2.3 Understanding FIPS Compliance

There are two components to AppManager FIPS compliance:

  • The FIPS-compliant algorithms that AppManager uses for security levels 1 and 2

    FIPS compliance does not affect unencrypted communications.

  • The Control Center console FIPS-only compliance flag

AppManager implements FIPS-compliant algorithms for security levels 1 and 2. These algorithms secure communication between repositories, management servers, and agents. AppManager retains non-compliant encryption algorithms for backward compatibility with earlier versions of AppManager and supports a mix of FIPS-compliant and non-FIPS-compliant components. For security levels 1 and 2, FIPS-compliant components communicate with each other using FIPS-compliant algorithms and communicate with non-FIPS-compliant components using non-FIPS-compliant encryption algorithms.

AppManager FIPS compliance is independent of operating system FIPS compliance.

The Control Center console offers an option to use only FIPS-compliant security algorithms for security levels 1 and 2. If you choose to implement this option, AppManager no longer supports a mixed security environment and any non-FIPS-compliant AppManager components are no longer available. When you enforce FIPS compliance for AppManager, the following restrictions exist:

  • QDBs, management servers, and agents that Control Center manages must use FIPS-compliant algorithms for communication. Non-FIPS-compliant AppManager components are excluded and unreachable with this option.

  • AppManager consoles are no longer able to create SQL user accounts or add QDBs using SQL authentication.

    NOTE: If the computer hosting an AppManager console enables FIPS compliance at the operating system level, SQL authentication is disabled and you must use Windows authentication to log on to the console.

Use the Security options to enable the Control Center console FIPS-only compliance flag. Any time you change this option you must restart the management servers so they will recognize the new security settings.

2.3.1 Planning for AppManager FIPS Compliance

If you plan to configure AppManager to use FIPS-compliant algorithms, consider the following:

  • SQL authentication is not FIPS-compliant under AppManager. If you plan to activate the option Use only FIPS-compliant security algorithms in your environment with security level 1 or 2, ensure that you meet the following requirements:

    • Install repositories, management servers, and agents to use Windows authentication.

    • Configure Kerberos delegation to use Windows authentication. For more information, see Microsoft article 326089 (http://support.microsoft.com/kb/326089).

  • Earlier AppManager releases are not FIPS-compliant. If you install this AppManager release into an existing AppManager environment and enable the Control Center option Use only FIPS-compliant security algorithms with security level 1 or 2, all AppManager components that are not FIPS-compliant are excluded and unreachable from FIPS-compliant components. For example:

    • Older agents cannot communicate with this management server version.

    • This version of the management server cannot access earlier QDB versions.

NetIQ Corporation recommends that if you upgrade an existing AppManager environment to use FIPS-only compliance, you upgrade all components in the environment to FIPS-compliant versions.

2.3.2 FIPS-Compliant and Non-FIPS-Compliant AppManager Components

This AppManager version can coexist with earlier AppManager components when FIPS-only compliance is not enabled. This AppManager version uses FIPS-compliant algorithms to encrypt communications to FIPS-compliant components and retains legacy algorithms to encrypt communications to older AppManager components.

Enabling the option Use only FIPS-compliant security algorithms has the following effects on communications between components:

  • For AppManager security level 0, FIPS-compliant and non-FIPS-compliant AppManager components can coexist. NetIQ Corporation does not recommend this combination of options because it restricts AppManager to FIPS-compliant encryption algorithms while security level 0 disables encryption altogether. Agents, management servers, and QDBs communicate in clear text.

    For more information about clear text information that can be passed in AppManager security level 0, see NetIQ KnowledgeBase article KB71855.

  • For AppManager security levels 1 and 2, non-FIPS-compliant AppManager components are excluded and unreachable from FIPS-compliant components.

If you do not enable the option Use only FIPS-compliant security algorithms, FIPS-compliant and non-FIPS-compliant AppManager components can coexist under any AppManager security level. For AppManager security levels 1 and 2, FIPS-compliant components communicate with each other using FIPS-compliant algorithms and communicate with non-FIPS-compliant components using proprietary AppManager encryption algorithms.

By default, the Use only FIPS-compliant security algorithms option is not enabled.
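The rules in sections 2.3.1 and 2.3.2 can be turned into a planning check that runs against an inventory before the flag is changed. The following Python script is an added example, not AppManager code or any NetIQ API: the component model, the `channel` and `audit` functions, the constructed inventory, and the assumption that only agent-to-management-server and management-server-to-QDB links matter are all hypothetical. It reports which links would become unreachable under a planned security level and flag setting, and flags the configurations the text warns about (FIPS-only with security level 0, SQL authentication under FIPS-only, and the management server restart).

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Hypothetical inventory model for planning purposes; this is NOT an
# AppManager API and the field names are constructed for this example.
@dataclass(frozen=True)
class Component:
    name: str
    kind: str             # "qdb", "management_server" or "agent"
    fips_compliant: bool  # False for earlier, non-FIPS-compliant releases

def talks(a: Component, b: Component) -> bool:
    """Assumption: agents talk to management servers, management servers
    talk to QDBs; other pairings carry no AppManager traffic."""
    kinds = {a.kind, b.kind}
    return kinds in ({"agent", "management_server"}, {"management_server", "qdb"})

def channel(a: Component, b: Component, security_level: int,
            fips_only: bool) -> Optional[str]:
    """Algorithm family used between a and b, or None if they cannot talk.

    Encodes section 2.3.2:
      - security level 0 never encrypts (clear text), whatever the flag says
      - levels 1/2, both components FIPS-compliant: FIPS-compliant algorithms
      - levels 1/2, mixed pair, flag on: the non-FIPS component is unreachable
      - levels 1/2, mixed or legacy pair, flag off: proprietary legacy algorithms
    """
    if security_level not in (0, 1, 2):
        raise ValueError("AppManager security level must be 0, 1 or 2")
    if security_level == 0:
        return "clear-text"
    if a.fips_compliant and b.fips_compliant:
        return "fips"
    if fips_only:
        return None
    return "legacy-proprietary"

def audit(inventory: List[Component], security_level: int, fips_only: bool,
          sql_auth_in_use: bool,
          flag_changed: bool = True) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (unreachable links, warnings) for the planned configuration."""
    warnings: List[str] = []
    unreachable: List[Tuple[str, str]] = []
    if fips_only and security_level == 0:
        warnings.append("FIPS-only with security level 0: encryption is disabled, "
                        "all traffic is clear text")
    if fips_only and sql_auth_in_use:
        warnings.append("FIPS-only: SQL authentication is unavailable, "
                        "switch repositories, management servers and agents "
                        "to Windows authentication")
    if flag_changed:
        warnings.append("restart every management server after changing the flag; "
                        "until restarted it keeps operating in its previous mode")
    for a, b in combinations(inventory, 2):
        if talks(a, b) and channel(a, b, security_level, fips_only) is None:
            unreachable.append((a.name, b.name))
    return unreachable, warnings

# Constructed sample inventory: one current (FIPS-compliant) stack plus an
# older agent and an older QDB left over from a previous release.
INVENTORY = [
    Component("qdb_new", "qdb", True),
    Component("ms_new", "management_server", True),
    Component("agent_new", "agent", True),
    Component("agent_old", "agent", False),
    Component("qdb_old", "qdb", False),
]

if __name__ == "__main__":
    for level in (0, 1, 2):
        for flag in (False, True):
            lost, notes = audit(INVENTORY, level, flag, sql_auth_in_use=True)
            print(f"level={level} fips_only={flag}: unreachable={lost}")
            for n in notes:
                print("   warning:", n)
```

Running the script enumerates every security level and flag combination; with the flag on at level 1 or 2 the older agent and older QDB drop off, which is exactly the situation section 2.3.1 tells you to resolve by upgrading every component before enabling the option.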

2.3.3 Management Servers and the FIPS-Only Compliance Flag

The Control Center console option Use only FIPS-compliant security algorithms maps to a QDB flag. When you change the Control Center FIPS-only compliance option, the flag in each QDB you add to Control Center changes.

If you change FIPS-only compliance in Control Center, you must restart each management server that reports to the QDB so that it can read the new FIPS flag state. Otherwise, the management server will not detect the FIPS-only compliance state change and will continue to operate in its previous mode.

If you enable FIPS-only compliance, jobs already active with older agents continue to forward events. If you restart the management server as required, you can no longer create new jobs for older agents. If you do not restart the management server, you can create new jobs for older agents because the management server will not detect the FIPS-only compliance state change in the QDB.