

<config-property>
    <config-property-name>FIPSMode</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value>true</config-property-value>
</config-property>

After you restart the service, the changed message appears in server.log.
 
WAMUI server.log
server.log will show FIPS mode enabled : true.
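
One way to check that the ra.xml setting and the running AdminUI agree is to compare the FIPSMode property with the most recent "FIPS mode enabled" line in server.log. This is an added example, not CA code: the function names, status strings, sample log timestamps and the xmlns on the sample <connector> element are assumptions, and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples; the xmlns on <connector> is an assumption about the file.
SAMPLE_RA_XML = """<connector xmlns="http://java.sun.com/xml/ns/j2ee">
  <resourceadapter><config-property>
    <config-property-name>FIPSMode</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value>true</config-property-value>
  </config-property></resourceadapter>
</connector>"""
SAMPLE_SERVER_LOG = (
    "10:01:07 WARN [ims.default] (MSC service thread 1-5) ** FIPS mode enabled : false\n"
    "10:42:31 WARN [ims.default] (MSC service thread 1-3) ** FIPS mode enabled : true\n"
)
FIPS_LINE = re.compile(r"\*\* FIPS mode enabled : (true|false)")

def local(tag):
    """Strip an XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def ra_fips_mode(ra_xml_text):
    """FIPSMode config-property value as a bool, or None if not present."""
    for prop in ET.fromstring(ra_xml_text).iter():
        if local(prop.tag) != "config-property":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in prop}
        if fields.get("config-property-name") == "FIPSMode":
            return fields.get("config-property-value", "").lower() == "true"
    return None

def logged_fips_mode(log_text):
    """State from the last 'FIPS mode enabled' line, or None if none logged."""
    hits = FIPS_LINE.findall(log_text)
    return hits[-1] == "true" if hits else None

def audit(ra_xml_text, log_text):
    """Compare what ra.xml configures with what the running service logged."""
    configured, running = ra_fips_mode(ra_xml_text), logged_fips_mode(log_text)
    if configured is None or running is None:
        return "unknown"
    if configured != running:
        return "restart-pending" if configured else "config-drift"
    return "fips-only" if running else "fips-false"

if __name__ == "__main__":
    print(audit(SAMPLE_RA_XML, SAMPLE_SERVER_LOG))
```

A "restart-pending" result means ra.xml already has FIPSMode set to true but the service has not logged the change yet.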