Symantec Access Management


CA SSO :  FIPS modes

Dhilip kumar Mari

Dec 18, 2017 12:42 AM

  • 1.  CA SSO :  FIPS modes

    Posted Dec 14, 2017 01:34 AM

    Hi,

     

    I have to register a new policy server connection (second connection) to an existing WAMUI. I have noticed that the existing connection (first connection) is in FIPS only mode, whereas the Policy Server and Web Agent are in FIPS Compatibility mode.

     

    1. I would like to know how the FIPS mode differs between WAMUI and PS. Will there be any option to select the FIPS mode while setting up WAMUI?
    2. Won't there be any impact because of this difference in FIPS mode?
    3. Do all the Policy Server connections need to be in the same FIPS mode in WAMUI? What will be the impact if there is a difference?

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 02:08 AM

    Hi Dhilip,

     

    Could you please share the value of fipsmode in

     

    <adminui_install_location>\server\default\data\siteminder\*.conf

     

    Regards,
    Leo Joseph.



  • 3.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 02:26 AM

    Hi Leo,

     

    Thanks for your quick response.

     

    It is fipsmode="MIGRATE"

     

    Regards,

    Dhilip



  • 4.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 02:33 AM

    Hi Dhilip,

     

    FIPS Compatibility Mode Setting must be consistent in both Policy Server and Web Agent.

     

    Policy Server and Web Agent cannot be configured in different FIPS Modes

     

    Refer : FIPS Compatibility Mode Setting must be consistent in both Policy Server and Web Agent. 

     

    Hope this helps.

     

    Regards,

    Leo Joseph.



  • 5.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 02:35 AM


  • 6.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 03:23 AM

    Hi Leo,

     

    Thanks for your response.

     

    As mentioned earlier, Policy Server and WebAgent are in the same mode (FIPS Compatibility mode). Only the WAMUI is in a different mode (MIGRATE in the conf file and FIPS only in WAMUI); that's the reason for the queries. I have posted the same below.

     

    1. I would like to know how the FIPS mode differs between WAMUI and PS. Will there be any option to select the FIPS mode while setting up WAMUI?
    2. Won't there be any impact because of this difference in FIPS mode?
    3. Do all the Policy Server connections need to be in the same FIPS mode in WAMUI? What will be the impact if there is a difference?

     

    Regards,

    Dhilip



  • 7.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 03:31 AM

    Hi Dhilip,

     

    Administration UI Server Dialog - CA Single Sign-On - 12.6.01 - CA Technologies Documentation 

     

    • FIPS 140-2
      Specifies if the communication between the Administrative UI and the Policy Server is performed in FIPS compatibility mode or FIPS only mode.

     

    Regards,

    Leo Joseph.



  • 8.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 03:48 AM

    Hi Leo,

     

    As mentioned earlier, I have to register a new policy server connection (second connection) to an existing WAMUI, and I could see that the existing connection (first connection) is in FIPS only mode (in WAMUI); that's the reason for the queries.

     

    Thanks,

    Dhilip



  • 9.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 04:34 AM

    Hi Dhilip,

     

    fipsmode="MIGRATE" can talk to both FIPS Compat and FIPS ONLY.

     

    If WAMUI is restricted to ONLY mode, you can register a PS in FIPS ONLY mode; you cannot register a PS working in COMPAT mode.

     

    Since we can register the WAMUI with multiple Policy Servers,

     

    WAMUI is kept in MIGRATE to communicate with both FIPS COMPAT and FIPS ONLY Policy Servers.

     

    Regards,

    Leo Joseph.



  • 10.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 05:11 AM

    Hi Joseph,

     

    Thanks for your response. Could you please respond in line for my below queries?

     

    1. In the first place, I would like to know how the value of FIPS mode for the first connection (in WAMUI) is "FIPS only". Will there be any option to select the FIPS mode while setting up WAMUI, or is it the default value for WAMUI?
    2. How does the value fipsmode="MIGRATE" come to be in the conf file? Is it the default value?
    3. Could you please let me know the FIPS mode of our WAMUI, as I am not sure (because it is fipsmode="MIGRATE" in the conf file and FIPS 140 Mode : FIPS only mode in WAMUI)?
    4. In any case, WAMUI is not in COMPAT mode, so what will be the impact here, as our Policy Server and web agent are in COMPAT mode?
    5. Assuming that WAMUI is not in FIPS only mode, do all Policy Server connections need to be in the same FIPS mode in WAMUI? What will be the impact if there is a difference?

     

    Regards,

    Dhilip



  • 11.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 06:24 AM

    Hi Dhilip,

     

    I found this information.

     

    The value that is shown is describing the connection type that the UI has made and is not directly tied to the FIPS mode of the policy server.

     

    Admin UI does not have FIPS modes like Policy Server does; it uses whatever the PS is set up with.

    If the Policy Server is set to FIPS Only, it will communicate with the UI in FIPS only mode.

     

    Regards,

    Leo Joseph.



  • 12.  Re: CA SSO :  FIPS modes

    Posted Dec 14, 2017 07:28 AM

    Hi Joseph,

     

    Thanks for your response.

     

    But, I feel your statements conflict each other.

     

    <<

    The value that is shown is describing the connection type that the UI has made and is not directly tied to the FIPS mode of the policy server.

     

    Admin UI does not have FIPS modes like Policy Server does; it uses whatever the PS is set up with.

    >>

     

    Also, by looking at your previous response, I have a few more queries in addition to the above.

     

       6. Similar to query 1, how do I control the FIPS mode of the initial connection (first connection) of WAMUI?

       7. If AdminUI does not have a FIPS mode, may I know why we have to choose a FIPS mode while registering a policy server connection in WAMUI?

       8. If WAMUI will use the FIPS mode of the Policy Server, why is it different in our set up (PS - COMPAT, WAMUI - FIPS only)?

     

    Regards,

    Dhilip



  • 13.  Re: CA SSO :  FIPS modes

    Posted Dec 15, 2017 06:49 AM

    Hi all,

     

    A gentle reminder.

    Thanks.

     

    Regards,

    Dhilip



  • 14.  Re: CA SSO :  FIPS modes

    Posted Dec 17, 2017 05:19 PM

    Hi Dhilip,

     

    Let me start fresh.

     

    First of all, let us standardize how the keys are encrypted under the different FIPS mode settings:

    • Compat Mode - read both FIPS/Non FIPS, always write non FIPS keys
    • Migration Mode - read both FIPS and non FIPS, always generate FIPS keys
    • FIPS Only Mode - only read/write FIPS keys

     

    While PS is operating in Compat Mode, it uses RC4-128 bit cipher (Session Keys) to encrypt traffic between Policy Server and Web Agent.

    While PS is operating in Migration Mode or FIPs Only Mode, it uses AES-128 bit cipher to encrypt traffic between Policy Server and Web Agent.

     

    Now, coming to your questions :

     

    I would like to know how the FIPS mode differs between WAMUI and PS. Will there be any option to select the FIPS mode while setting up WAMUI?

     

    Ujwol => For the initial connection from WAMUI to PS, the FIPS mode will be auto-chosen based on the PS FIPS mode as follows:

    If PS is FIPS ONLY --> WAMUI = FIPS ONLY

    If PS is FIPS Migrate/Compat --> WAMUI = MIGRATE

     

    There will NOT be an option to select the FIPS mode while setting up WAMUI.

     

    Won't there be any impact because of this difference in FIPS mode?

     

    Ujwol => This depends on what the difference is. If you are referring to WAMUI being in MIGRATE and PS being in FIPS Compat/ONLY mode, this is fine.

    What you cannot have is WAMUI/Web Agent in FIPS ONLY mode and PS in FIPS Compat mode. The reason is that in this mode, the session keys which are used to encrypt the traffic between Policy Server and Web Agent are encrypted using a NON FIPS compliant algorithm (due to PS being in Compat mode), which WAMUI and Agent can't decrypt.

    Note: WAMUI is nothing but an agent.

     

    Do all the Policy Server connections need to be in the same FIPS mode in WAMUI? What will be the impact if there is a difference?

    No, there is no requirement to have all the PS connections in the same FIPS mode, as long as you follow the guide above.

     

    Regards,

    Ujwol



  • 15.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 12:32 AM

    Hi Ujwol,

     

    Thanks for providing the detailed information!!

     

    From your previous response, I understood the reason behind fipsmode="MIGRATE" in the conf file (because our PS is in COMPAT mode). I would also like to know the reason behind "FIPS 140 Mode = FIPS only mode" in WAMUI (for the same/initial connection). Why is there a difference? What does this value represent?

     

    Regards,
    Dhilip



  • 16.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 12:34 AM

    Can you share a screenshot of where you saw FIPS Only for the initial connection?



  • 17.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 12:42 AM

    Hi Ujwol,

     

    PFB.

     

    Regards,

    Dhilip



  • 18.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 12:58 AM

    This almost certainly looks like a UI defect. Please open a support ticket to get this fixed.



  • 19.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 01:12 AM

    Hi Ujwol,

     

    Ok. I will do the same. But, could you please confirm if FIPS 140 Mode in the console represents the FIPS mode of WAMUI (i.e. WAMUI/agent, not PS)?

     

    Regards,

    Dhilip



  • 20.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 01:19 AM

    Correct. That is how I expect it to work. 



  • 21.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 01:31 AM

    Thanks Ujwol for your response. But now, I have a few more queries.

     

    1. I tried registering a new policy server connection in FIPS only mode. As per my understanding from your initial response, if PS is in COMPAT mode and WAMUI is in FIPS only mode, it should not work, as WAMUI cannot decrypt the session key. But it is working; I have even tried stopping the other PS connection. Am I missing something here?
    2. In the conf file, I could see that the shared secret is encrypted using AES encryption, whereas our PS is in COMPAT mode. May I know the reason for this? I hope shared secret key encryption depends on the PS FIPS mode (and not on the WAMUI FIPS mode).

     

    Regards,

    Dhilip



  • 22.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 05:05 PM

    That's interesting Dhilip and not how I expected it to work.

     

    Could you try this and confirm:

    - STOP Policy Server (with which you have FIPS mode configured from WAMUI)

    - STOP WAMUI

    Test



  • 23.  Re: CA SSO :  FIPS modes

    Posted Dec 19, 2017 01:04 AM

    Hi Ujwol and odojo,

     

    Thanks for your response.

     

    Actually, I didn't understand the exact scenario which you have asked me to test. Let me tell you our configuration and the test which I have performed.

     

    We have two Linux policy servers, A and B. Server A has WAMUI installed and set up, whereas server B does not have WAMUI. I have registered server B as a PS connection on WAMUI in FIPS only mode.

     

    So,

    • PS A and B are in COMPAT mode (verified CA_SM_PS_FIPS140 in the environment variable script of both PS)
    • Both the PS connections are in FIPS ONLY mode (verified FIPS 140 Mode in WAMUI)
    • WAMUI conf file in server A is in MIGRATE mode (verified in ..\siteminder\*.conf file)

     

    As per your comment, I stopped PS A and then stopped WAMUI in PS A. Then I started only the WAMUI in PS A and could see the following lines in the server.log file after startup.

     <<

    [ConnectionManagedObject] (main) Validating managed object connections...

    [ConnectionManagedObject] (main) Validating connection A

    [ConnectionManagedObject] (main) Validating connection A success.

    [ConnectionManagedObject] (main) Validating connection B

    [ConnectionManagedObject] (main) Validating connection B success.

    [ConnectionManagedObject] (main) Finished validating managed object conections.

    ..

    ..

    [ims.default] (main) ** FIPS mode enabled : false

     >>

     

    Then, I tried to connect to server B (by selecting it from the server drop-down of the WAMUI login page) and could see the following lines in server.log.

    <<

    [com.ca.siteminder.uiagent.Connector] (http-0.0.0.0-xxxx-6) Establishing agent API connection for B

    >>

     

    I tried performing a few actions in WAMUI and was able to perform them successfully.

     

    Actually, now I am very confused.

    1. Why am I able to see FIPS mode as false in server.log? Is it because of MIGRATE mode in the conf file? If yes, then what does FIPS 140 Mode in WAMUI represent?
    2. Why is the AES algorithm used in the ..\siteminder\*.conf file though our PS is in COMPAT mode? Is it that the RC2 algorithm is used by the PS in the first level of encryption (using the PS key) and WAMUI has used the AES algorithm during the second level of encryption (using the host key)? If yes, why is the AES algorithm used, as WAMUI is not in FIPS mode (as per server logs)?

     

    Regards,

    Dhilip
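
The following Python script is an added example; it is not code from this thread, from CA/Symantec, or from any participant. It cross-reads the three artifacts the thread inspects (the Policy Server environment script with CA_SM_PS_FIPS140, the Administrative UI conf with its fipsmode="..." attribute, and the WAMUI server.log lines quoted above) and applies the rule Ujwol gives in reply 14: a FIPS ONLY agent (the WAMUI is an agent) cannot talk to a COMPAT Policy Server because the session keys are wrapped with a non-FIPS algorithm, while MIGRATE on the UI side reads both key types. The layout of the env script and conf file, the connection names, and the assumption that an unset CA_SM_PS_FIPS140 means COMPAT are constructed; the checker only depends on the two tokens and the log text shown here. The ONLY-PS / non-FIPS-agent rule is inferred from the mode descriptions in the thread rather than stated verbatim, and is flagged as such in the code.

```python
import re

MODES = ("COMPAT", "MIGRATE", "ONLY")

# Constructed sample of a Policy Server environment script (Linux).
PS_ENV_SCRIPT = """\
# constructed sample; only the CA_SM_PS_FIPS140 line matters to the checker
export NETE_PS_ROOT=/opt/CA/siteminder
export CA_SM_PS_FIPS140=COMPAT
"""

# Constructed sample of the Administrative UI connection conf
# (real file: <adminui_install_location>/server/default/data/siteminder/*.conf).
ADMINUI_CONF = r"""<!-- constructed sample -->
<connection name="A" fipsmode="MIGRATE"/>
"""

# Constructed excerpt of the WAMUI server.log, shaped like the lines in the thread.
SERVER_LOG = """\
[ConnectionManagedObject] (main) Validating managed object connections...
[ConnectionManagedObject] (main) Validating connection A
[ConnectionManagedObject] (main) Validating connection A success.
[ConnectionManagedObject] (main) Validating connection B
[ConnectionManagedObject] (main) Validating connection B success.
[ims.default] (main) ** FIPS mode enabled : false
"""


def ps_mode_from_env(script: str) -> str:
    """Policy Server FIPS mode from CA_SM_PS_FIPS140 in its environment script."""
    m = re.search(r"CA_SM_PS_FIPS140=(\w+)", script)
    mode = m.group(1).upper() if m else "COMPAT"  # unset treated as COMPAT (assumption)
    if mode not in MODES:
        raise ValueError(f"unexpected CA_SM_PS_FIPS140 value: {mode}")
    return mode


def ui_mode_from_conf(conf: str) -> str:
    """Administrative UI connection mode from the fipsmode="..." attribute."""
    m = re.search(r'fipsmode="(\w+)"', conf)
    if not m:
        raise ValueError("no fipsmode attribute found in conf")
    return m.group(1).upper()


def log_fips_enabled(log: str):
    """True/False from the '** FIPS mode enabled : ...' line, None if absent."""
    m = re.search(r"FIPS mode enabled\s*:\s*(true|false)", log, re.IGNORECASE)
    return None if m is None else m.group(1).lower() == "true"


def validated_connections(log: str) -> dict:
    """Map connection name -> True if server.log reports 'Validating <name> success.'"""
    result = {}
    for m in re.finditer(r"Validating connection (\S+?)( success\.)?$", log, re.MULTILINE):
        name, ok = m.group(1), m.group(2) is not None
        result[name] = result.get(name, False) or ok
    return result


def compatible(ps_mode: str, agent_mode: str) -> bool:
    """Can an agent (WAMUI included) in agent_mode talk to a Policy Server in ps_mode?"""
    # Stated in the thread: a COMPAT PS wraps session keys with a non-FIPS (RC4)
    # algorithm, which a FIPS ONLY agent cannot decrypt.
    if agent_mode == "ONLY" and ps_mode == "COMPAT":
        return False
    # Inferred from the mode descriptions: a FIPS ONLY PS only speaks FIPS, so a
    # non-FIPS (COMPAT) agent cannot connect. MIGRATE reads both key types.
    if ps_mode == "ONLY" and agent_mode == "COMPAT":
        return False
    return True


def expected_initial_ui_mode(ps_mode: str) -> str:
    """Mode the UI auto-selects for its initial connection, per reply 14."""
    return "ONLY" if ps_mode == "ONLY" else "MIGRATE"


def check(env_script: str, conf: str, log: str) -> dict:
    """Cross-check the three artifacts and return the modes plus a list of problems."""
    ps_mode = ps_mode_from_env(env_script)
    ui_mode = ui_mode_from_conf(conf)
    fips_enabled = log_fips_enabled(log)
    problems = []
    if not compatible(ps_mode, ui_mode):
        problems.append(f"UI in {ui_mode} cannot talk to a {ps_mode} Policy Server")
    if ui_mode != expected_initial_ui_mode(ps_mode):
        problems.append(f"conf fipsmode={ui_mode}, expected "
                        f"{expected_initial_ui_mode(ps_mode)} for a {ps_mode} Policy Server")
    # Reply 27 confirms MIGRATE logs 'FIPS mode enabled : false'; ONLY should log true.
    if fips_enabled is not None and fips_enabled != (ui_mode == "ONLY"):
        problems.append(f"server.log says FIPS mode enabled={fips_enabled}, "
                        f"inconsistent with fipsmode={ui_mode}")
    failed = [n for n, ok in validated_connections(log).items() if not ok]
    if failed:
        problems.append("connections failed validation: " + ", ".join(failed))
    return {"ps_mode": ps_mode, "ui_mode": ui_mode,
            "fips_enabled": fips_enabled, "problems": problems}


if __name__ == "__main__":
    report = check(PS_ENV_SCRIPT, ADMINUI_CONF, SERVER_LOG)
    for line in report["problems"] or ["no inconsistencies found"]:
        print(line)
```

With the constructed inputs (PS COMPAT, conf MIGRATE, log "FIPS mode enabled : false") the checker reports no inconsistencies, which matches reply 27's explanation; swapping the conf to fipsmode="ONLY" against the same COMPAT server produces three findings, which is the mismatch this thread ends up sending to support.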



  • 24.  Re: CA SSO :  FIPS modes

    Posted Dec 21, 2017 01:51 AM

    Hi,

     

    A gentle reminder.

    Thanks.

     

    Regards,

    Dhilip



  • 25.  Re: CA SSO :  FIPS modes

    Posted Dec 22, 2017 02:55 AM

    A gentle reminder.



  • 26.  Re: CA SSO :  FIPS modes

    Posted Dec 26, 2017 12:21 AM

    Hi all,

     

    Could you please provide your feedback?

     

    Regards,

    Dhilip



  • 27.  Re: CA SSO :  FIPS modes

    Posted Dec 27, 2017 05:06 PM

    Hi Dhilip,

     

    1. Why am I able to see FIPS mode as false in server.log? Is it because of MIGRATE mode in the conf file? If yes, then what does FIPS 140 Mode in WAMUI represent?

     

    Ujwol => Correct. The WAMUI is using MIGRATE mode, hence it is logging "FIPS mode enabled : false".

    The FIPS 140 mode in WAMUI should have been the same as the conf file, but as you confirmed that is not the case, I asked you to create a support case to fix this defect.

     

    2. Why is the AES algorithm used in the ..\siteminder\*.conf file though our PS is in COMPAT mode? Is it that the RC2 algorithm is used by the PS in the first level of encryption (using the PS key) and WAMUI has used the AES algorithm during the second level of encryption (using the host key)? If yes, why is the AES algorithm used, as WAMUI is not in FIPS mode (as per server logs)?

     

    Ujwol => Because, in MIGRATE mode:

    • Migration Mode - read both FIPS and non FIPS, always generate FIPS keys

     



  • 28.  Re: CA SSO :  FIPS modes

    Posted Dec 28, 2017 07:31 AM

    Hi Ujwol,

     

    Thanks for your response.

     

    1) But I guess we missed the test you asked me to perform. Could you please provide your feedback regarding the same?

     

    2) I have performed a few tests, but I am not able to understand the behavior. Could you please explain the reason for the behavior in the sections highlighted below?

     

    Set up:

    • PS A and B are in COMPAT mode (verified CA_SM_PS_FIPS140)
    • Both PS connections are in FIPS ONLY mode (verified FIPS 140 Mode in WAMUI)
    • WAMUI conf file in server A is in MIGRATE mode (verified in ..\siteminder\*.conf file)

    Test Case 1:
    PS A - started
    PS B - stopped
    WAMUI - restarted
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - blank screen(in WAMUI) and error message(in logs).
    PS B - started
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - blank screen(in WAMUI) and error message(in logs).
    WAMUI - restarted
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success


    Test Case 2:
    PS A - stopped
    PS B - started
    WAMUI - restarted
    Connecting to PS A using WAMUI - blank screen(in WAMUI) and error message(in logs).
    Connecting to PS B using WAMUI - success
    PS A - started
    Connecting to PS A using WAMUI - blank screen(in WAMUI) and error message(in logs).
    Connecting to PS B using WAMUI - success
    WAMUI - restarted
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success

     

    Test Case 3:
    PS A - started
    PS B - started
    WAMUI - restarted
    Connecting to PS A - success
    Connecting to PS B - success
    PS A - stopped
    Connecting to PS A using WAMUI - blank screen(in WAMUI) and error message(in logs).
    Connecting to PS B using WAMUI - success
    PS A - started
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success
    PS B - stopped
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - blank screen(in WAMUI) and error message(in logs).
    PS B - started
    Connecting to PS A using WAMUI - success
    Connecting to PS B using WAMUI - success

     

    Error message (from logs):

    INFO [com.ca.siteminder.uiagent.UIAgent] (http-0.0.0.0-XXXX-1) Agent API failure
    INFO [com.ca.siteminder.uiagent.UIAgent] (http-0.0.0.0-XXXX-1) Previous error was recoverable, retrying command
    ERROR [com.ca.siteminder.framework.xps.security.AdministratorRelationship] (http-0.0.0.0-XXXX-1) Failed to fetch administrator record for user: [XXXX] uid=XXXX,ou=XXXX,dc=XXXX,dc=XXXX
    [facility=0 severity=3 reason=0 status=8 message=Tunnel Agent failure]
    at com.ca.siteminder.uiagent.UIAgentUtil.extractWrappedException(Unknown Source)

     

    Regards,

    Dhilip



  • 29.  Re: CA SSO :  FIPS modes

    Posted Jan 01, 2018 05:20 PM

    Hi Dhilip,

     

    We first need to fix the mismatch of FIPS mode in Admin UI vs the conf file. That is creating all the confusion for you.

    I suggest that we open a ticket and get that fixed first. I am sure once that is fixed, it will clarify your questions, but if not, we can come back and look into it.

     

    I don't think it will be worthwhile making hypotheses unless we have the underlying bug fixed first.


    Regards,

    Ujwol



  • 30.  Re: CA SSO :  FIPS modes

    Posted Jan 02, 2018 01:12 AM

    Hi Ujwol,

     

    Thanks for your response. Happy New Year!

     

    Created a new support ticket for resolving the mismatch of FIPS mode. Please keep this thread open so that I can take it up (directly from here) once the bug/issue is fixed.

     

    Regards,

    Dhilip



  • 31.  Re: CA SSO :  FIPS modes

    Posted Jan 02, 2018 01:14 AM

    Sure thanks. Happy New Year to you too.



  • 32.  Re: CA SSO :  FIPS modes

    Posted Jan 31, 2018 02:02 AM

    Hi Ujwol,

     

    Just an update, I am still in contact with Support team and Engineering team regarding this. Will keep you updated.

    Thanks.

     

    Regards,

    Dhilip



  • 33.  Re: CA SSO :  FIPS modes

    Posted Dec 18, 2017 04:55 PM

    The way I understand the FIPS Modes is the following.

    FIPS Modes - Policy Server:

    • COMPAT - Communications in Non-FIPS Mode or FIPS Mode. New connections will be attempted in Non-FIPS Mode first. Encryption to Policy Store or User Store will be written with Non-FIPS Algorithms.
    • Migrate - Communications in Non-FIPS mode or FIPS Mode. New connections will be attempted in FIPS Mode first. Encryption to Policy Store or User Store will be written with FIPS Algorithms.
    • FIPS Only - Communications will only be done with FIPS Algorithms. Encryption to Policy Store or User Store will be written with FIPS Algorithms.

    FIPS Modes - Agent and AdminUI:

    • Non-FIPS - Communications in Non-FIPS Mode. Connections/encryption will only be attempted in Non-FIPS Mode.
    • FIPS Only - Communications will only be done in FIPS Mode. Connections/encryption will only be attempted in FIPS Mode.