Hi Dhilip,
Let me start it fresh
First of all, let us standardise how the keys are encrypted with the different FIPS mode settings:
- Compat Mode - reads both FIPS/non-FIPS keys, always writes non-FIPS keys
- Migration Mode - reads both FIPS and non-FIPS keys, always generates FIPS keys
- FIPS Only Mode - only reads/writes FIPS keys
While the PS is operating in Compat Mode, it uses the RC4 128-bit cipher (session keys) to encrypt traffic between the Policy Server and the Web Agent.
While the PS is operating in Migration Mode or FIPS Only Mode, it uses the AES 128-bit cipher to encrypt traffic between the Policy Server and the Web Agent.
Now, coming to your questions :
I would like to know how FIPS mode differs in WAMUI and PS. Will there be any option to select FIPS mode while setting up WAMUI?
Ujwol => For the initial connection from WAMUI to the PS, the FIPS mode will be auto-chosen based on the PS FIPS mode as follows:
If PS is FIPS ONLY -->WAMUI = FIPS ONLY
If PS is FIPS Migrate/Compat --> WAMUI = MIGRATE
There will NOT be an option to select FIPS mode while setting up WAMUI.
Won't there be any impact because of this difference in FIPS mode?
Ujwol => This depends on what the difference is. If you are referring to WAMUI being in MIGRATE and the PS being in FIPS Compat/ONLY mode, this is fine.
What you cannot have is WAMUI/Web Agent in FIPS ONLY mode and the PS in FIPS Compat mode. The reason is that in this mode, the session keys used to encrypt the traffic between the Policy Server and the Web Agent are encrypted using a non-FIPS-compliant algorithm (due to the PS being in Compat mode), which WAMUI and the Agent can't decrypt.
Note : WAMUI is nothing but an agent.
Do all the Policy Server connections need to be in the same FIPS mode in WAMUI? What will be the impact if there is a difference?
No, there is no requirement for all the PS connections to be in the same FIPS mode, as long as you follow the guidance above.
Regards,
Ujwol
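As an added example that is not part of Ujwol's reply or of the product, the following Python model encodes the read/write rules and the RC4/AES mapping from the reply and derives the PS/agent compatibility matrix from them instead of hard-coding it. The "key type" abstraction, the function names and the sample checks are my own assumptions; the mode names, cipher names and the WAMUI auto-selection rule are taken from the reply. The derived result that a Compat or Migration agent can talk to any PS mode follows from the read rules above and goes slightly beyond the cases the reply spells out.

```python
"""Model of the SiteMinder FIPS mode rules given in the reply above.

Added example, not the product's own code. The mode definitions and the
RC4-128 / AES-128 mapping are from the reply; the key-type abstraction and
the function names are assumptions made for this illustration.
"""
from dataclasses import dataclass

FIPS = "FIPS"
NON_FIPS = "non-FIPS"


@dataclass(frozen=True)
class FipsMode:
    name: str
    reads: frozenset  # key types this side can read (decrypt)
    writes: str       # key type this side generates


# Per the reply: Compat reads both / writes non-FIPS; Migration reads both /
# writes FIPS; FIPS Only reads and writes FIPS only.
COMPAT = FipsMode("Compat", frozenset({FIPS, NON_FIPS}), NON_FIPS)
MIGRATION = FipsMode("Migration", frozenset({FIPS, NON_FIPS}), FIPS)
FIPS_ONLY = FipsMode("FIPS Only", frozenset({FIPS}), FIPS)
ALL_MODES = (COMPAT, MIGRATION, FIPS_ONLY)

# Session-key cipher follows from the key type the PS writes (per the reply).
SESSION_CIPHER = {NON_FIPS: "RC4-128", FIPS: "AES-128"}


def session_cipher(ps: FipsMode) -> str:
    """Cipher the Policy Server uses for PS <-> agent traffic."""
    return SESSION_CIPHER[ps.writes]


def agent_can_talk_to(agent: FipsMode, ps: FipsMode) -> bool:
    """True if the agent (WAMUI is an agent too) can read the session keys
    the PS generates, i.e. the PS's written key type is readable by the agent."""
    return ps.writes in agent.reads


def wamui_mode_for(ps: FipsMode) -> FipsMode:
    """WAMUI mode auto-chosen on initial connection, as stated in the reply:
    FIPS Only if the PS is FIPS Only, otherwise MIGRATE."""
    return FIPS_ONLY if ps == FIPS_ONLY else MIGRATION


def unsupported_pairs() -> list:
    """All (agent mode, PS mode) pairs the rules reject."""
    return [(a.name, p.name) for a in ALL_MODES for p in ALL_MODES
            if not agent_can_talk_to(a, p)]


def compatibility_matrix() -> list:
    """Rows of (agent mode, PS mode, session cipher, supported) for review."""
    return [(a.name, p.name, session_cipher(p), agent_can_talk_to(a, p))
            for a in ALL_MODES for p in ALL_MODES]


if __name__ == "__main__":
    for agent, ps, cipher, ok in compatibility_matrix():
        print(f"agent={agent:<9} ps={ps:<9} cipher={cipher:<8} "
              f"{'OK' if ok else 'NOT SUPPORTED'}")
    print("unsupported:", unsupported_pairs())
```

Running the block prints the full matrix; the only rejected pair is a FIPS Only agent against a Compat PS, because RC4-128 session keys are non-FIPS keys and FIPS Only cannot read them. The auto-selected WAMUI mode is always compatible with the PS that chose it.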