Enabling or disabling FIPS at upgrade time

Quick and easy steps to enable FIPS when upgrading from an environment where FIPS was not enabled.

If you are upgrading from an environment where FIPS was not enabled, and want to enable it while upgrading, perform the steps listed below on each component in the IBM® Workload Scheduler environment.

To ensure FIPS compliance, all IBM Workload Scheduler components must meet the following requirements:
  • All components must be at version 10.2.5 or later.
  • The certificates must employ at least a robust 2K RSA key and use encryption algorithms different from MD5-RSA and SHA1-RSA.
  • The key must be in a format where the algorithms are supported by FIPS. For example, avoid the PKCS1 format with the MD5 algorithm or the PKCS8 format with the 3DES algorithm.
FIPS is supported on all supported operating systems with the exception of IBM i operating systems.
Note: If your current environment is running any versions between 10.2.2 and 10.2.4, FIPS is disabled by default.
When upgrading, you can encounter one of the following situations:
If certificates do not meet FIPS standards
An error message is displayed stating that the current security configuration does not support FIPS mode and the upgrade stops. To enable FIPS, proceed to step 1.
If certificates meet FIPS standards
You can upgrade and enable FIPS. Proceed to step 2.

Perform the following steps in the specified order:

  1. If your current certificates do not meet FIPS standards, replace them with CA-signed certificates, as explained in Replacing Default SSL Certificates with CA signed Customer Certificates.
  2. On the master domain manager, start the upgrade as described in Upgrading from the CLI, setting the enablefips parameter to true.
  3. The upgrade completes, enabling FIPS in weak mode. When in weak mode, the upgraded master domain manager can communicate with back-level components, ensuring business continuity.
  4. Check the version of the OpenSSL libraries present in your environment:
    • If the system provides OpenSSL version 3.0 or higher, those libraries are automatically used by the product.
    • If the system libraries do not meet the version requirement, the product defaults to using the OpenSSL libraries included with IBM Workload Scheduler.
    If you are using the OpenSSL libraries provided with the operating system, set the machine in FIPS mode. Note that the specific command to enable this mode may differ depending on your operating system.
  5. On the master domain manager, run the following command to set the environment variables: 
    . ./tws_env.sh
  6. On the master domain manager, run the following command to verify the security status: 
    secure -checksecurity
    A message similar to the following is displayed:
    FIPS configuration updated in weak mode. To enable full FIPS mode, 
update the master domain manager and all backup master domain managers to the 
current release. Then, run the secure -updatesecurity command on master domain manager.
    As stated in the message, before you set up FIPS in full mode on the master domain manager, it is necessary to upgrade all components in your environment to version 10.2.5 or later.
  7. Upgrade the remaining server components (backup master domain manager, dynamic domain manager, backup dynamic domain manager) if any, as described in Upgrading from the CLI, setting the enablefips parameter to true.
  8. Upgrade the Dynamic Workload Console, setting the enablefips parameter to true.
  9. Upgrade the agents, setting the enablefips parameter to true.
  10. On the master domain manager, run the following command to check the encryption level of user passwords in the database and change it from 3DES to AES, if necessary: 
    secure -updatesecurity
    This command also sets the useAESEncryptionAlgorithm optman option to yes For more information about global options, see Global options - detailed description.
  11. On the master domain manager, run the following command to update the encryption of user passwords on the Symphony file deployed in your environment: 
    JnextPlan -for 0000 -noremove
  12. On the master domain manager and backup master domain manager, run the following command to set FIPS in full mode: 
    secure -fips on
    The master domain manager switches to full FIPS mode after IBM Workload Scheduler processes are restarted. For more information about the secure command, see Optional password encryption - secure script.
  13. Restart the master domain manager and backup master domain manager to make the switch to full FIPS mode effective. To avoid service interruptions, use the following command: 
    switchmgr domain;newmgr
    For more information, see Switching a domain manager.
  14. On the Dynamic Workload Console, run the following command to set the environment variables: 
    . ./dwc_env.sh
  15. On the Dynamic Workload Console, run the following command to set FIPS in full mode: 
    secure -fips on
  16. On each agent, run the following command to set the environment variables: 
    . ./tws_env.sh
  17. On each agent, run the following command to set FIPS in full mode: 
    secure -fips on
  18. Optionally run the following command to check FIPS status: 
    secure  -securitystatus
    A message similar to the following is displayed:
    FIPS is enabled on the agent
  19. Restart all IBM Workload Scheduler processes on the Dynamic Workload Console and agents to make changes to FIPS configuration effective. To prevent communication problems after switching to full FIPS mode, ensure you perform a coordinated restart of the various components.
FIPS is now correctly enabled in full mode in your environment.
Note: After fully enabling FIPS mode, failures may occur in Composer and Conman. If this happens, delete and recreate the useropts for the user performing the operation. This issue typically arises when you perform a direct upgrade or when Symphony encryption was previously disabled.

Disabling FIPS at upgrade time

FIPS mode is currently enabled in your source environment. You plan to upgrade to version 10.2.6 and disable FIPS during the upgrade process.
To ensure FIPS compliance, all IBM Workload Scheduler components must meet the following requirements:
  • All components must be at version 10.2.5 or later.
  • The certificates must employ at least a robust 2K RSA key and use encryption algorithms different from MD5-RSA and SHA1-RSA.
  • The key must be in a format where the algorithms are supported by FIPS. For example, avoid the PKCS1 format with the MD5 algorithm or the PKCS8 format with the 3DES algorithm.
FIPS is supported on all supported operating systems with the exception of IBM i operating systems.

However, certificates in the source environment may not meet the security standards of FIPS 140-3, even if FIPS mode is currently enabled in the source environment.

If certificates are not secure by FIPS standard, the upgrade stops. To proceed with the upgrade, you can either obtain secure certificates, as described in Upgrading from a FIPS-enabled environment, or, if FIPS compliance is not required, you can restart the upgrade setting the enablefips parameter to false when upgrading each component.

After you have upgraded all components setting the enablefips parameter to false, FIPS is disabled in your upgraded environment.