Enabling or disabling FIPS after installing or upgrading

You can easily enable FIPS after completing the installation or upgrade.

To ensure FIPS compliance, all IBM® Workload Scheduler components must meet the following requirements:

All components must be at version 10.2.5 or later.
The certificates must employ at least a robust 2K RSA key and use encryption algorithms different from MD5-RSA and SHA1-RSA.
The key must be in a format where the algorithms are supported by FIPS. For example, avoid the PKCS1 format with the MD5 algorithm or the PKCS8 format with the 3DES algorithm.

FIPS is supported on all supported operating systems with the exception of IBM i operating systems.

When installing, you can encounter one of the following situations:

If certificates do not meet FIPS standards: An error message is displayed stating that the current security configuration does not support FIPS mode and the upgrade stops. To enable FIPS in full mode, proceed to step 1.
If certificates meet FIPS standards: You can install and enable FIPS. Proceed to step 2.

To enable FIPS after completing the installation or upgrade, perform the following steps:

If your current certificates do not meet FIPS standards, replace them with CA-signed certificates, as explained in Replacing Default SSL Certificates with CA signed Customer Certificates.
Check the version of the OpenSSL libraries present in your environment:
- If the system provides OpenSSL version 3.0 or higher, those libraries are automatically used by the product.
- If the system libraries do not meet the version requirement, the product defaults to using the OpenSSL libraries included with IBM Workload Scheduler.
If you are using the OpenSSL libraries provided with the operating system, set the machine in FIPS mode. Note that the specific command to enable this mode may differ depending on your operating system.
On the master domain manager, run the following command to set the environment variables:
```
. ./tws_env.sh
```
On the master domain manager, run the following command to check the encryption level of user passwords in the database and change it from 3DES to AES, if necessary:
```
secure -updatesecurity
```
This command also sets the useAESEncryptionAlgorithm optman option to yes For more information about global options, see Global options - detailed description.
On the master domain manager and backup master domain manager, run the following command to set FIPS in full mode:
```
secure -fips on
```
The master domain manager switches to full FIPS mode after IBM Workload Scheduler processes are restarted. For more information about the secure command, see Optional password encryption - secure script.
On the Dynamic Workload Console, run the following command to set the environment variables:
```
. ./dwc_env.sh
```
On the Dynamic Workload Console, run the following command to set FIPS in full mode:
```
secure -fips on
```
On each agent, run the following command to set the environment variables:
```
. ./tws_env.sh
```
On each agent, run the following command to set FIPS in full mode:
```
secure -fips on
```
Restart all IBM Workload Scheduler processes on the Dynamic Workload Console and agents to make changes to FIPS configuration effective. To prevent communication problems after switching to full FIPS mode, ensure you perform a coordinated restart of the various components.

You have now enabled FIPS in full mode in your environment.

Disabling FIPS after installing or upgrading

You can easily disable FIPS after completing the installation or upgrade.

To disable FIPS after completing the installation or upgrade, perform the following steps:

Set the environment variables on all components.
Run the following command on all components in your environment to disable FIPS:
```
secure -fips off
```
FIPS is disabled after IBM Workload Scheduler processes are restarted.
Restart all IBM Workload Scheduler processes. To prevent communication problems after disabling FIPS, ensure you perform a coordinated restart of the various components.