awbattelle
Level 11

Can we install FIPS during an upgrade?


Can I install FIPS "setup.exe ENABLEFIPSMODE=1" as an upgrade, say from EPO 4.6.1 to 4.6.5? Our security dept recently required us to deploy encryption in FIPS mode; however, our EPO servers were not installed with FIPS. We really don't want to build another server, so can we simply add FIPS mode during an upgrade?

Thanks


Accepted Solutions
awbattelle
Level 11

Re: Can we install FIPS during an upgrade?


CannotConvert.png

OK, I tried it, and I get a message that says "This ePolicy Orchestrator server cannot be converted to FIPS mode"

So, I am wondering now how to migrate 4000+ EPO clients to a new FIPS enabled EPO server.

Any thoughts?

Message was edited by: awbattelle on 2/19/13 2:12:52 PM CST
10 Replies
SafeBoot
Level 21

Re: Can we install FIPS during an upgrade?


Are you asking about switching modes within EPO? If so I'll move your question to the EPO section of the forums.

Timmah
Level 11

Re: Can we install FIPS during an upgrade?


As a wild guess, I would say "no"... anything previously generated using the non-FIPS crypto is going to make any upgrade also non-FIPS in terms of compliancy.

Cheers,

Tim

awbattelle
Level 11

Re: Can we install FIPS during an upgrade?


We haven't encrypted anything yet. We only have AV and firewall clients installed. So, we haven't generated any crypto certificates. We just don't want to have to tear down the server and install from scratch.

Message was edited by: awbattelle on 2/19/13 11:06:11 AM CST

Message was edited by: awbattelle on 2/19/13 11:07:36 AM CST
Timmah
Level 11

Re: Can we install FIPS during an upgrade?


I'm not so sure... will definitely be curious to see the answer to this one! Again, I'm only guessing, but I know that ePO creates keys upon install that're used to secure communications between the Agent Handlers (amongst other things!). Just one example of where this idea might tumble.

Cheers,

Tim

awbattelle
Level 11

Re: Can we install FIPS during an upgrade?


So, it is possible we might lose communication to existing AV (EPO) agents. I am hoping the setting only affects the Encryption agent certificates. I am going to try it on our dev server.

Timmah
Level 11

Re: Can we install FIPS during an upgrade?


It's possible. I'm thinking it's more a compliance issue, rather than a functional one. If you have keys generated with non-FIPS, and upgrade to FIPS, you're not FIPS compliant, so it raises the question "why bother?".

For EEPC, we install in either FIPS or non-FIPS, and that's that. We disallow attempts to upgrade from non-FIPS to FIPS, but allow upgrades from FIPS to non-FIPS. In theory though, the crypto would work regardless of which mode it's in.

Cheers,

Tim

alexn
Level 14

Re: Can we install FIPS during an upgrade?


My opinion: it requires a fresh install in FIPS mode; upgrade is not compatible.

awbattelle
Level 11

Re: Can we install FIPS during an upgrade?


So, we are going to upgrade our Dev EPO server from EPO Version 4.61 to EPO+FIPS 4.65. There are currently no encrypted PCs on the system. We will then see if EPO loses communication with any existing EPO agents on systems running the AV product.

If the existing clients are OK, we will then install encryption on some test systems with the FIPS switch turned on. If they encrypt, we will verify they are FIPS compliant.

I will post the results of the tests here.

Thanks for everyone's input.
