You must have administrator privileges to change FIPS mode using the External Security Administration Manager (ESAM) utility, POLMAN.

Enable FIPS mode

Use POLMAN to enable FIPS mode and access the underlying cryptographic modules. Once FIPS mode is enabled, the ESAM policy directs OpenEdge to use only the FIPS cryptographic module. To run this utility, you must be in a Proenv command prompt window and have policy administrator authorization.

Enable FIPS mode:

FIPS mode is enabled when can-run-without = no. For example:
polman set -policy urn:esam:fips140:can-run-without -value no 

Where:

  • set -policy—Updates a policy.
  • urn—Identifies the URN of a policy.
  • policy-evaluator—Identifies the component that provides the policy evaluation. FIPS uses esam.
  • fips140—Identifies a group of FIPS 140 related policies.
  • can-run-without—Identifies a specific policy within the group.
  • -value no—Enables the FIPS mode policy.

Note: The policy name can-run-without may be confusing due to its negative phrasing. When set to no, it means that OpenEdge cannot run without the FIPS cryptographic module — in other words, FIPS mode is enabled. Conversely, setting it to yes means OpenEdge can run without the FIPS module, and FIPS mode is disabled.

For more information on the policy manager, see POLMAN.

Disable FIPS mode

FIPS mode is disabled when can-run-without = yes.

polman set -policy urn:esam:fips140:can-run-without -value yes 

Where:

  • set -policy—Updates a policy.
  • urn—Identifies the URN of a policy.
  • policy-evaluator—Identifies the component that provides the policy evaluation. FIPS uses esam.
  • fips140—Identifies a group of FIPS 140 related policies.
  • can-run-without—Identifies a specific policy within the group.
  • -value yes—Disables the FIPS mode policy.

For more information on the policy manager, see POLMAN.