enable_fips_tls
The API disables TLS 1.3 on a standalone machine, a central manager, or a central manager and all associated managed units. Under some circumstances, for Guardium 12.0 or later, you must disable TLS 1.3 before you can enable FIPS 140 mode.
Before Guardium 12.0, Guardium supported TLS 1.0, 1.1, and 1.2. With the introduction of Guardium 12.0, Guardium supports TLS 1.2 and TLS 1.3. In all cases, Guardium supports the FIPS 140 protocol. However, in some cases, you must disable TLS 1.3 to enable FIPS 140 support.
Specifically, you might run into this issue if you upgrade your central manager to Guardium 12.x, but the managed units remain at pre-12.x releases. In this case, run enable_fips_tls on your central manager to disable TLS 1.3 and help ensure that Guardium supports the FIPS 140 protocol. For more information, see Managing the TLS version.
- Run the fipsmode API. Guardium suggests that you set restart = 1 to automatically restart your system.
- Run the store system fipsmode CLI command and then manually restart your system.
This API runs only on a central manager or standalone machine.
This API is available in Guardium v12.0 and later.
GuardAPI syntax
enable_fips_tls parameter=value
Parameters
Parameter | Value type | Description |
---|---|---|
all | Boolean | Required. Specify whether to disable TLS 1.3 on all associated managed units or only on the current unit. Valid values: Default = 0 (false) |
force | Boolean | Valid values: Default = 0 (false) |
api_target_host | String | Specifies the target hosts where the API executes. Valid values: IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode. |
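
One way to confirm the result after running enable_fips_tls is to probe each unit with a client pinned to a single TLS version and check that TLS 1.3 is refused while TLS 1.2 still negotiates. This is an added example, not IBM's code; the host names and port 8443 are placeholder assumptions to replace with the units and TLS port in your environment.

```python
import socket
import ssl

V12, V13 = ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3

def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to `version`: accepted / rejected / unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is tested here, so certificate checks are off;
    # do not reuse this context to send data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except OSError:  # ssl.SSLError is a subclass: alert, EOF, reset, timeout
            return "rejected"

def verdict(results):
    """Classify one unit from its {version: probe result} map."""
    if "unreachable" in results.values():
        return "unknown"
    if results[V13] == "accepted":
        return "tls13-still-enabled"
    if results[V12] == "accepted":
        return "tls13-disabled"
    return "no-tls-offered"

def audit(units, port):
    """Probe every unit for both versions and return {host: verdict}."""
    return {h: verdict({v: probe(h, port, v) for v in (V12, V13)}) for h in units}

if __name__ == "__main__":
    # Constructed placeholders: replace with your central manager and managed units.
    for host, state in audit(["cm.example.internal", "mu1.example.internal"], 8443).items():
        print(f"{host}: {state}")
```

A unit reported as `tls13-still-enabled` after the API ran with all set to true is the case to investigate before enabling FIPS 140 mode.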