enable_fips_tls

This API enables FIPS 140-2 compatibility and disables TLS 1.3 on a stand-alone machine, a central manager, or a central manager and all of its associated managed units, on Guardium® 12.0 and 12.1 appliances.

Note: This API is deprecated for Guardium 12.2 appliances, because the FIPS 140-3 compatibility of version 12.2 supports both TLS 1.3 and TLS 1.2. On a 12.2 appliance the command returns an error, as in this example:
localhost.youcompany.com> grdapi enable_fips_tls all=0 force=0
This function disables communications protocol (TLS v1.3) to become FIPS compliant. Please run this command to disable TLSv1.3 before enabling FIPS mode.
Gathering Information. This could take several minutes depending on how many managed units are registered to the central manager.
Warning: Running this command may cause one or more of your appliances in your environment to lose communications after restart.
enable_fips_tls:
ERR=1001
Execution aborted.
For more information, see Enabling or disabling FIPS mode no longer requires changes to TLS.

In some circumstances, you must disable TLS 1.3 before you can enable FIPS 140 mode for Guardium 12.0 and 12.1.

Before version 12.0, Guardium supported TLS 1.0, 1.1, and 1.2. Starting with version 12.0, Guardium supports TLS 1.2 and TLS 1.3. In all of these versions, Guardium supports FIPS 140 mode. However, in some cases you must disable TLS 1.3 before you can enable FIPS 140 mode.

Specifically, you might run into this issue if you upgrade your central manager to Guardium 12.0 or 12.1 while the managed units remain at pre-12.0 releases. In this case, run enable_fips_tls on your central manager to disable TLS 1.3 so that FIPS 140 mode can be enabled. For more information, see Managing the TLS version.

Note: After you disable TLS 1.3, enable FIPS mode and then reboot the server. There are two ways to enable FIPS mode:
  • Run the fipsmode API. Guardium suggests that you set restart=1 so that the system restarts automatically.
  • Run the store system fipsmode CLI command, and then restart the system manually.
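
The two-step sequence above (disable TLS 1.3 with enable_fips_tls, check the result, then enable FIPS mode with restart=1), as an added shell wrapper that is not part of the Guardium documentation or product. It assumes grdapi is reached over ssh as the appliance cli user (the run_grdapi function), that a successful GuardAPI call prints ID=0 and no ERR= line, and that the fipsmode API is invoked as fipsmode=1 restart=1; none of those details appear on this page, so adapt them to your environment. The response-parsing functions are the point: a response carrying an ERR= code, such as the ERR=1001 output shown earlier for a 12.2 appliance, must never lead into fipsmode.

```shell
#!/bin/sh
# Added example, not code from the Guardium documentation or product.
# Wraps the 12.0/12.1 procedure: enable_fips_tls -> check response -> fipsmode restart=1.
#
# Assumptions (not stated on the page):
#   - grdapi is reachable over ssh as the appliance "cli" user (run_grdapi below)
#   - a successful GuardAPI call prints ID=0 and no ERR= line
#   - the fipsmode API is called as: fipsmode fipsmode=1 restart=1

# Print the first ERR=<code> found in a GuardAPI response and return 1;
# return 0 (printing nothing) when the response carries no ERR= line.
grdapi_err_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/^ERR=\([0-9][0-9]*\).*/\1/p' | sed -n '1p')
    [ -z "$code" ] && return 0
    printf '%s\n' "$code"
    return 1
}

# Return 0 when the response contains the "lose communications" warning that
# enable_fips_tls prints before it touches the managed units.
grdapi_has_comm_warning() {
    printf '%s\n' "$1" | grep -q 'lose communications'
}

# Map an enable_fips_tls response to the next action:
#   proceed - no ERR= code, TLS 1.3 is disabled, FIPS mode may be enabled
#   abort   - ERR= code present (for example ERR=1001 on a 12.2 appliance)
decide_next_step() {
    if grdapi_err_code "$1" >/dev/null; then
        echo proceed
    else
        echo abort
    fi
}

# Assumed transport to the appliance; replace with whatever you use.
run_grdapi() {
    ssh "cli@${GUARDIUM_HOST}" "grdapi $*"
}

# Run the full procedure. $1 = all (0/1), $2 = force (0/1).
fips_procedure() {
    all=${1:-0}
    force=${2:-0}
    out=$(run_grdapi enable_fips_tls "all=$all" "force=$force") || true
    printf '%s\n' "$out"
    if [ "$(decide_next_step "$out")" != proceed ]; then
        echo "enable_fips_tls failed (ERR=$(grdapi_err_code "$out" || true)); FIPS mode not enabled" >&2
        return 1
    fi
    if grdapi_has_comm_warning "$out" && [ "$all" = 1 ]; then
        echo "appliance warned that one or more units may lose communications after restart" >&2
    fi
    # TLS 1.3 is off; enable FIPS mode and let the appliance restart itself.
    run_grdapi fipsmode fipsmode=1 restart=1
}

# Only talk to a real appliance when explicitly requested, for example:
#   GUARDIUM_HOST=cm.example.com RUN_FIPS_PROCEDURE=1 ALL=0 FORCE=0 sh enable_fips.sh
if [ "${RUN_FIPS_PROCEDURE:-0}" = 1 ] && [ -n "${GUARDIUM_HOST:-}" ]; then
    fips_procedure "${ALL:-0}" "${FORCE:-0}"
fi
```

Run it with all=0 first on the central manager; only use all=1 (and force=1) once you have confirmed which managed units will still be reachable after the restart, because the appliance itself warns that units may lose communications.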

This API runs only on a central manager or stand-alone machine.

This API is only available in Guardium 12.0 and 12.1.

GuardAPI syntax

enable_fips_tls parameter=value

Parameters

Parameter Value type Description
all Boolean Required. Specify whether to disable TLS 1.3 on all associated managed units or only on the current unit. Valid values:
  • 0 - Disable TLS 1.3 on the current unit only.
  • 1 - Disable TLS 1.3 on the current central manager (or stand-alone machine) and all associated managed units.

Default = 0 (false)

force Boolean Optional. Specify whether to disable TLS 1.3 when the central manager and its managed units run different Guardium versions. Valid values:
  • 0 - Do not disable TLS 1.3 if the central manager and managed units are running different Guardium versions.
  • 1 - Disable TLS 1.3 even if there are differences between Guardium versions on the central manager and its associated managed units.

Default = 0 (false)

api_target_host String Specifies the target hosts where the API executes. Valid values:
  • all_managed: execute on all managed units but not the central manager
  • all: execute on all managed units and the central manager
  • group:<group name>: execute on all managed units identified by <group name>
  • host name or IP address of a managed unit: specified from the central manager to execute on a managed unit. For example, api_target_host=10.0.1.123.
  • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.