Upgrading from a FIPS-enabled environment
About this task
To ensure FIPS compliance, all HCL Workload Automation components must be at version 10.2.5 or later, and certificates must use at least a 2K RSA key and encryption algorithms other than MD5-RSA and SHA1-RSA. FIPS is supported on all supported operating systems except IBM i.
When upgrading from an environment where FIPS is enabled, you can encounter one of the following situations:
- If certificates do not meet FIPS standards
    An error message is displayed stating that the current security configuration does not support FIPS mode and the upgrade stops. To enable FIPS in full mode, proceed to step 1.
- If certificates meet FIPS standards
    You can upgrade and maintain FIPS enabled. Proceed to step 2.
To make your environment FIPS compliant, perform the procedure described below on all components in your environment.
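Which of the two situations applies can be checked before the upgrade is started. The script below is an added example, not part of the HCL documentation: it tests the text output of `openssl x509 -noout -text` against the two certificate criteria stated above (RSA key of at least 2K, signature algorithm other than MD5-RSA or SHA1-RSA). The function name, return codes and sample texts are assumptions made for this example, and the check covers only those two criteria.

```shell
#!/bin/sh
# Added example (hypothetical helper, not an HCL tool).
# Input : output of `openssl x509 -noout -text` on stdin.
# Return: 0 = meets both criteria, 1 = fails one, 2 = cannot tell.
fips_cert_check() {
    text=$(cat)
    # The first "Signature Algorithm:" line is the one in the certificate body.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # OpenSSL 1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 prints "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    rc=0
    case "$sig" in
        md5WithRSAEncryption|sha1WithRSAEncryption)
            echo "FAIL: signature algorithm $sig (MD5-RSA and SHA1-RSA are not accepted)"
            rc=1 ;;
        "") echo "UNKNOWN: no signature algorithm found"; rc=2 ;;
        *)  echo "ok: signature algorithm $sig" ;;
    esac
    if [ "$keyalg" != "rsaEncryption" ] || [ -z "$bits" ]; then
        # The page only states a requirement for RSA keys; anything else needs review.
        echo "UNKNOWN: no RSA key size found (key algorithm: ${keyalg:-none})"
        if [ "$rc" -eq 0 ]; then rc=2; fi
    elif [ "$bits" -lt 2048 ]; then
        echo "FAIL: RSA key is $bits bits, at least 2048 required"; rc=1
    else
        echo "ok: RSA key is $bits bits"
    fi
    return "$rc"
}

# Constructed samples, trimmed to the fields the check reads (not real certificates).
WEAK_CERT_TEXT='        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
GOOD_CERT_TEXT='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

for sample in "$WEAK_CERT_TEXT" "$GOOD_CERT_TEXT"; do
    printf '%s\n' "$sample" | fips_cert_check ||
        echo "-> certificate needs attention before the upgrade"
done

# Real use (path is a placeholder):
#   openssl x509 -in /path/to/cert.pem -noout -text | fips_cert_check
```

Run the check against every certificate in the chain used by each component, since the criteria apply to all of them.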
Procedure
- If your current certificates do not meet FIPS standards, replace them with CA-signed certificates, as explained in Replacing Default SSL Certificates with CA signed Customer Certificates.
- On the master domain manager, start the upgrade procedure, as described in Upgrading from the CLI. HCL Workload Automation discovers that FIPS is enabled in the source environment and proceeds with enabling it in the target environment.
- The upgrade completes, enabling FIPS in weak mode. When in weak mode, the upgraded master domain manager can communicate with back-level components, ensuring business continuity.
- On the master domain manager, run the following command to set the environment variables:
    . ./tws_env.sh
- On the master domain manager, run the following command to verify the security status:
    secure -checksecurity
  A message similar to the following is displayed:
    FIPS configuration updated in weak mode. To enable full FIPS mode, update the master domain manager and all backup master domain managers to the current release. Then, run the secure -updatesecurity command on master domain manager.
  As stated in the message, before you set up FIPS in full mode on the master domain manager, it is necessary to upgrade all components in your environment to version 10.2.5 or later.
- Upgrade the remaining server components (backup master domain manager, dynamic domain manager, backup dynamic domain manager) if any, as described in Upgrading from the CLI.
- Upgrade the Dynamic Workload Console.
- Upgrade the agents.
- On the master domain manager, run the following command to check the encryption level of user passwords in the database and change it from 3DES to AES, if necessary:
    secure -updatesecurity
  This command also sets the useAESEncryptionAlgorithm optman option to yes. For more information about global options, see Global options - detailed description.
- On the master domain manager and backup master domain manager, run the following command to set FIPS in full mode:
    secure -fips on
  The master domain manager switches to full FIPS mode after HCL Workload Automation processes are restarted. For more information about the secure command, see Optional password encryption - secure script.
- Restart the master domain manager and backup master domain manager to make the switch to full FIPS mode effective. To avoid service interruptions, use the following command:
    switchmgr domain;newmgr
  For more information, see Switching a domain manager.
- On the Dynamic Workload Console, run the following command to set the environment variables:
    . ./dwc_env.sh
- On the Dynamic Workload Console, run the following command to set FIPS in full mode:
    secure -fips on
- On each agent, run the following command to set the environment variables:
    . ./tws_env.sh
- On each agent, run the following command to set FIPS in full mode:
    secure -fips on
- Restart all HCL Workload Automation processes on the Dynamic Workload Console and agents to make changes to FIPS configuration effective. To prevent communication problems after switching to full FIPS mode, ensure you perform a coordinated restart of the various components.