Hi Vishal,
To move to MIGRATE mode, carefully read the following documentation
page. You do indeed need to re-encrypt all sensitive data.
Re-Encrypt Existing Sensitive Data for FIPS Migration:
- Re-encrypt a Policy Store Key
- Re-Encrypt the Policy Store Administrator Password
- Re-encrypt the Super User Password
- Set an Agent to FIPS-Migration Mode
- Re-encrypt Client Shared Secrets
- Re-encrypt Policy and Key Store Data
- Verify that Password Blobs are Re-encrypted
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/upgrading/migrate-your-environment-to-use-fips-compliant-algorithms/re-encrypt-existing-sensitive-data-for-fips-migration.html
I hope this helps,
Best Regards,
Patrick
Original Message:
Sent: 12-16-2019 05:14 AM
From: Vishal K
Subject: Changing FIPS compatibility mode from COMPAT to MIGRATE
Hi,
We're working on a SiteMinder upgrade (Parallel) project wherein we're setting up a new environment with R12.8 SP02 with data imported from R12.52 SP02.
The data migration is completed. However, we found that the existing CA SiteMinder setup (R12.52 SP02) is in FIPS compatibility mode MIGRATE and our new setup (R12.8 SP02) is using the default FIPS compatibility mode, COMPAT.
We're planning to change the CA SSO policy server R12.8 SP02 FIPS compatibility mode from COMPAT to MIGRATE.
Could you please let us know if there is any impact on the existing Policy/Key store? What do we need to consider prior to changing the FIPS compatibility mode in an existing working setup?
Do we need to perform the re-encryptions below?
- Re-encrypt Policy Store Key
- Re-encrypt Policy Store Administrator Password
- Host re-registration for all web agents
- Re-encrypt Policy and Key Store
Regards,
Vishal