Symantec Access Management

Expand all | Collapse all

CA SSO :  FIPS modes

Dhilip kumar Mari12-18-2017 12:42 AM

  • 1.  CA SSO :  FIPS modes

    Posted 12-14-2017 01:34 AM

    Hi,

     

    I have to register a new policy server connection (second connection) to an existing WAMUI, I have noticed that  existing connection (first connection) is in FIPS only mode whereas Policy Server and WebAgent is in FIPS Compatibility mode.

     

    1. I would like to know how FIPS mode differs in WAMUI and PS. Will there be any option to select FIPS mode while setting up WAMUI?
    2. Won't there be any impact because of this difference in FIPS mode?
    3. Does all the Policy Server connections need to be in same FIPS mode in WAMUI? What will be the impact if there is a difference?

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 02:08 AM

    Hi Dhilip,

     

    Could you please share the value of fipsmode

     

    <adminui_install_location>\server\default\data\siteminder\*.conf

     

    Regards,
    Leo Joseph.



  • 3.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 02:26 AM

    Hi Leo,

     

    Thanks for your quick response.

     

    It is fipsmode="MIGRATE"

     

    Regards,

    Dhilip



  • 4.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 02:33 AM

    Hi Dhilip,

     

    FIPS Compatibility Mode Setting must be consistent in both Policy Server and Web Agent.

     

    Policy Server and Web Agent cannot be configured in different FIPS Modes

     

    Refer : FIPS Compatibility Mode Setting must be consistent in both Policy Server and Web Agent. 

     

    Hope this helps.

     

    Regards,

    Leo Joseph.



  • 5.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 02:35 AM


  • 6.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 03:23 AM

    Hi Leo,

     

    Thanks for your response.

     

    As mentioned earlier, Policy Server and WebAgent are in same mode (FIPS Compatibility mode). Only the WAMUI is in different mode (MIGRATE in conf file and FIPS only in WAMUI), that's the reason for queries. Posted the same below.

     

    1. I would like to know how FIPS mode differs in WAMUI and PS. Will there be any option to select FIPS mode while setting up WAMUI?
    2. Won't there be any impact because of this difference in FIPS mode?
    3. Does all the Policy Server connections need to be in same FIPS mode in WAMUI? What will be the impact if there is a difference?

     

    Regards,

    Dhilip



  • 7.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 03:31 AM

    Hi Dhilip,

     

    Administration UI Server Dialog - CA Single Sign-On - 12.6.01 - CA Technologies Documentation 

     

    • FIPS 140-2
      Specifies if the communication between the Administrative UI and the Policy Server is performed in FIPs compatibility mode or FIPs only mode.

     

    Regards,

    Leo Joseph.



  • 8.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 03:48 AM

    Hi Leo,

     

    As mentioned earlier, I have to register a new policy server connection (second connection) to an existing WAMUI and I could see that existing connection (first connection) is in FIPS only mode (in WAMUI), that's the reason for queries.

     

    Thanks,

    Dhilip



  • 9.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 04:34 AM

    Hi Dhilip,

     

    fipsmode="MIGRATE" can talk to both FIPS Compat & FIPS ONLY. 

     

    If WAMUI is restricted to ONLY mode , you can register PS with FIPS ONLY mode , you can not register PS working COMPAT mode.

     

    Since we can register the WAMUI with multiple Policy Server.

     

    WAMUI is  kept to MIGRATE to communicate to both FIPS COMPAT & FIPS ONLY Policy Server .

     

    Regards,

    Leo Joseph.



  • 10.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 05:11 AM

    Hi Joseph,

     

    Thanks for your response. Could you please respond in line for my below queries?

     

    1. In first place, I would like to know how the value of  FIPS mode for the first connection (in WAMUI) is "FIPS only". Will there be any option to select FIPS mode while setting up WAMUI (or) is it the default value for WAMUI?
    2. How the value of fipsmode="MIGRATE" in conf file. Is it default value?
    3. Could you please let me know the FIPS mode of our WAMUI as I am not sure (because it is fipsmode="MIGRATE" in conf file and FIPS 140 Mode : FIPS only mode in WAMUI)
    4. In any case, WAMUI is not in COMPAT mode, so what will be the impact here as our Policy Server and web agent is in COMPAT mode?
    5. Assuming that WAMUI is not in FIPS only mode, does all Policy Server connections need to be in same FIPS mode in WAMUI? What will be the impact if there is a difference?

     

    Regards,

    Dhilip



  • 11.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 06:24 AM

    Hi Dhilip,

     

    I found this information.

     

    The value that is shown is describing the connection type that the UI has made and is not directly tied to the FIPS mode of the policy server.

     

    Admin UI does not have FIPS modes like Policy server does it uses what ever PS is setup.

    If Policy Server set to FIPS Only it will communicate with UI in FIPS only mode.

     

    Regards,

    Leo Joseph.



  • 12.  Re: CA SSO :  FIPS modes

    Posted 12-14-2017 07:28 AM

    Hi Joseph,

     

    Thanks for your response.

     

    But, I feel your statements conflict each other.

     

    <<

    The value that is shown is describing the connection type that the UI has made and is not directly tied to the FIPS mode of the policy server.

     

    Admin UI does not have FIPS modes like Policy server does it uses what ever PS is setup.

    >>

     

    Also, by looking at your previous response, I got few more queries in addition to the above. 

     

       6. Similar to query 1, how to control the FIPS mode of the initial connection (first connection) of WAMUI?

       7. If AdminUI does not have FIPS mode, may I know why we have to choose FIPS mode while registering a policy server connection in WAMUI?

       8. If WAMUI will use the FIPS mode of Policy server, why is it different in our set up (PS - COMPAT, WAMUI - FIPS only)? 

     

    Regards,

    Dhilip



  • 13.  Re: CA SSO :  FIPS modes

    Posted 12-15-2017 06:49 AM

    Hi all,

     

    A gentle reminder.

    Thanks.

     

    Regards,

    Dhilip



  • 14.  Re: CA SSO :  FIPS modes

    Posted 12-17-2017 05:19 PM

    Hi Dhilip,

     

    Let me start it fresh  

     

    First of all , lets us standard how the keys are encrypted with different FIPS mode settings :

    • Compat Mode - read both FIPS/Non FIPS always write non FIPS keys
    • Migration Mode - read both FIPS and non FIPS - always generate FIPS keys
    • FIPs Only Mode - only read/write FIPS keys

     

    While PS is operating in Compat Mode, it uses RC4-128 bit cipher (Session Keys) to encrypt traffic between Policy Server and Web Agent.

    While PS is operating in Migration Mode or FIPs Only Mode, it uses AES-128 bit cipher to encrypt traffic between Policy Server and Web Agent.

     

    Now, coming to your questions :

     

    I would like to know how FIPS mode differs in WAMUI and PS. Will there be any option to select FIPS mode while setting up WAMUI?

     

    Ujwol => For the initial connection from WAMUI to PS, the FIPS mode will be auto chosen based on PS FIPS mode as follows :

    If PS is FIPS ONLY -->WAMUI = FIPS ONLY

    If PS is FIPS Migrate/Compat --> WAMUI = MIGRATE

     

    There will NOT be an option to select FIPS mode while setting up WAMUI.

     

    Won't there be any impact because of this difference in FIPS mode?

     

    Ujwol => This depends on what the difference is. If you are referring to WAMUI being in MIGRATE and PS being in FIPS Compat/ONLY mode , this is fine.

    What you can not have is , WAMUI/Web agent in FIPS ONLY mode and PS in FIPS Compat mode. The reason being in this mode, the Session keys which are used to encrypt the traffic between Policy server and Web Agent is encrypted using NON FIPS complaint algorithm (due to PS being in Compat mode), which WAMUI and Agent can’t decrypt.

    Note : WAMUI is nothing but an agent.

     

    Does all the Policy Server connections need to be in same FIPS mode in WAMUI? What will be the impact if there is a difference?

    No, there is no requirement to have all the PS connection to be in the same FIPS mode as long as you follow the guide above.

     

    Regards,

    Ujwol



  • 15.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 12:32 AM

    Hi Ujwol,

     

    Thanks for providing the detailed information!!

     

    From your previous response, I understood the reason beyond fipsmode="MIGRATE" in conf file (because our PS is in COMPAT mode). I would also like to know the reason beyond "FIPS 140 Mode = FIPS only mode" in WAMUI (for the same/initial connection). Why there is a difference? What does this value represents?

     

    Regards,
    Dhilip



  • 16.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 12:34 AM

    Can you share screenshot where you saw FIPS Only for initial connection ?



  • 17.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 12:42 AM

    Hi Ujwol,

     

    PFB.

     

    Regards,

    Dhilip



  • 18.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 12:58 AM

    This almost certainly looks like a UI defect. Please open a support ticket to get this fixed.



  • 19.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 01:12 AM

    Hi Ujwol,

     

    Ok. I will so the same. But, could you please confirm if FIPS 140 Mode in console represents the FIPS mode of WAMUI (i.e WAMUI/agent not PS)?

     

    Regards,

    Dhilip



  • 20.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 01:19 AM

    Correct. That is how I expect it to work. 



  • 21.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 01:31 AM

    Thanks Ujwol for your response. But now, I have few more queries.

     

    1. I tried registering a new policy server connection in FIPS only mode. As per my understanding from your initial response, if PS is in COMPAT mode and WAMUI is in FIPS only mode, it should not work as WAMUI cannot decrypt the Session key. But, it is working, I have even tried stopping the other PS connection. Am i missing something here?
    2. In the conf file, I could see that shared secret is encrypted using AES encryption whereas our PS is in COMPAT mode. May I know the reason for this? I hope shared secret key encryption depends on PS FIPS mode (and not on WAMUI FIPS mode).

     

    Regards,

    Dhilip



  • 22.  Re: CA SSO :  FIPS modes

    Posted 12-18-2017 05:05 PM

    That's interesting Dhilip and not how I expected it to work.

     

    Could you try this and confirm :

    - STOP Policy server (with which you have FIPS mode configured from WAMUI)

    - STOP WAMUI 

    Test



  • 23.  Re: CA SSO :  FIPS modes

    Posted 12-19-2017 01:04 AM

    Hi Ujwol and odojo,

     

    Thanks for your response.

     

    Actually, I didn’t understand the exact scenario which you have asked me to test. Let me tell me our configuration and the test which I have performed.

     

    We have two linux policy servers A and B. Server A has WAMUI installed & setup whereas server B does not have WAMUI. I have registered server B as PS connection on WAMUI in FIPS only mode.

     

    So,

    • PS A and B are in COMPAT mode (verified CA_SM_PS_FIPS140 in environmental variable script of both PS)
    • Both the PS connections are in FIPS ONLY mode (verified FIPS 140 Mode in WAMUI)
    • WAMUI conf file in server A is in MIGRATE mode (verified in ..\siteminder\*.conf file)

     

    As per your comment, I have stopped PS A and then stopped WAMUI in PS A. Now, I have started only the WAMUI in PS A and could see the following lines in server.log file after startup.

     <<

    [ConnectionManagedObject] (main) Validating managed object connections...

    [ConnectionManagedObject] (main) Validating connection A

    [ConnectionManagedObject] (main) Validating connection A success.

    [ConnectionManagedObject] (main) Validating connection B

    [ConnectionManagedObject] (main) Validating connection B success.

    [ConnectionManagedObject] (main) Finished validating managed object conections.

    ..

    ..

    [ims.default] (main) ** FIPS mode enabled : false

     >>

     

    Then, I tried to connect to server B (by selecting it from server drop down of WAMUI login page) and could see the following lines in server.log.

    <<

    [com.ca.siteminder.uiagent.Connector] (http-0.0.0.0-xxxx-6) Establishing agent API connection for B

    >>

     

    Tried performing few actions in WAMUI. Able to perform successfully.

     

    Actually, now I am very confused.

    1. Why am I able to see FIPS mode as false in server.log. Is it because MIGRATE mode in conf file? If yes, then what does FIPS 140 Mode in WAMUI represents?
    2. Why AES algorithm is used in ..\siteminder\*.conf file though our PS in in COMPAT mode? Is it like that RC2 algorithm is used by PS in first level of encryption (using PS key) and WAMUI has used AES algorithm during the second level of encryption (using host key)? If yes, why AES algorithm is used as WAMUI is not in FIPS mode (as per server logs)?

     

    Regards,

    Dhilip



  • 24.  Re: CA SSO :  FIPS modes

    Posted 12-21-2017 01:51 AM

    Hi,

     

    A gentle reminder.

    Thanks.

     

    Regards,

    Dhilip



  • 25.  Re: CA SSO :  FIPS modes

    Posted 12-22-2017 02:55 AM

    A gentle reminder.



  • 26.  Re: CA SSO :  FIPS modes

    Posted 12-26-2017 12:21 AM

    Hi all,

     

    Could you please provide your feedback?

     

    Regards,

    Dhilip



  • 27.  Re: CA SSO :  FIPS modes

    Posted 12-27-2017 05:06 PM

    Hi Dhilip,

     

    1. Why am I able to see FIPS mode as false in server.log. Is it because MIGRATE mode in conf file? If yes, then what does FIPS 140 Mode in WAMUI represents?

     

    Ujwol => Correct. The WAMUI is using MIGRATE mode hence it is logging "FIPS mode enabled : false".

    The FIPS 140 mode in WAMUI should have been same as the conf file , but as you confirmed that is not the case, I asked you to create a support case to fix this defect.

     

    2. Why AES algorithm is used in ..\siteminder\*.conf file though our PS in in COMPAT mode? Is it like that RC2 algorithm is used by PS in first level of encryption (using PS key) and WAMUI has used AES algorithm during the second level of encryption (using host key)? If yes, why AES algorithm is used as WAMUI is not in FIPS mode (as per server logs)?

     

    Ujwol => 

    Because, in MIGRATE mode :

    • Migration Mode - read both FIPS and non FIPS - always generate FIPS keys

     



  • 28.  Re: CA SSO :  FIPS modes

    Posted 12-28-2017 07:31 AM

    Hi Ujwol,

     

    Thanks for your response.

     

    1) But, I guess we missed about the test you have asked me to perform. Could you please provide your feedback regarding the same?

     

    2) I have performed few tests. But, not able to understand the behavior. Could you please explain the reason for the behavior of below highlighted sections?

     

    Set up:

    • PS A and B are in COMPAT mode (verified CA_SM_PS_FIPS140)
    • Both PS connections are in FIPS ONLY mode (verified FIPS 140 Mode in WAMUI)
    • WAMUI conf file in server A is in MIGRATE mode (verified in ..\siteminder\*.conf file)

    Test Case 1:
    PS A - started
    PS B - stopped
    WAMUI - restarted
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - blank screen(in WAMUI) and error message(in logs).
    PS B - started
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - blank screen(in WAMUI) and error message(in logs).
    WAMUI - restarted
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success


    Test Case 2:
    PS A - stopped
    PS B - started
    WAMUI - restarted
    Connecting to PS A using WAMUI - blank screen(in WAMUI) and error message(in logs).
    Connecting to PS B using WAMUI - success
    PS A - started
    Connecting to PS A using WAMUI - blank screen(in WAMUI) and error message(in logs).
    Connecting to PS B using WAMUI - success
    WAMUI - restarted
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success

     

    Test Case 3:
    PS A - started
    PS B - started
    WAMUI - restarted
    Connecting to PS A - success
    Connecting to PS B - success
    PS A - stopped
    Connecting to PS A using WAMUI - blank screen(in WAMUI) and error message(in logs).
    Connecting to PS B using WAMUI - success
    PS A - started
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success
    PS B - stopped
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - blank screen(in WAMUI) and error message(in logs).
    PS B - started
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success

     

    Error message (from logs):

    INFO [com.ca.siteminder.uiagent.UIAgent] (http-0.0.0.0-XXXX-1) Agent API failure
    INFO [com.ca.siteminder.uiagent.UIAgent] (http-0.0.0.0-XXXX-1) Previous error was recoverable, retrying command
    ERROR [com.ca.siteminder.framework.xps.security.AdministratorRelationship] (http-0.0.0.0-XXXX-1) Failed to fetch administrator record for user: [XXXX] uid=XXXX,ou=XXXX,dc=XXXX,dc=XXXX
    [facility=0 severity=3 reason=0 status=8 message=Tunnel Agent failure]
    at com.ca.siteminder.uiagent.UIAgentUtil.extractWrappedException(Unknown Source)

     

    Regards,

    Dhilip



  • 29.  Re: CA SSO :  FIPS modes

    Posted 01-01-2018 05:20 PM

    Hi Dhilip,

     

    We first need to fix the mismatch of FIPS mode in Admin UI vs conf file ..That is creating all the confusion for you.

    I suggest that we open a ticket and get that fixed first. I am sure once that is fixed, that will clarify your questions but if not we can come back and look into it.

     

    I don't think it will be worthwhile making hypothesis , unless we have an underlying bug fixed first.


    Regards,

    Ujwol



  • 30.  Re: CA SSO :  FIPS modes

    Posted 01-02-2018 01:12 AM

    Hi Ujwol,

     

    Thanks for your response. Happy New Year!

     

    Created a new support ticket for resolving the mismatch of FIPS mode. Please keep this thread open so that I can take it up (directly from here) once the bug/issue is fixed.

     

    Regards,

    Dhilip



  • 31.  Re: CA SSO :  FIPS modes

    Posted 01-02-2018 01:14 AM

    Sure thanks. Happy New Year to you too.



  • 32.  Re: CA SSO :  FIPS modes

    Posted 01-31-2018 02:02 AM

    Hi Ujwol,

     

    Just an update, I am still in contact with Support team and Engineering team regarding this. Will keep you updated.

    Thanks.

     

    Regards,

    Dhilip



  • 33.  Re: CA SSO :  FIPS modes

    Broadcom Employee
    Posted 12-18-2017 04:55 PM

    The way I understand the FIPS Modes is the following.

    FIPS Modes - Policy Server:

    • COMPAT - Communications in Non-Fips Mode or FIPS Mode. New connections will be attempted in Non-FIPS Mode first. Encryption to Policy Store or User Store will be written with Non-FIPS Algorithms.
    • Migrate - Communications in Non-Fips mode or FIPS Mode. New connections will be attempted in FIPS Mode first. Encryption to Policy Store or User Store will be written with FIPS Algorithms.
    • FIPS Only - Communications will only be done with FIPS Algorithms. Encryption to Policy Store or User Store will be written with FIPS Algorithms.

    FIPS Modes - Agent and AdminUI:

    • Non-FIPS - Communications in Non-Fips Mode. Connections/encryption will only be attempted in Non-FIPS Mode.
    • FIPS Only - Communications will only be done Fips Mode. Connections/encryption will only be attempted in FIPS Mode.