Step 22. Activating support for FIPS standard over SSL secured connections

Secure Sockets Layer (SSL) is a communications protocol that provides secure communications over an open communications network (for example, the Internet).

Federal Information Processing Standard Security Requirements for Cryptographic Modules, referred to as FIPS 140-2, is a standard published by the National Institute of Standards and Technology (NIST). Organizations can require compliance with the FIPS 140-2 standard to protect sensitive or valuable data in cryptographic-based security systems.

System SSL was designed to meet the Federal Information Processing Standard - FIPS 140-2 Level 1 criteria.

System SSL can run in either "FIPS mode" or "non-FIPS mode". By default, System SSL runs in "non-FIPS mode".

HCL Workload Automation for Z uses the System SSL configuration. To run HCL Workload Automation for Z in "FIPS mode", you must enable FIPS compliance over System SSL connections.

For more information about the following topics, see :
  • How to enable FIPS compliance over System SSL connections
  • System prerequisites
  • Differences between FIPS mode and non-FIPS mode algorithm support and key sizes

Note: Algorithm support and key sizes are different when FIPS mode is set.

The HCL Workload Automation for Z communications that can implement FIPS 140-2 Level 1 standards over a secured SSL connection are:
  • Backup Controller Communication task, for communication between the controller and backup controller
    To enable FIPS 140-2 compliance for this communication, set ENABLEFIPS to YES in the BKPTOPTS initialization statement.
  • HTTP client and server and output collector, for communication with the z-centric agents
    For information about how to set up FIPS 140-2 compliance for this communication, see Enabling FIPS compliance over HCL Workload Automation for Z server SSL secured connection.
  • IP task, for communication between the controller and tracker, server, datastore, remote ISPF dialog
    To enable FIPS 140-2 compliance for this communication, set ENABLEFIPS to YES in the TCPOPTS initialization statement.

Note: Run the initialization statements before starting HCL Workload Automation for Z to ensure the use of FIPS standards over that specific SSL secured connection.

You do not need to apply FIPS compliance to all communications; you can decide which communications run in "FIPS mode" and which run in "non-FIPS mode".
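
Because FIPS mode is chosen per communication, it helps to check which statements actually carry the setting. The following Python check is an added example, not part of the product or its documentation: it scans initialization-statement text for ENABLEFIPS in BKPTOPTS and TCPOPTS. It assumes a `NAME KEYWORD(value)` statement layout with `/* */` comments, treats a missing ENABLEFIPS as not enabled, and runs on a constructed sample in which SOMEKEYWORD is a placeholder.

```python
import re

# Statements the page names as accepting ENABLEFIPS.
FIPS_STATEMENTS = ("BKPTOPTS", "TCPOPTS")

# Constructed sample; SOMEKEYWORD is a placeholder, not a real keyword.
SAMPLE_PARMS = """
/* constructed sample, not taken from a real system */
TCPOPTS  SOMEKEYWORD('value')
         ENABLEFIPS(YES)
BKPTOPTS SOMEKEYWORD('value')
         /* ENABLEFIPS(YES) */
"""

def fips_settings(parm_text):
    """Return {statement: True | False | None} for ENABLEFIPS.

    True  = ENABLEFIPS(YES) found in the statement
    False = statement present, ENABLEFIPS missing or not YES (assumed default)
    None  = statement not present in the text
    """
    # Remove /* ... */ comments so a commented-out keyword is not counted.
    text = re.sub(r"/\*.*?\*/", " ", parm_text, flags=re.S)
    result = {name: None for name in FIPS_STATEMENTS}
    current = None
    # Assumed syntax: a bare word starts a statement, WORD(value) is a keyword.
    for m in re.finditer(r"([A-Za-z][A-Za-z0-9]*)\s*(?:\(([^)]*)\))?", text):
        word, value = m.group(1).upper(), m.group(2)
        if value is None:
            current = word
            if current in result and result[current] is None:
                result[current] = False  # statement seen, keyword not yet
        elif word == "ENABLEFIPS" and current in result:
            result[current] = value.strip().strip("'\"").upper() == "YES"
    return result

if __name__ == "__main__":
    labels = {True: "FIPS mode", False: "non-FIPS mode", None: "statement not found"}
    for name, state in fips_settings(SAMPLE_PARMS).items():
        print(f"{name}: {labels[state]}")
```

In the sample, the BKPTOPTS keyword is commented out, so only the TCPOPTS communication is reported as running in FIPS mode.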

If FIPS compliance is not required by your organization, you can continue to use SSL for secure connections across your network.