When you install a 10.0.0 product, FIPS 140 is not enabled by default. You must enable FIPS 140 on a clean installation or after an upgrade, before the servers are started, by using the following procedure:

  1. Back up the imk.dat, brokerConnect.conf, serverConnect.conf and clientConnect.conf files from the existing installation. These files are located in the BASEDIR/local/conf folder.

    Note:

    The backup is necessary in case you need to disable FIPS 140 mode and remove FIPS 140-2 encryption.

  2. Run the following command at the command line prompt:

    For Multicast Manager

    UNIX

        sm_rebond --upgrade --basedir=/opt/InCharge/MCAST/smarts

    Windows

        sm_rebond --upgrade --basedir=C:\InCharge\MCAST\smarts

  3. When prompted, type a password to regenerate the imk.dat file. The default password is "Not a secret".

    Note:

    Older versions of the products (prior to 8.1) do not use a FIPS 140-2 approved encryption algorithm to protect the imk.dat file. Hence, when upgrading from a version earlier than 8.1, the imk.dat file must be regenerated in order to run in FIPS 140 mode.

  4. Download and install the Unlimited Strength Jurisdiction Policy Files using the procedure described in “Preparing Java Runtime for FIPS mode” on page 33.

  5. Set the value for the parameter SM_FIPS140 to TRUE in the runcmd_env.sh file. The file is located under the BASEDIR/smarts/local/conf directory.

    Note:

    If you installed the servers as services on Linux and Solaris platforms, the services start automatically after you issue the sm_rebond command. First stop the services, set SM_FIPS140=TRUE in the runcmd_env.sh file, and then manually start the services.

    After enabling FIPS 140 mode, when you start the broker and the SAM server, you may see the following message in the server log:

    “CI-W-NOCGSS-No certificate loaded for INCHARGE-AM, generating self-signed certificate.”

    This message is generated because FIPS 140 requires secure communication, which is achieved using SSL. If no certificate is available, the SAM Manager generates a self-signed certificate. The message is benign and does not affect functionality.
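The following script is an added example, not part of the product documentation: it automates the non-interactive parts of the procedure above (the backup in step 1 and the SM_FIPS140 setting in step 5) and reads the value back for verification. It assumes BASEDIR is the .../smarts directory passed to sm_rebond (for example /opt/InCharge/MCAST/smarts), so that the files live in BASEDIR/local/conf; the sm_rebond step prompts for the imk.dat password and is left to the operator.

```shell
#!/bin/sh
# Added example, not from the product documentation: script the non-interactive
# parts of the FIPS 140 procedure (steps 1 and 5). BASEDIR is assumed to be the
# .../smarts directory passed to sm_rebond (e.g. /opt/InCharge/MCAST/smarts),
# so the configuration files live in BASEDIR/local/conf. The sm_rebond step
# itself prompts for the imk.dat password and is left to the operator.

# Step 1: copy imk.dat and the three *Connect.conf files to a timestamped
# sibling directory. Fails (return 1) if any file is missing, so the problem
# is caught before FIPS mode is switched on and the key file is regenerated.
backup_fips_conf() {
    conf="$1/local/conf"
    backup="$1/local/conf-pre-fips-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 1
    for f in imk.dat brokerConnect.conf serverConnect.conf clientConnect.conf; do
        [ -f "$conf/$f" ] || { echo "missing $conf/$f" >&2; return 1; }
        cp -p "$conf/$f" "$backup/$f" || return 1
    done
    echo "$backup"    # print the backup location for the operator's records
}

# Step 5: set SM_FIPS140=TRUE in runcmd_env.sh. Any existing (uncommented)
# SM_FIPS140= assignment is dropped first so the file ends up with exactly one,
# which avoids a stale FALSE later in the file overriding the new value.
set_fips_flag() {
    env_file="$1/local/conf/runcmd_env.sh"
    [ -f "$env_file" ] || { echo "missing $env_file" >&2; return 1; }
    tmp="$env_file.tmp.$$"
    grep -v '^[[:space:]]*SM_FIPS140=' "$env_file" > "$tmp" || :
    echo 'SM_FIPS140=TRUE' >> "$tmp"
    mv "$tmp" "$env_file"
}

# Read back the effective value (last assignment wins when the file is sourced),
# used to verify the change before the services are started again.
get_fips_flag() {
    sed -n 's/^[[:space:]]*SM_FIPS140=//p' "$1/local/conf/runcmd_env.sh" | tail -n 1
}

# Usage: sh enable_fips_prep.sh /opt/InCharge/MCAST/smarts
# Runs only when a BASEDIR argument is given, so the functions can be sourced too.
if [ $# -eq 1 ]; then
    backup_fips_conf "$1" && set_fips_flag "$1" && echo "SM_FIPS140=$(get_fips_flag "$1")"
fi
```

Run it before sm_rebond, then run sm_rebond and restart the services as the procedure describes; the printed backup directory is what you restore from if FIPS 140 mode has to be disabled again.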