Symantec Privileged Access Management

  • 1.  settings the fips mode

    Posted Apr 07, 2020 12:57 AM
    Hello,

    product : PAMSC for Linux

    Looking through the below page, I understood that there was the FIPS mode on PIM.

    Enable SSL Encryption
    If you are changing the encryption settings on an Enterprise Management Server, also stop the Privileged Identity Manager Web Service. Change the value of the communication_mode configuration setting in the crypto section to one of the following: Specify this value if you want to enable both symmetric and SSL encryption.

    However, I was not able to find out how to set the FIPS mode on a Unix server.
    Does someone know how to set it on PIM/Linux?

    Regards,
    UCHIDA Akio


  • 2.  RE: settings the fips mode
    Best Answer

    Broadcom Employee
    Posted Apr 07, 2020 02:34 AM

    Hello    

     

    To do so, please set the following in seos.ini:

    fips_only=1

     

    This forces communication based on the LCA protocol, like policyfetcher - DH communication, to use TLSv1.2 over port 5249.

     

    Note, any setting for communication_mode in seos.ini is ignored if fips_only=1 is set.

     

    Please see also our documentation

     

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager-server-control/14-1/release-notes/fips-compliance.html

     

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager-server-control/14-1/reference/configuration-files/the-seos-ini-initialization-file/crypto.html

     

     

    Best Regards,

    Andreas
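
An added example, not part of the original post and not Broadcom's own code: a small Python audit of seos.ini-style text for the behaviour described in this answer (fips_only=1 set, and any communication_mode entry it overrides). The `[section]` / `token = value` layout with `;` comments, the sample content, and the function names are assumptions; the check does not assume which section holds fips_only.

```python
# Added example: audit seos.ini-style text for the FIPS setting discussed above.
# Assumed layout: [section] headers, "token = value" lines, ';' or '#' comments.

# Constructed sample, not a real seos.ini; "example_value" is a placeholder.
SAMPLE_SEOS_INI = """\
[crypto]
; fips_only = 0
communication_mode = example_value
fips_only = 1
"""

def parse_seos_ini(text):
    """Return {section: {token: value}}, skipping comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # a commented-out token must not count as set
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_fips(text):
    """Return (fips_enabled, findings) for one seos.ini-style file."""
    sections = parse_seos_ini(text)
    values = [t["fips_only"] for t in sections.values() if "fips_only" in t]
    enabled = "1" in values
    findings = []
    if not values:
        findings.append("fips_only is not set")
    elif not enabled:
        findings.append("fips_only is set but not to 1")
    for name, tokens in sections.items():
        # Per the answer above, communication_mode is ignored once fips_only=1.
        if enabled and "communication_mode" in tokens:
            findings.append(f"[{name}] communication_mode={tokens['communication_mode']}"
                            " is ignored because fips_only=1")
    return enabled, findings

if __name__ == "__main__":
    enabled, findings = audit_fips(SAMPLE_SEOS_INI)
    print("FIPS-only mode:", "on" if enabled else "off")
    for finding in findings:
        print(" -", finding)
```

To audit a real host, pass the contents of that host's seos.ini to `audit_fips` instead of the constructed sample.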

     






  • 3.  RE: settings the fips mode

    Posted Apr 08, 2020 12:49 AM

    Hello,

     

    Thank you for your quick response.

    I understood how to set the FIPS mode.

     

    Please accept other questions.

    One of our users has to prohibit transactions with 3DES encryption.

    Is there any way to do this other than setting FIPS mode?

     

    Also, this is just a confirmation.

    If we set FIPS mode, 3DES transactions are automatically prohibited.

    Am I right?

     

    Regards,

    UCHIDA Akio




  • 4.  RE: settings the fips mode

    Broadcom Employee
    Posted Apr 08, 2020 02:54 AM

    That is correct

     

    As mentioned before, fips_only=1 forces LCA communication to use TLSv1.2 only over port 5249

     

    Best Regards,

    Andreas

     






  • 5.  RE: settings the fips mode

    Posted Apr 13, 2020 02:55 AM

    Hi,

     

    Thank you for your kind explanation.

    The user is planning to apply the FIPS mode.

     

    Looking through the manual, we found the description below.

    -----

    FIPS Compliance Considerations

     

    Consider the following points:

    When moving from non-FIPS to FIPS, the policy model cannot read old commands.

    -----

     

    We are currently not able to grasp precisely what we have to take into consideration.

    I'm guessing that this implies there is a service impact to PMDB server(s) when they set the FIPS mode.

    Right?

    Is there any description indicating concrete steps they should follow when applying the mode?

     

    Regards.

    UCHIDA Akio




  • 6.  RE: settings the fips mode

    Posted Apr 16, 2020 10:40 PM
    Could someone kindly check this?

    Regards,
    UCHIDA Akio