Enabling FIPS

Federal Information Processing Standards (FIPS) are standards and guidelines issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. The standards are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist. Government agencies and financial institutions use these standards to ensure that products conform to specified security requirements.

To learn more about FIPS compliance, see Planning for FIPS.

In IBM RPA on premises, you can enable FIPS compliance at any time, even after installing the server. For a fully compliant system, you must enable FIPS encryption in the operating systems of both the server and the clients. You must also change the database connection strings to enable encryption that conforms to the standards.

To run IBM RPA on a FIPS compliant system, see the following sections.

Windows

On FIPS-compliant environments, both client and server operating systems must enable FIPS policies.

To enable FIPS policies on Windows™, follow these steps:

  1. On the Windows Start menu, open Local Security Policy.
  2. Expand the Local Policies options and double-click Security Options.
  3. Search for the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing option and double-click it to open the settings.
  4. Select Enabled.
  5. Click Apply and OK to close the window.

You must also ensure that all of your machines (client and server) only allow connections using TLS 1.2 and above:

  1. On the Windows Start menu, open Internet Options.
  2. Go to the Advanced tab.
  3. Enable the TLS 1.2 and TLS 1.3 options.
  4. Ensure that TLS 1.1, TLS 1.0, and SSL 3.0 are not enabled.
  5. Click Apply and OK to close the window.
  6. Restart the computer to apply the changes.

SQL Server

To install a FIPS-compliant version of SQL Server, follow the steps described in Use SQL Server 2016 and later versions in FIPS 140-2-compliant mode and Configure SQL Server Database Engine for encrypting connections.

When you install the IBM RPA server, you must enter the connection strings to the databases. You can also change the connection strings after the installation in the IBM RPA Control Center, in the Database configuration page. For a FIPS-compliant system, the connection strings must be the following:

Server=<SERVER_ADDRESS>;Database=AUTOMATION;User Id=<USERNAME>;Password=<PASSWORD>;Encrypt=True;
Server=<SERVER_ADDRESS>;Database=KNOWLEDGE;User Id=<USERNAME>;Password=<PASSWORD>;Encrypt=True;
Server=<SERVER_ADDRESS>;Database=WORDNET;User Id=<USERNAME>;Password=<PASSWORD>;Encrypt=True;MultipleActiveResultSets=True;
Server=<SERVER_ADDRESS>;Database=AUDIT;User Id=<USERNAME>;Password=<PASSWORD>;Encrypt=True;
Server=<SERVER_ADDRESS>;Database=ADDRESS;User Id=<USERNAME>;Password=<PASSWORD>;Encrypt=True;

If you plan to enable Single Sign-On (SSO), you must add a connection string to the UMS database:

Server=<SERVER_ADDRESS>;Database=UMS;User Id=<USERNAME>;Password=<PASSWORD>;

UMS can connect to SQL Server over the encrypted connection without additional parameters, and it also accepts self-signed certificates. To enforce the usage of certificates, follow Step 2: Configure encryption settings in SQL Server.

If you use a self-signed certificate, add the following parameter to the connection strings:

TrustServerCertificate=True;

Important: Self-signed certificates are invalid according to FIPS standards. Use a certificate that meets FIPS standards for a FIPS-compliant environment.
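
The following Python check is an added example, not IBM's code: it audits a set of connection strings against the requirements in this section (Encrypt=True on the five server databases, no TrustServerCertificate=True anywhere). The sample strings, host name, and function names are constructed for illustration, and the parser assumes values contain no quoted semicolons.

```python
# Added example: audit IBM RPA database connection strings against the
# settings this page requires. All sample values below are constructed.
REQUIRED_DATABASES = {"AUTOMATION", "KNOWLEDGE", "WORDNET", "AUDIT", "ADDRESS"}
TRUTHY = {"true", "yes"}  # assumption: spellings this audit accepts as "enabled"


def parse(conn_str):
    """Split 'Key=Value;...' into a dict with lower-cased, trimmed keys."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit(conn_strings):
    """Return a sorted list of (database, finding) tuples; empty means clean."""
    findings, seen = [], set()
    for raw in conn_strings:
        kv = parse(raw)
        db = kv.get("database", "<missing>").upper()
        seen.add(db)
        # The UMS string on this page carries no Encrypt parameter, so it is exempt here.
        if db != "UMS" and kv.get("encrypt", "").lower() not in TRUTHY:
            findings.append((db, "Encrypt=True is missing or disabled"))
        # Trusting the server certificate blindly implies a self-signed certificate.
        if kv.get("trustservercertificate", "").lower() in TRUTHY:
            findings.append((db, "TrustServerCertificate=True: self-signed certificate in use"))
    for db in REQUIRED_DATABASES - seen:
        findings.append((db, "no connection string supplied"))
    return sorted(findings)


SAMPLE = [  # constructed values; host and credentials are placeholders
    "Server=db.example.internal;Database=AUTOMATION;User Id=rpa;Password=x;Encrypt=True;",
    "Server=db.example.internal;Database=KNOWLEDGE;User Id=rpa;Password=x;",
    "Server=db.example.internal;Database=WORDNET;User Id=rpa;Password=x;Encrypt=True;"
    "MultipleActiveResultSets=True;TrustServerCertificate=True;",
    "Server=db.example.internal;Database=AUDIT;User Id=rpa;Password=x;encrypt=false;",
    "Server=db.example.internal;Database=UMS;User Id=rpa;Password=x;",
]

if __name__ == "__main__":
    for database, finding in audit(SAMPLE):
        print(f"{database}: {finding}")
```

An empty result from audit() means every required database has a string with encryption on and none of them trusts the server certificate blindly.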

Configuring your tenants for FIPS compliance

See Configuring FIPS 140-2 in your tenant to configure your tenants for FIPS compliance.

What to do next?

Proceed to Install the server.