Operational Support:
TippingPoint devices support the following levels of FIPS 140-2 Level 1 operation.
Disabled: No FIPS-compliant actions or restrictions are active in the device.

Crypto Only: Only the connection between the SSH client and the SMS server is affected by this mode. When a connection is made from an SSH client to the SMS server, the session is negotiated using only FIPS 140-2 approved algorithms.

Full-FIPS (certain models only): The device operates in a manner that is fully compliant with the FIPS 140-2 publication.

TippingPoint devices support FIPS 140-2 Level 1 in the following modes (X = supported):

Device                                       Crypto Only   Full-FIPS
Security Management System (SMS)             X             X
Virtual Security Management System (vSMS)    X
Threat Protection System (TPS)                             X

Security Management System (SMS) and Full-FIPS mode

Transitioning an SMS server to operate in Full-FIPS mode implements changes to the core elements of the SMS server. The transition:

  • Deletes all existing SMS users.
  • Removes all SMS backup and device snapshots stored on the SMS server.
  • Deletes all custom responder actions.
  • Regenerates SSH server and HTTPS web security keys.

The transition process reboots the SMS server and requires you to upload a new SMS key package to the SMS server. Placing the SMS server into one of the FIPS modes does not necessarily mean the SMS server is operating in compliance with FIPS 140-2. In order to operate in compliance with FIPS 140-2, you must place the SMS server into Full-FIPS mode and satisfy the following conditions:

  • The external database replication feature cannot be enabled.
  • The failed-lockout attempts counter must remain activated for all users.
  • The password security level setting for each SMS user should remain at or above level 1.
  • To ensure continued FIPS 140-2 compliance during operation, the telnet and HTTP services must be disabled on the SMS.
  • It is recommended that the boot device section of the BIOS in the SMS hardware appliance be configured such that the only device configured as a boot device is the main hard drive.

Because security must be tightened while the SMS server is operating in Full-FIPS mode, the following restrictions are in effect:

  • Service Mode is no longer available.
  • Each time the SMS boots, it will perform a software integrity self-test; if this test fails, the SMS server will not be operational.
  • The SSH terminal will only negotiate connections utilizing FIPS 140-2 approved algorithms.
  • You are not permitted to restore SMS backups that were created when the SMS was not in Full-FIPS mode.
  • The SMS will not be able to communicate with the Identity Agent.
  • You cannot import or execute custom Responder Actions.
  • The SMS user password security is restricted to a minimum level of 1.
  • The password recovery option is no longer available. If the password is lost, the SMS appliance must be returned.
  • You are not permitted to use custom web security SSL certificates.
  • The SMS hardware appliance must have a BIOS password enabled and set.
  • An SMS server operating in Full-FIPS mode cannot be configured as part of an SMS HA cluster; it must operate as a standalone SMS server.
  • When in full FIPS mode, importing or exporting a profile to or from another SMS is not supported.
  • FIPS mode cannot be enabled if SSH is disabled. Disabling SSH automatically disables FIPS mode.
  • When in Full-FIPS mode, the SMS does not support the SSLv2-formatted ClientHello, SSLv3, TLSv1.2, or the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suites.

Virtual Security Management System (vSMS) FIPS Support
  • vSMS can be configured in Crypto Only mode only; Full-FIPS mode is unavailable. vSMS is not FIPS certified, but FIPS functionality is supported.

Threat Protection System (TPS) and Full-FIPS mode

Transitioning a device to operate in Full-FIPS mode implements changes to core elements. The transition:

  • Deletes all existing device users.
  • Removes all device snapshots stored on the device.
  • Regenerates SSH and HTTPS security keys.

Because security must be tightened while the device is operating in Full-FIPS mode, the following restrictions are in effect:

  • Snapshots created on devices with Full-FIPS mode enabled are not compatible with other devices that have FIPS mode disabled, or vice versa.
  • The SSH terminal will only negotiate connections utilizing FIPS 140-2 approved algorithms.
  • You cannot roll back to a previous TOS version if the device is currently in Full-FIPS mode and the previous TOS version was not.
  • The password recovery option is no longer available. If the password is lost, a Factory Reset must be performed.
  • The user password security is restricted to a minimum level of 1.
  • Stand-alone devices in Full-FIPS mode require manual installation of an authorized SSL key package that enables TMC access. Each package is unique to each customer. An SMS automatically downloads the SSL key package, which can then be applied to any FIPS-capable devices it manages.
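Both the SMS and the TPS restrictions above state that in a FIPS mode the SSH server negotiates only FIPS 140-2 approved algorithms. The following script is an added example, not TippingPoint's own code or tooling: it parses the server's KEXINIT proposal from an `ssh -vv` transcript and reports any offered algorithm that is outside a FIPS 140-2 allow list, so you can confirm the restriction is in effect after the transition rather than assuming it. The allow lists are an assumption of this example (AES ciphers, SHA-1/SHA-2 HMACs, DH group14 and larger, NIST P-curve ECDH, RSA/ECDSA host keys, as typically exposed by FIPS builds of OpenSSH); verify them against the security policy of the validated module you are relying on. The sample transcripts embedded in the script are constructed for illustration.

```python
"""Audit an SSH server's KEXINIT proposal against FIPS 140-2 approved algorithms.

Usage (hostname is an example):  ssh -vv sms.example.com 2>&1 | python3 fips_ssh_audit.py
With no piped input it runs against the constructed sample below.
"""
import re
import sys

# Allow lists are an ASSUMPTION of this example, not a TippingPoint-published list.
FIPS_KEX = {
    "diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    "diffie-hellman-group-exchange-sha256",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
}
FIPS_HOSTKEY = {
    "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
FIPS_CIPHER = {
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
}
FIPS_MAC = {
    "hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
    "hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
}

# Map each `ssh -vv` proposal label to the allow list for that algorithm class.
CLASSES = {
    "KEX algorithms": FIPS_KEX,
    "host key algorithms": FIPS_HOSTKEY,
    "ciphers ctos": FIPS_CIPHER, "ciphers stoc": FIPS_CIPHER,
    "MACs ctos": FIPS_MAC, "MACs stoc": FIPS_MAC,
}

LINE_RE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers (?:ctos|stoc)|MACs (?:ctos|stoc)): (.*)$"
)


def parse_server_proposal(transcript):
    """Return {class: [algorithms]} from the *server's* KEXINIT block only.

    ssh -vv prints the local client proposal first and then the peer's; the
    client lines must be skipped or the audit would flag the client's own offer.
    """
    in_server = False
    proposal = {}
    for line in transcript.splitlines():
        if line.startswith("debug2: peer server KEXINIT proposal"):
            in_server = True
            continue
        if line.startswith("debug2: local client KEXINIT proposal"):
            in_server = False
            continue
        if not in_server:
            continue
        m = LINE_RE.match(line)
        if m:
            proposal[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposal


def audit(proposal):
    """Return {class: [non-approved algorithms]}; an empty dict means every
    class the server offered contains only allow-listed algorithms."""
    findings = {}
    for cls, offered in proposal.items():
        allowed = CLASSES.get(cls)
        if allowed is None:
            continue
        bad = [a for a in offered if a not in allowed]
        if bad:
            findings[cls] = bad
    return findings


# Constructed sample: a server that has NOT been placed in a FIPS mode.
SAMPLE_NON_FIPS = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,chacha20-poly1305@openssh.com,arcfour
debug2: ciphers stoc: aes128-ctr,chacha20-poly1305@openssh.com,arcfour
debug2: MACs ctos: hmac-sha2-256,hmac-md5
debug2: MACs stoc: hmac-sha2-256,hmac-md5
debug2: compression ctos: none,zlib@openssh.com
"""

# Constructed sample: what a FIPS-mode server is expected to offer.
SAMPLE_FIPS = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-256,ecdsa-sha2-nistp256
debug2: ciphers ctos: aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NON_FIPS
    findings = audit(parse_server_proposal(text))
    for cls, bad in findings.items():
        print(f"{cls}: non-FIPS algorithms offered: {', '.join(bad)}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when anything outside the allow list is offered, so it can be dropped into a post-transition check. It audits only what the server advertises; the transcript's later `debug1: kex: algorithm:` lines show what was actually chosen, which is a subset of the advertised set.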

Browser Compatibility and FIPS Mode

  • If you experience issues when connecting to a device in Crypto Only or Full-FIPS mode, you may need to disable SSL 2 and enable TLS 1.0 in your web browser settings. Note that an SMS in Full-FIPS mode also rejects SSLv3 and TLSv1.2, so the browser must be able to negotiate TLS 1.0.