FIPS 140 mode is disabled after installation of any product. You can enable FIPS 140 on a clean installation or on an upgrade, and before the broker is started.
Installation of any Smart Assurance product.
- Back up the imk.dat, brokerConnect.conf, serverConnect.conf, and clientConnect.conf files from the existing installation. These files are located in the <BASEDIR>/smarts/local/conf directory.
  Note: The backup is necessary in case you need to disable FIPS 140 mode and remove FIPS 140-2 encryption.
- Run the following command at the command line prompt:
  sm_rebond --upgrade --basedir=/opt/InCharge/<product>/smarts
  The path must be set to the default install path.
  Note: Invoke the sm_rebond command from the BASEDIR where the software is installed and not from any other product installation area which may have the sm_rebond utility, regardless of the FIPS 140 state.
- When prompted, type Not a secret as the password phrase password to regenerate the
- Download and install the Java 8 Unlimited Strength Jurisdiction Policy JAR files. These JAR files are required for the FIPS 140 mode for the console, web server, and anything else using Java. The policy files used with earlier releases will not work.
Note: Manual download of the Java 8 Unlimited Strength Jurisdiction Policy JAR files local_policy.jar and US_export_policy.jar is not required for anything in the 9.4.x release, including the FIPS 140 mode for the console or web server. This manual step is needed only for deployments that use NAS discovery in IP domain manager. For more details, refer to the NAS chapter in the installation guide. The policy files used with earlier releases will not work.
runcmd_env.sh file located in the <BASEDIR>/smarts/local/conf directory.
  Note: If you install the server as a service on Linux platforms, the services will start automatically after you issue the sm_rebond command. First stop the services, modify the runcmd_env.sh file, and then manually start the services.
- After you enable FIPS 140 mode, start the Broker, and then the server.
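The backup in the first step can be scripted so that it refuses to proceed when any of the four files is missing and records checksums to check before a later restore. This is an added example, not part of the product documentation; the function names, the backup directory layout, and the SHA256SUMS manifest are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): back up the four files named in the
# first step before sm_rebond is run. Function names, the backup directory
# and the SHA256SUMS manifest are assumptions made for this sketch.

FIPS_CONF_FILES="imk.dat brokerConnect.conf serverConnect.conf clientConnect.conf"

# backup_fips_conf <BASEDIR> <backup-dir>
# Copies each file from <BASEDIR>/smarts/local/conf, compares the copy
# byte for byte, and writes a SHA-256 manifest next to the copies.
# Returns non-zero if a file is missing or a copy differs.
backup_fips_conf() {
    basedir=$1
    dest=$2
    conf="$basedir/smarts/local/conf"

    # Check all four files first, so a partial backup is never created
    # and later mistaken for a complete one.
    for f in $FIPS_CONF_FILES; do
        [ -f "$conf/$f" ] || { echo "missing: $conf/$f" >&2; return 1; }
    done

    # Treat the files as sensitive (assumption): owner-only backup directory.
    ( umask 077 && mkdir -p "$dest" ) || return 1
    chmod 700 "$dest" || return 1

    for f in $FIPS_CONF_FILES; do
        cp -p "$conf/$f" "$dest/$f" || return 1
        cmp -s "$conf/$f" "$dest/$f" || { echo "copy differs: $f" >&2; return 1; }
    done

    # The manifest lets you confirm the backup is intact before restoring it.
    ( cd "$dest" && sha256sum $FIPS_CONF_FILES > SHA256SUMS ) || return 1
}

# verify_fips_backup <backup-dir>: re-check the manifest before a restore.
verify_fips_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Runs only when invoked as: script <BASEDIR> <backup-dir>
if [ "$#" -eq 2 ]; then
    backup_fips_conf "$1" "$2"
fi
```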
The following message may appear in the server log:
"CI-W-NOCGSS-No certificate loaded for <Smarts product>, generating self-signed certificate".
Note: Since FIPS 140 requires secure communication which can be achieved by SSL, a certificate is required. If a certificate is not available, the <Smarts product> generates a self-signed certificate.