Planning for FIPS 140-2
IBM RPA FIPS 140-2 mode introduces changes in the database structure and cryptographic algorithms. These changes result in the following impacts:
- Backward compatibility is not possible
IBM RPA version 21.0.0 and earlier do not have FIPS mode. Once you configure FIPS, those older versions no longer work against the environment.
Download IBM RPA version 21.0.1 or later before you apply the FIPS configuration; otherwise, your environment will stop working. In the IBM RPA on premises offering, you must upgrade both the server and the client.
- You can't revert the changes
Back up your databases before you start the FIPS transition. Once the transition starts, it cannot be reverted from within IBM RPA.
To return to the state before FIPS was enabled, you must restore your backup manually and downgrade IBM RPA to version 21.0.0 or earlier.
The FIPS 140-2 compliance configuration has three stages: not enabled, transitioning, and enabled. By default, FIPS is enabled for new customers of IBM RPA version 21.0.1 or later, for any edition.
If you are upgrading an existing environment to version 21.0.1 or later, FIPS is disabled by default and you can transition whenever you are ready. If you are using IBM RPA on premises, you must upgrade both your server and your clients.
- FIPS mode not enabled
  In this stage, IBM RPA uses the old cryptographic algorithms. You can start the transition stage in the IBM RPA Control Center. See Configuring FIPS in your environment for details.
- FIPS mode transition
  In this stage, IBM RPA uses both the old cryptographic algorithms for existing data and the new cryptographic algorithms for new or renewed data. You need to resolve the conflicts manually before FIPS mode becomes fully active. The following list defines the affected data that you need to change manually to resolve the conflicts:
  - IBM RPA Vault credentials
  - VNC passwords (deprecated in 23.0.3)
  - Credentials
  - Parameter values
  Important: During the transition, you need to change scripts that use the following commands and algorithms:
  - Connect to Terminal (terminalConnect): enabling FIPS restricts this command to TLS 1.2 connections only.
  - Create Rijndael Cipher (cipherRijndael)
  - Create Blowfish Cipher (cipherBlowfish)
  - Create RC2 Encryption (cipherRC2)
  Also, the MD5, RIPEMD160 and CRC32 algorithms are not available in the following commands:
  - Compare Two Files (hashCompare)
  - Calculate Hash (hashCalculate)
  - Check File (hashTest)
- FIPS mode enabled
  In this stage, IBM RPA uses the new cryptographic algorithms and complies with FIPS policies. With FIPS enabled, pay attention to the following points:
  - Do not use the Create RSA Cipher (cipherRsa) command. The RSA encryption that this command performs does not comply with FIPS standards. Use the Create AES Cipher (cipherAes) command instead.
  - Do not use tenant credentials. These credentials use asymmetric encryption that does not comply with FIPS standards.
  - When connecting to external services, make sure that you use TLS 1.2 or higher. Earlier protocol versions, including SSL, do not comply with FIPS standards.
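The lists of restricted commands and algorithms in the transition and enabled stages above can be turned into a pre-transition check of your scripts. The following script is an added example for this page; it is not part of IBM RPA and not IBM's tooling. It scans WAL script text for the command names the page lists. It assumes one command per line, that the hash commands name their algorithm with a `--algorithm` parameter (the parameter name is an assumption), and that lines starting with `//` are comments; the sample script and the other parameter names in it are constructed for illustration.

```python
"""Audit IBM RPA script text for commands and algorithms that FIPS mode
restricts or removes.

Added example: not IBM RPA's own tooling. It only knows the command and
algorithm names listed on this page. Assumed conventions: one command per
line, `--algorithm` names the hash algorithm, `//` starts a comment.
"""
import re
from dataclasses import dataclass

# Commands that must be replaced before FIPS mode is enabled.
BLOCKED_COMMANDS = {
    "cipherRijndael": "Create Rijndael Cipher is not available with FIPS; use cipherAes",
    "cipherBlowfish": "Create Blowfish Cipher is not available with FIPS; use cipherAes",
    "cipherRC2": "Create RC2 Encryption is not available with FIPS; use cipherAes",
    "cipherRsa": "Create RSA Cipher does not comply with FIPS; use cipherAes",
}
# Commands that remain but lose these algorithms under FIPS.
HASH_COMMANDS = {"hashCompare", "hashCalculate", "hashTest"}
BLOCKED_HASH_ALGORITHMS = {"MD5", "RIPEMD160", "CRC32"}
# Connect to Terminal keeps working but only over TLS 1.2, so flag it for review.
REVIEW_COMMANDS = {
    "terminalConnect": "Connect to Terminal supports only TLS 1.2 connections with FIPS; verify the endpoint",
}

# `--algorithm` as the parameter name is an assumption, not a documented fact.
_ALGO_RE = re.compile(r'--algorithm\s+"?([A-Za-z0-9]+)"?', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    command: str
    severity: str  # "blocked" (must change) or "review" (check configuration)
    message: str


def audit_script(text: str) -> list[Finding]:
    """Return one Finding per script line that FIPS mode affects."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # blank line or comment
        command = line.split(None, 1)[0]
        if command in BLOCKED_COMMANDS:
            findings.append(Finding(line_no, command, "blocked", BLOCKED_COMMANDS[command]))
        elif command in HASH_COMMANDS:
            match = _ALGO_RE.search(line)
            if match and match.group(1).upper() in BLOCKED_HASH_ALGORITHMS:
                algo = match.group(1).upper()
                findings.append(Finding(
                    line_no, command, "blocked",
                    f"{algo} is not available with FIPS; switch to a FIPS-approved algorithm such as SHA-256",
                ))
        elif command in REVIEW_COMMANDS:
            findings.append(Finding(line_no, command, "review", REVIEW_COMMANDS[command]))
    return findings


def is_transition_ready(findings: list[Finding]) -> bool:
    """True when nothing must be rewritten (review-only findings are allowed)."""
    return not any(f.severity == "blocked" for f in findings)


# Constructed sample script; parameter names are illustrative, not IBM's.
SAMPLE_SCRIPT = """\
// constructed sample WAL script, not from a real deployment
defVar --name secret --type String
cipherRijndael --key "${key}" --text "${secret}" --output result
cipherAes --key "${key}" --text "${secret}" --output result
hashCalculate --algorithm "MD5" --text "${secret}" --output digest
hashCalculate --algorithm "SHA256" --text "${secret}" --output digest
terminalConnect --host "mainframe.example" --port 992 --secure
"""

if __name__ == "__main__":
    results = audit_script(SAMPLE_SCRIPT)
    for f in results:
        print(f"line {f.line_no}: [{f.severity}] {f.command}: {f.message}")
    print("ready for FIPS transition:", is_transition_ready(results))
```

Run it against each script before you start the transition: every `blocked` finding is a script that must be rewritten (to cipherAes, or to a FIPS-approved hash) before FIPS mode becomes fully active, and each `review` finding is a terminal connection whose endpoint must negotiate TLS 1.2.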
What to do next
Before you install IBM RPA, see Enabling FIPS to ensure that your environment complies with FIPS policies.
For more information about FIPS compliance, see the IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69.