Sagi_Gabay

CA Security Tuesday Tip: CA Identity Manager - on FIPS Mode in ra.xml

Discussion created by Sagi_Gabay Employee on Feb 2, 2015

The following may not be well explained in the documentation:

ra.xml is the file that holds the connection parameters between Identity Manager and SiteMinder. One of these parameters is FIPS_Mode, whose value can be 'True' or 'False'.

Some customers seem to have thought this relates to the Policy Server's FIPS mode, since this file mainly holds information about the Policy Server.

However, this parameter in fact indicates whether Identity Manager itself is installed in FIPS mode. Identity Manager reads this value and uses it to decide how to decrypt the Password and Shared Secret stored in the same file when it connects to SiteMinder. In other words, the parameter describes IdM, not the Policy Server: based on its value, IdM selects the decryption routine for those other parameters in order to establish the connection.

If this value does not match the encryption actually used for those other parameters in the file, you will see an Agent API -1 error such as the following:

[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 69) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.spi.EISSystemException: Cannot connect to policy server: Failed to init Agent API: -1
        at com.netegrity.ra.policyserver.impl.PSManagedConnectionFactory.createManagedConnection(PSManagedConnectionFactory.java:325) [ims.jar:]
        at
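
As a quick way to catch the mismatch before deploying, here is an added example (not CA's code and not part of the original post) in Python that parses the config-property entries of ra.xml, reads FIPS_Mode and checks that the stored Password and Shared Secret values carry the encryption marker that mode requires. It assumes the password tool prefixes encrypted values with `{AES}` in FIPS mode and `{PBES}` otherwise, and that the shared-secret property is named SharedSecret; both are assumptions, so verify them against your own ra.xml and adjust the constants if they differ.

```python
"""Consistency check for FIPS_Mode in an Identity Manager ra.xml.

Added example, not CA's code: reads the JCA config-property entries and
reports when the encryption of the stored secrets disagrees with FIPS_Mode,
the situation that produces "Failed to init Agent API: -1".
"""
import xml.etree.ElementTree as ET

# ASSUMPTION: the password tool stamps each encrypted value with a prefix
# that identifies the scheme. Set these to what your own values start with.
FIPS_PREFIX = "{AES}"
NON_FIPS_PREFIX = "{PBES}"

# "Password" is the property name used in the post; "SharedSecret" is an
# assumed name for the shared-secret property.
SECRET_PROPERTIES = ("Password", "SharedSecret")


def _local(tag):
    """'{http://...}config-property' -> 'config-property' (namespace-agnostic)."""
    return tag.rsplit("}", 1)[-1]


def load_config_properties(xml_text):
    """Return {config-property-name: config-property-value} for the document."""
    props = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "config-property":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "config-property-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "config-property-value":
                value = (child.text or "").strip()
        if name:
            props[name] = value
    return props


def check_fips_consistency(xml_text):
    """Return problem descriptions; an empty list means the file is consistent."""
    props = load_config_properties(xml_text)
    problems = []
    raw_mode = props.get("FIPS_Mode")
    mode = (raw_mode or "").lower()
    if mode not in ("true", "false"):
        problems.append(f"FIPS_Mode is {raw_mode!r}; expected 'True' or 'False'")
        return problems
    if mode == "true":
        expected, wrong = FIPS_PREFIX, NON_FIPS_PREFIX
    else:
        expected, wrong = NON_FIPS_PREFIX, FIPS_PREFIX
    for name in SECRET_PROPERTIES:
        value = props.get(name)
        if value is None:
            problems.append(f"{name}: property is missing")
        elif value.startswith(wrong):
            problems.append(f"{name}: encrypted with {wrong} but FIPS_Mode={raw_mode} "
                            f"requires {expected}; re-encrypt it with the matching tool")
        elif not value.startswith(expected):
            problems.append(f"{name}: no recognised encryption prefix")
    return problems


def _ra_xml(fips_mode, password, shared_secret):
    """Constructed sample descriptor; the ciphertexts are placeholders, not real."""
    return f"""<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <resourceadapter><outbound-resourceadapter><connection-definition>
    <config-property>
      <config-property-name>FIPS_Mode</config-property-name>
      <config-property-value>{fips_mode}</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>Password</config-property-name>
      <config-property-value>{password}</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>SharedSecret</config-property-name>
      <config-property-value>{shared_secret}</config-property-value>
    </config-property>
  </connection-definition></outbound-resourceadapter></resourceadapter>
</connector>"""


CONSISTENT_RA_XML = _ra_xml("True", "{AES}c2FtcGxlMQ==", "{AES}c2FtcGxlMg==")
# FIPS_Mode says True, but both secrets were encrypted by the non-FIPS tool.
MISMATCHED_RA_XML = _ra_xml("True", "{PBES}c2FtcGxlMQ==", "{PBES}c2FtcGxlMg==")

if __name__ == "__main__":
    for label, doc in (("consistent", CONSISTENT_RA_XML), ("mismatched", MISMATCHED_RA_XML)):
        print(label, check_fips_consistency(doc) or "OK")
```

Run it against the real descriptor with `check_fips_consistency(open("ra.xml").read())`. A non-empty result means either FIPS_Mode or the encrypted secrets must be regenerated so that they agree; that disagreement is exactly what the Agent API -1 error above reports at connection time.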

Yours,

Sagi Gabay,

CA Technologies.