Configure Web Admin FIPS mode
- Last Updated: April 1, 2025
- MOVEit Automation
- Version 2024.1
- Version 2024
- Documentation
Enabling FIPS mode for Web Admin connections ensures that only FIPS validated cryptographic algorithms are available. To enable or disable FIPS mode for Web Admin on new installations and upgrades from 2024.0 or earlier, complete the procedures detailed below.
Note: MOVEit Automation 2024.1 updated OpenSSL to version
3.3.2 with the 3.0.9 FIPS provider. This update impacts how OpenSSL gets ciphers and
encryption algorithms used to connect to Web Admin. If you have enabled FIPS mode
for Web Admin in an earlier version, after upgrade you must complete the steps below
to continue to work with FIPS mode enabled.
If you upgrade a system that already has Web Admin FIPS mode enabled to MOVEit Automation
2024.1 or later, note the following points to ensure that Web Admin FIPS mode continues
to function:
- You must complete the enable Web Admin FIPS-mode procedure to satisfy additional requirements. If the additional requirements are not completed, you will encounter a site inaccessible browser error.
- The Web Admin service may fail to stop. To resolve this issue, terminate the tomcat9.exe process.
- If you do not update the SSL/TLS certificate to one with a minimum key length of 2048, you will get an error similar to this:
  ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Tip: <HOME> refers to the MOVEit Automation directory that is created during installation. For example, C:\Program Files\MOVEit\
Prerequisite
The Web Admin SSL/TLS certificate key length must be at least 2048. For
information about updating your SSL/TLS certificate, see Update the MOVEit Automation Web
Admin SSL/TLS Certificate.
Note: Certificates autogenerated by MOVEit Automation during installation of version
2024.1 and later have a key length of 2048. Earlier versions, up to and
including version 2024.0, generated certificates with a key length of 1024. If you
upgrade to 2024.1 or later, you must manually update the Web Admin SSL/TLS certificate.
To enable Web Admin FIPS-mode on new installs and upgrades (2024.1 and later)
- Stop MOVEit Automation Web Admin using Windows services.
- Navigate to the <HOME>\MOVEit Automation Web Admin\Tomcat\conf directory.
- Open the server.xml file in a text editor as an administrator.
  Note: To open the server.xml file as an administrator, open the text editor as an administrator and then open the server.xml file in the text editor.
- Edit the FIPSMode value to on:
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on"
- Navigate to the <HOME>\MOVEit Automation Web Admin\Tomcat\bin directory.
- Open an administrator command prompt window in this folder and run the following command:
  openssl.exe fipsinstall -module "<HOME>\MOVEit Automation Web Admin\Tomcat\bin\fips.dll" -out "<HOME>\MOVEit Automation Web Admin\Tomcat\conf\fipsmodule.cnf"
  This creates a fipsmodule.cnf file in the Tomcat\conf directory.
- To ensure that Tomcat is pointing to the required OpenSSL FIPS mode files, choose from the following options to set the correct environment variables:
  - To set the environment variables universally, in the administrator command prompt window opened in step 6, run the following commands:
    SETX OPENSSL_MODULES /M "<HOME>\MOVEit Automation Web Admin\Tomcat\bin"
    SETX OPENSSL_CONF /M "<HOME>\MOVEit Automation Web Admin\Tomcat\conf\openssl.cnf"
  - To set the environment variables to apply to this service alone, in the administrator command prompt window opened in step 6, run the following command:
    tomcat9.exe //US/MICAdmin ++Environment OPENSSL_MODULES="<HOME>\MOVEit Automation Web Admin\Tomcat\bin";OPENSSL_CONF="<HOME>\MOVEit Automation Web Admin\Tomcat\conf\openssl.cnf"
    Note: When updating the environment variables, you must not include a space after the semicolon (;). Doing so will cause the process to silently fail. You must use absolute paths; relative paths will result in a failure.
    You might see a permissions warning, which you can ignore.
- Start MOVEit Automation Web Admin using Windows services.
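A read-only check of the settings the enable procedure produces, as an added example that is not part of the vendor documentation. It assumes the variables were set machine-wide with SETX /M (values set only on the service with tomcat9.exe are not inspected); the function name Test-WebAdminFips and the optional -CertPath parameter, an exported copy of the Web Admin certificate with an RSA key, are hypothetical.

```powershell
# Added example (not vendor code): read-only check of the Web Admin FIPS settings.
# Assumption: OPENSSL_* variables were set machine-wide with SETX /M, not via tomcat9.exe.
function Test-WebAdminFips {
    param(
        [Parameter(Mandatory)] [string] $HomeDir,  # <HOME>, for example C:\Program Files\MOVEit
        [string] $CertPath                         # hypothetical: exported Web Admin certificate file
    )
    $tomcat  = Join-Path $HomeDir 'MOVEit Automation Web Admin\Tomcat'
    $results = [ordered]@{}

    # 1. server.xml: the APR listener must carry FIPSMode="on".
    $serverXml = Join-Path $tomcat 'conf\server.xml'
    $results['FIPSMode=on in server.xml'] = $false
    if (Test-Path -LiteralPath $serverXml) {
        $xml  = [xml](Get-Content -LiteralPath $serverXml -Raw)
        $node = $xml.SelectSingleNode("//Listener[@className='org.apache.catalina.core.AprLifecycleListener']")
        $results['FIPSMode=on in server.xml'] = ($null -ne $node) -and ($node.GetAttribute('FIPSMode') -eq 'on')
    }

    # 2. The fipsinstall step must have written fipsmodule.cnf to Tomcat\conf.
    $results['fipsmodule.cnf present'] = Test-Path -LiteralPath (Join-Path $tomcat 'conf\fipsmodule.cnf')

    # 3. Environment variables: set, absolute, existing, and equal to the documented locations.
    $expected = [ordered]@{
        OPENSSL_MODULES = Join-Path $tomcat 'bin'
        OPENSSL_CONF    = Join-Path $tomcat 'conf\openssl.cnf'
    }
    foreach ($name in $expected.Keys) {
        $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
        $results["$name valid"] = [bool]$value -and
            [System.IO.Path]::IsPathRooted($value) -and
            ($value.TrimEnd('\') -ieq $expected[$name].TrimEnd('\')) -and
            (Test-Path -LiteralPath $value)
    }

    # 4. Prerequisite: certificate key length of at least 2048 (RSA key assumed).
    if ($CertPath) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $results['Certificate key >= 2048'] = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
    }

    $results.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } }
}

# Uses the example <HOME> location given in the Tip above.
Test-WebAdminFips -HomeDir 'C:\Program Files\MOVEit'
```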
To disable Web Admin FIPS-mode (2024.1 and later)
- Stop MOVEit Automation Web Admin using Windows services.
- Open the server.xml file in a text editor as an administrator.
- Edit the FIPSMode value to off:
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="off"
- Choose from the following options to delete the environment variables depending on how the variables were created:
  - If SETX was used to create the environment variables, delete the variables manually from the Windows environment.
  - If the tomcat9.exe command was used to create the environment variables, open an administrator command prompt window in the Tomcat\conf directory and run the following command:
    tomcat9.exe //US/MICAdmin --Environment ""
    You might see a permissions warning, which you can ignore.
- Start MOVEit Automation Web Admin using Windows services.
Note: The environment variables must be removed to disable FIPS
mode.