Determine if a deployment is FIPS 140-2 approved

An HCL Compass deployment is FIPS 140-2 approved only if all user data is encrypted using FIPS 140-2 approved algorithms. In practice this comes down to how each user is authenticated, because Compass's own authentication does not use FIPS 140-2 approved algorithms and LDAP authentication does.

To determine whether all user data is encrypted using FIPS 140-2 approved algorithms, run the FIPSreport.pl script from the command line. The script audits the configuration of a Compass database at feature level 7 and reports every user who is not using FIPS 140-2 approved algorithms. The users it reports are those who use Compass authentication; only users who authenticate through LDAP are FIPS 140-2 approved.

Once you know which users are not approved, change each user's authentication mode to LDAP, either in the User Administration GUI or by running the setupcqldap.pl script. Run FIPSreport.pl again afterwards to confirm that the report is empty.

The administrator account is a special case. Consider carefully whether to change this account to LDAP authentication. If the administrator account keeps using Compass authentication, the administrator can still maintain the database when the LDAP server is unavailable or when the LDAP configuration parameters are wrong during initial setup. The trade-off is that FIPSreport.pl will continue to list the administrator account as not approved.

If your internal policies require the administrator account to be LDAP authenticated, set up two user accounts with Super User privileges. Each account can configure the other to use LDAP authentication, but no account can configure itself. This restriction prevents an automated script that runs as the administrator from accidentally switching the administrator account to LDAP authentication, which could lock the administrator out if the LDAP server is unreachable or misconfigured.
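The following Python model walks through the procedure above on a constructed user list: the audit that FIPSreport.pl performs (every user not on LDAP is reported), the migration of ordinary users to LDAP, and the two-Super-User hand-over in which each administrator migrates the other because an account cannot change its own authentication mode. This is an added illustration, not FIPSreport.pl, setupcqldap.pl or any part of the Compass API; the user names, the `super_user` flag and the `set_auth_mode` function are assumptions made for the example.

```python
"""Model of the FIPS 140-2 audit and two-administrator hand-over described above.

Added illustration only: this is not FIPSreport.pl or setupcqldap.pl. The user
list is constructed inline and the rules are reduced to the two the text states
(only LDAP-authenticated users count as approved; a Super User may change another
account's authentication mode but never its own).
"""
from dataclasses import dataclass
from enum import Enum


class AuthMode(Enum):
    COMPASS = "Compass"  # native Compass authentication: not FIPS 140-2 approved
    LDAP = "LDAP"        # the only mode the page treats as FIPS 140-2 approved


@dataclass
class User:
    name: str
    auth_mode: AuthMode
    super_user: bool = False  # assumption: models the Super User privilege


def fips_report(users):
    """Names of users that are not FIPS 140-2 approved (what FIPSreport.pl lists):
    every user whose authentication mode is anything other than LDAP."""
    return sorted(u.name for u in users if u.auth_mode is not AuthMode.LDAP)


def is_fips_approved(users):
    """The deployment is approved only when the report is empty."""
    return not fips_report(users)


def set_auth_mode(users, actor_name, target_name, mode):
    """Change target's authentication mode on behalf of actor (hypothetical API).

    Enforces the page's two rules: the caller needs Super User privileges, and an
    account cannot change its own mode, so a script running as the administrator
    cannot flip the administrator to LDAP by accident.
    """
    by_name = {u.name: u for u in users}
    actor, target = by_name[actor_name], by_name[target_name]
    if not actor.super_user:
        raise PermissionError(f"{actor_name} lacks Super User privileges")
    if actor is target:
        raise PermissionError(f"{actor_name} cannot change its own authentication mode")
    target.auth_mode = mode


def make_users():
    """Constructed sample database: two Super Users and two ordinary users."""
    return [
        User("admin", AuthMode.COMPASS, super_user=True),
        User("admin2", AuthMode.COMPASS, super_user=True),
        User("alice", AuthMode.LDAP),
        User("bob", AuthMode.COMPASS),
    ]


def migrate_to_ldap(users):
    """Run the procedure: migrate ordinary users first, then let the two Super
    Users migrate each other. Returns the audit report after each stage."""
    stages = {"before": fips_report(users)}
    for name in fips_report(users):
        if name not in ("admin", "admin2"):
            set_auth_mode(users, "admin", name, AuthMode.LDAP)
    stages["after_users"] = fips_report(users)
    set_auth_mode(users, "admin", "admin2", AuthMode.LDAP)   # admin migrates admin2
    set_auth_mode(users, "admin2", "admin", AuthMode.LDAP)   # admin2 migrates admin
    stages["after_admins"] = fips_report(users)
    return stages


if __name__ == "__main__":
    db = make_users()
    print(migrate_to_ldap(db))
    print("approved:", is_fips_approved(db))
    try:
        set_auth_mode(db, "admin", "admin", AuthMode.COMPASS)
    except PermissionError as err:
        print("blocked:", err)
```

The self-change guard is the interesting part: with a single Super User the report can never be emptied, which is exactly why the page asks for a second Super User account when policy requires the administrator to be on LDAP.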