6.1 Enabling FIPS Mode

PAM offers enhanced protection against security threats and compliance with United States federal government standards by supporting Federal Information Processing Standards (FIPS). PAM uses FIPS 140-2 compliant cryptography to meet the security requirements of United States federal agencies and of customers operating highly secure environments. Enabling FIPS mode in Privileged Account Manager makes product components such as PAM Manager, PAM Agent, PAM Administration Console, PAM User Console, and target applications communicate using FIPS 140-2 certified encryption algorithms.

IMPORTANT:

  • You cannot disable FIPS after you have enabled it.

  • When you enable FIPS:

    • FIPS mode is enabled immediately on all the managers that have the registry module.

    • The primary registry manager is enabled first, followed by the other registry managers, and then the associated agents. FIPS is enabled on an agent when it re-registers with a manager, and automatic re-registration of agents happens once every two days. Therefore, it may take up to two days for FIPS to be enabled automatically on all the agents.

    • For agents in Offline state, FIPS will be enabled only after the status changes to Online and the agents are re-registered with the manager.

Prerequisites:

  • Ensure that all the packages are upgraded to the latest version on all PAM agents and managers.

  • Enable FIPS on the operating systems hosting the managers and the agents.

    FIPS mode in PAM can be enabled only on Windows and Linux operating systems, for both managers and agents. FIPS mode in PAM is not supported on Unix operating systems. For a complete list of the supported Windows and Linux operating systems, see Privileged Account Manager 3.6 System Requirements.
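A pre-flight check for the second prerequisite (FIPS enabled on the operating systems hosting the managers and agents), added here as an example and not part of the PAM documentation. It assumes Linux hosts whose kernel exposes the fips_enabled flag under /proc/sys/crypto, and that a copy of that flag file has been collected from each manager and agent so all hosts can be assessed from one place before FIPS is switched on in PAM (which cannot be undone).

```shell
#!/bin/sh
# Pre-flight check for the OS-level FIPS prerequisite (added example, not PAM code).
# Assumes Linux hosts: the kernel reports FIPS mode in /proc/sys/crypto/fips_enabled
# (1 = FIPS mode on, 0 = off). A missing file means no FIPS-capable kernel flag
# was found, which is reported as "unknown" rather than silently treated as off.

# fips_state FILE
# Prints one of: enabled, disabled, unknown. Returns 0 only when enabled.
fips_state() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo unknown
        return 2
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

# check_hosts_file LIST
# LIST has one line per host: "<hostname> <path-to-collected-flag-file>".
# Prints "<host> <state>" per line; returns 1 if any host is not "enabled",
# so the script can gate the PAM "Enable" step in an automation pipeline.
check_hosts_file() {
    rc=0
    while read -r host flagfile; do
        [ -z "$host" ] && continue
        state=$(fips_state "$flagfile") || rc=1
        printf '%s %s\n' "$host" "$state"
    done < "$1"
    return $rc
}

# Stand-alone use: report this host's own state. Set FIPS_FLAG_FILE to assess
# a collected copy of another host's flag file instead.
fips_state "${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}" || true
```

Hosts reported as "disabled" or "unknown" (including any Unix host, where PAM FIPS mode is not supported) should be fixed or excluded before clicking Enable, because agents only pick up FIPS mode when they re-register with an already FIPS-enabled manager.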

To enable FIPS:

  1. Enable FIPS on PAM:

    1. Log in to the PAM Administration Console.

    2. Click Hosts > Host Status > Enable.

    3. (Conditional) To enable FIPS immediately on agents, re-register agents manually. For more information about re-registering agents manually, see the Privileged Account Manager Administration Guide.

  2. Enable FIPS on the target machines for the following:

    • (Conditional) RDP relay

    • (Conditional) Credential checkout of applications and databases: Enable FIPS mode on Java that is installed on the system hosting the application.