Configuring FIPS 140-2 in your tenant

This procedure details how to enable FIPS 140-2 mode in your tenant.

Before you begin

You can apply this procedure to all IBM RPA offerings.

Important: You can't revert the changes made during this procedure. See Planning for FIPS to plan before enabling FIPS.

The following list shows the prerequisites before applying this procedure:

  • Download and install IBM RPA version 21.0.1 or above. Upgrade both the server and the client.
  • Notify all users in your environments about the transition. Be aware that users may need to act during the transition stage to satisfy the requirements to enable FIPS.
  • Back up your databases as a safety measure.

The FIPS configuration has three stages:

  • Off
    Default stage for current IBM RPA users. In this stage, IBM RPA uses the old cryptography algorithms.

  • Transition
    When transitioning to FIPS compliance, IBM RPA uses both the old cryptographic algorithms for existing data and the new cryptographic algorithms for new or renewed data. In this stage, you need to resolve conflicts manually by reinserting the data so the new cryptography algorithm can encrypt the data.
    You can't revert the changes after starting this procedure.

  • On
    Default stage for new IBM RPA users. In this stage, IBM RPA uses the new cryptography algorithms. When transitioning, you need to resolve all conflicts before FIPS becomes active.

Procedure

Starting the transition

  1. Log in to the IBM RPA Control Center.
  2. Click Tenants > Tenant configuration > FIPS.
  3. Read the instructions and check that you understand the impact of these changes.
  4. Click Begin FIPS configuration.

Transitioning

You must resolve the conflicts in the following requirements to enable FIPS mode:

  • Reset user vault credentials
    You need to reset or delete user vault credentials. Note you can update all user vault credentials by resetting the IBM RPA Vault master password for each user. See the reset user vault credentials procedure in Managing users for details. For information about user vault credentials, see IBM RPA Vault credentials.

  • Reset user VNC passwords
    You need to reset or delete user VNC passwords. For details, see Computers.
    Starting from IBM RPA 23.0.3, the Virtual Network Computing (VNC) password field in computers is deprecated. For more information, see Deprecated.

  • Reset user credentials
    You need to reset or delete user credentials. For details, see Credentials.

  • Reset parameter values
    You need to reset or delete parameter values. For details, see Parameters.

  • Bot Agent upgrade
    You need to upgrade the Bot Agent. To do this, you need to download and install IBM RPA version 21.0.1 or above. For the on-premises offering, you need to upgrade the server and the clients. Refer to Upgrading for details on how to upgrade IBM RPA.

During the transition, you must change IBM RPA scripts using the following commands and algorithms:

  • Connect to Terminal (terminalConnect)
    Enabling FIPS restricts this command to support only TLS connections.
  • Create Rijndael Cipher (cipherRijndael)
  • Create Blowfish Cipher (cipherBlowfish)
  • Create RC2 Encryption (cipherRC2)

Also, MD5, RIPEMD160 and CRC32 algorithm options are not available anymore in the following commands:

Note: Click Export Requirements List to download a comma-separated value (CSV) file with all the conflicts you need to resolve.
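
To locate the scripts affected by the command and algorithm changes listed above before turning FIPS mode on, a scan like the following can be run over a folder of exported scripts. This is an added example, not IBM code: it assumes scripts are stored as *.wal text files in which // starts a comment line, and the sample lines are constructed placeholders, not real command syntax.

```python
import re
from pathlib import Path

# Commands this page lists as needing script changes during the transition.
FLAGGED_COMMANDS = {
    "terminalConnect": "supports only TLS connections once FIPS is enabled",
    "cipherRijndael": "listed for change during the FIPS transition",
    "cipherBlowfish": "listed for change during the FIPS transition",
    "cipherRC2": "listed for change during the FIPS transition",
}
# Algorithm options this page says are no longer available.
FLAGGED_ALGORITHMS = ("MD5", "RIPEMD160", "CRC32")

COMMAND_RE = re.compile(r"\b(" + "|".join(FLAGGED_COMMANDS) + r")\b")
ALGO_RE = re.compile(r"(?<![A-Za-z0-9])(" + "|".join(FLAGGED_ALGORITHMS)
                     + r")(?![A-Za-z0-9])", re.IGNORECASE)

def scan_script(text):
    """Return (line_number, item, reason) findings for one script's text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):  # assumption: '//' marks a comment line
            continue
        for match in COMMAND_RE.finditer(line):
            findings.append((number, match.group(1), FLAGGED_COMMANDS[match.group(1)]))
        for match in ALGO_RE.finditer(line):
            findings.append((number, match.group(1).upper(),
                             "algorithm option no longer available"))
    return findings

def scan_tree(root, pattern="*.wal"):  # assumption: scripts are *.wal text files
    """Scan every matching file under root; return {path: findings} for hits only."""
    report = {}
    for path in sorted(Path(root).rglob(pattern)):
        findings = scan_script(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report

# Constructed sample: placeholder lines, not real command syntax.
SAMPLE = """\
// old note: cipherBlowfish was used here
terminalConnect <arguments elided>
cipherRijndael <arguments elided>
someHashCommand <arguments elided> md5
otherCommand <arguments elided>
"""
```

Calling scan_tree on the folder that holds your scripts returns only the files with findings; each finding is a candidate for manual review, alongside the exported requirements list.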

After complying with all the requirements, click Turn FIPS mode on to enable FIPS.

Results

After starting the FIPS mode procedure, you can't revert the changes. Any new data added to your environment will use the new cryptography algorithms for encryption.

The FIPS menu is removed from the IBM RPA Control Center interface after enabling FIPS. You can find FIPS status on Tenants > Tenant configuration > General Settings.