Enabling FIPS at installation time

Quick and easy steps to enable FIPS when installing IBM® Workload Scheduler for the first time.

If you are performing a fresh installation and want to enable FIPS while installing, perform the steps listed below on each component in the IBM Workload Scheduler environment.

To ensure FIPS compliance, all IBM Workload Scheduler components must meet the following requirements:
  • All components must be at version 10.2.5 or later.
  • The certificates must employ at least a robust 2K RSA key and use encryption algorithms different from MD5-RSA and SHA1-RSA.
  • The key must be in a format where the algorithms are supported by FIPS. For example, avoid the PKCS1 format with the MD5 algorithm or the PKCS8 format with the 3DES algorithm.
FIPS is supported on all supported operating systems with the exception of IBM i operating systems.
When installing, you can encounter one of the following situations:
If certificates do not meet FIPS standards
An error message is displayed stating that the current security configuration does not support FIPS mode and the installation stops. To enable FIPS in full mode, proceed to step 1.
If certificates meet FIPS standards
You can install and enable FIPS. Proceed to step 2 onward.
  1. Obtain secure certificates. You can also generate them using the certman generate command. For more information, see Configuring secure communications.
  2. Start the installation on the master domain manager, as described in Installing from the command-line interface, setting the enablefips parameter to true.
  3. The installation completes, setting FIPS in full mode.
  4. Check the version of the OpenSSL libraries present in your environment:
    • If the system provides OpenSSL version 3.0 or higher, those libraries are automatically used by the product.
    • If the system libraries do not meet the version requirement, the product defaults to using the OpenSSL libraries included with IBM Workload Scheduler.
    If you are using the OpenSSL libraries provided with the operating system, set the machine in FIPS mode. Note that the specific command to enable this mode may differ depending on your operating system.
  5. On the master domain manager, run the following commands to set the environment variables and check the security status: 
    . ./tws_env.sh
    secure  -securitystatus
    A message similar to the following is displayed:
    FIPS is enabled on the master domain manager
FIPS is now correctly enabled in full mode on the master domain manager.

Installing the Dynamic Workload Console in FIPS mode

To install the Dynamic Workload Console in FIPS mode, perform the following steps:

  1. Install the Dynamic Workload Console, setting the enablefips parameter to true.
  2. On the Dynamic Workload Console, run the following commands to set the environment variables and check FIPS status: 
    . ./dwc_env.sh
    secure  -securitystatus
    A message similar to the following is displayed:
    FIPS is enabled on the Dynamic Workload Console
FIPS is now correctly enabled in full mode on the Dynamic Workload Console.

Installing agents in FIPS mode

To install the agents in FIPS mode, perform the following steps:

  1. Install the agents, setting the enablefips parameter to true.
  2. On each agent, run the following commands to set the environment variables and check FIPS status: 
    . ./tws_env.sh
    secure -securitystatus
    A message similar to the following is displayed:
    FIPS is enabled on the agent
FIPS is now correctly enabled in full mode on the agents.