FIPS 140 mode is disabled after installation of any product. You can enable FIPS 140 on a clean installation or on an upgrade, and before the broker is started.

Prerequisites

Installation of any Domain Manager product.

Procedure

  1. Back up the imk.dat, brokerConnect.conf, serverConnect.conf, and clientConnect.conf files from the existing installation.
    These files are located in the <BASEDIR>/smarts/local/conf directory.
    Note: The backup is necessary in case you need to disable FIPS 140 mode and remove FIPS 140-2 encryption.
  2. Run the following command at the command line prompt: sm_rebond --upgrade --basedir=/opt/InCharge/<product>/smarts
    The path must be set to the default install path.
    Note: Invoke the sm_rebond command from the BASEDIR where the software is installed, not from any other product installation area that may also contain the sm_rebond utility, regardless of the FIPS 140 state.
  3. When prompted, type Not a secret as the password phrase to regenerate the imk.dat file.
  4. Download and install the Java 8 Unlimited Strength Jurisdiction Policy JAR files. These JAR files are required for the FIPS 140 mode for the console, web server, and anything else using Java. The policy files used with earlier releases will not work.
    Note: Manual download of the Java 8 Unlimited Strength Jurisdiction Policy JAR files local_policy.jar and US_export_policy.jar is not required for anything in the 9.4.x release, including the FIPS 140 mode for the console or web server. This manual step is needed only for deployments that use NAS discovery in the IP domain manager. For more details, refer to the NAS chapter in the installation guide. The policy files used with earlier releases will not work.
  5. Set SM_FIPS140=TRUE in the runcmd_env.sh file located in the <BASEDIR>/smarts/local/conf directory.
    Note: If you install the server as a service on Linux platforms, the services will start automatically after you issue the sm_rebond command. First stop the services, modify SM_FIPS140=TRUE in the runcmd_env.sh file, and then manually start the services.
  6. After you enable FIPS 140 mode, start the Broker, and then the server.
    The following message may appear in the server log: "CI-W-NOCGSS-No certificate loaded for <Domain Managers product>, generating self-signed certificate".
    Note: FIPS 140 requires secure communication, which is achieved with SSL, so a certificate is required. If no certificate is available, the <Domain Managers product> generates a self-signed certificate.
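The file-level parts of the procedure above (step 1's backup, step 5's SM_FIPS140 setting, and a check that the setting took) can be scripted so they are repeatable and so the backup that is needed to back out FIPS 140 mode is never skipped. The script below is an added example, not part of the product documentation or the product's own tooling. It assumes the <BASEDIR>/smarts/local/conf layout stated on the page, that runcmd_env.sh holds plain NAME=VALUE shell assignments (an assumption about that file's format), and that sm_rebond lives under <BASEDIR>/smarts/bin (also an assumption). The interactive sm_rebond step (steps 2 and 3) is wrapped only so that it is run from the product's own BASEDIR with the flags the procedure gives; it still prompts for the password phrase.

```shell
#!/bin/sh
# Added example (not from the product documentation): scripts the file-level
# steps of enabling FIPS 140 mode on a Domain Manager installation.
# Assumptions: conf files live in <BASEDIR>/smarts/local/conf (as on the page);
# runcmd_env.sh holds plain NAME=VALUE lines; sm_rebond is in <BASEDIR>/smarts/bin.

CONF_FILES="imk.dat brokerConnect.conf serverConnect.conf clientConnect.conf"

# Step 1: copy the four files to a backup directory, failing if any is missing
# so that FIPS 140 mode can later be disabled and the originals restored.
backup_conf_files() {
  basedir="$1"; backupdir="$2"
  confdir="$basedir/smarts/local/conf"
  mkdir -p "$backupdir" || return 1
  for f in $CONF_FILES; do
    [ -f "$confdir/$f" ] || { echo "missing $confdir/$f" >&2; return 1; }
    cp -p "$confdir/$f" "$backupdir/$f" || return 1
  done
  return 0
}

# Steps 2-3: run sm_rebond from this product's own BASEDIR with the flags the
# procedure gives. It is interactive (prompts for the password phrase), so it is
# only wrapped here, not automated.
run_rebond() {
  basedir="$1"
  bindir="$basedir/smarts/bin"   # assumed location of the utility
  [ -x "$bindir/sm_rebond" ] || { echo "sm_rebond not found in $bindir" >&2; return 1; }
  (cd "$bindir" && ./sm_rebond --upgrade --basedir="$basedir/smarts")
}

# Step 5: set SM_FIPS140=TRUE in runcmd_env.sh idempotently. An existing
# assignment (even a commented-out one) is rewritten; otherwise one is appended.
set_fips_mode() {
  envfile="$1/smarts/local/conf/runcmd_env.sh"
  [ -f "$envfile" ] || { echo "missing $envfile" >&2; return 1; }
  if grep -q '^[# ]*SM_FIPS140=' "$envfile"; then
    tmp="$envfile.tmp.$$"
    sed 's/^[# ]*SM_FIPS140=.*/SM_FIPS140=TRUE/' "$envfile" > "$tmp" && mv "$tmp" "$envfile"
  else
    printf '%s\n' 'SM_FIPS140=TRUE' >> "$envfile"
  fi
}

# Check: exactly one active (uncommented) SM_FIPS140 assignment, and it is TRUE.
# Use this before starting the Broker and the server (step 6).
fips_mode_enabled() {
  envfile="$1/smarts/local/conf/runcmd_env.sh"
  [ "$(grep -c '^SM_FIPS140=' "$envfile" 2>/dev/null)" = "1" ] &&
    grep -q '^SM_FIPS140=TRUE$' "$envfile"
}

# Usage (BASEDIR is the /opt/InCharge/<product> level, as in the page's paths):
#   backup_conf_files /opt/InCharge/<product> /var/tmp/smarts-conf-backup
#   run_rebond /opt/InCharge/<product>
#   set_fips_mode /opt/InCharge/<product> && fips_mode_enabled /opt/InCharge/<product>
```

Stop any Linux services first, as the note under step 5 says, because sm_rebond restarts them and they would otherwise come up before SM_FIPS140=TRUE is in place; run the check function before starting the Broker and the server manually.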