4.7.5 Enable FIPS Mode Using Group Policy

Use this procedure to require all connections to use FIPS (Federal Information Processing Standards) mode. When FIPS mode is enabled, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards. In this mode, some standard connection options are not available. To successfully connect in FIPS mode, your server must support "high-encryption" capabilities.

FIPS mode allows the following security configurations:

  • SSL/TLS connections using TLS 1.0 and TLS 1.2

  • Secure Shell connections using 3DES (168-bit) or AES (128, 192, or 256-bit) encryption and SHA-1 hash

This procedure requires that you first install the administrative template for Extra!. See Administer Features using Windows Group Policy.

To enable FIPS mode via Group Policy

  1. From the command line, run Gpedit.msc.

  2. In Windows Group Policy, under User Configuration, expand Administrative Templates.

  3. Expand Micro Focus and Extra! X-treme, and then double-click Security.

  4. Double-click “Require all connections to use FIPS mode”.

  5. In the dialog box that opens, select Enabled, and then click OK.

  6. Close Group Policy.

Existing sessions that are configured for FIPS mode will continue to work as expected. Existing sessions that aren't configured for FIPS mode will fail to connect. (An error message will appear in the Extra! status log.) When these session files are modified, the connection editor will automatically switch the security type to FIPS mode.

Any new sessions that are created will be limited to connections that support FIPS mode.
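A pre-check for the Secure Shell case, added here as an example and not part of the Extra! documentation or product: it parses a server's SSH KEXINIT payload and reports whether the server offers any cipher and MAC from the FIPS-mode list above, which a session needs in order to connect once the policy is enabled. The RFC algorithm names, the function names, and the sample payloads are assumptions made for illustration. Key exchange and host key algorithms are not checked because the page does not list them.

```python
import struct

# Assumption: RFC 4253/4344 names matching the page's FIPS-mode list (3DES,
# AES 128/192/256, SHA-1 MAC); the exact names Extra! offers are not on the page.
FIPS_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "aes128-ctr", "aes192-ctr", "aes256-ctr"}
FIPS_MACS = {"hmac-sha1"}
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
CHECKED = ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def fips_overlap(lists: dict) -> dict:
    """FIPS-list ciphers/MACs the server offers (KEX and host key are not checked)."""
    report = {f: [a for a in lists[f]
                  if a in (FIPS_CIPHERS if f.startswith("enc") else FIPS_MACS)]
              for f in CHECKED}
    report["overlap"] = all(report[f] for f in CHECKED)
    return report

def build_kexinit(**lists) -> bytes:
    """Build a constructed KEXINIT payload for the samples below."""
    out = bytes([20]) + bytes(16)
    for field in FIELDS:
        s = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed samples: one host with legacy algorithms, one AEAD/SHA-2 only.
LEGACY = build_kexinit(enc_c2s=["aes128-ctr", "3des-cbc"], enc_s2c=["aes128-ctr"],
                       mac_c2s=["hmac-md5", "hmac-sha1"], mac_s2c=["hmac-sha1"])
MODERN = build_kexinit(enc_c2s=["chacha20-poly1305@openssh.com"],
                       enc_s2c=["chacha20-poly1305@openssh.com"],
                       mac_c2s=["hmac-sha2-256"], mac_s2c=["hmac-sha2-256"])
```

`fips_overlap(parse_kexinit(payload))["overlap"]` is true for the constructed legacy host and false for the AEAD/SHA-2-only host, which identifies servers to review before the policy is turned on.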