Chapter 3
Configure for FIPS 140-2 Compliance. If your system is already configured to be FIPS 140-2 compliant prior to installation, the installation process will not let you deselect the Configure for FIPS 140-2 Compliance option. If you do not want the installed applications to be FIPS 140-2 compliant, you must manually set a Windows System cryptography setting to disabled:
3. From the Windows Control panel, select:
Administrative Tools > Local Security Policy > Local Policies (located in the left panel) > Security Options (located in the left panel) > System cryptography: Use FIPS compliant algorithms... (located in the right panel)
4. Double-click the System cryptography: Use FIPS compliant algorithms... policy and select Disabled.
For new installations, the SHA-1 hash function algorithm is used regardless of whether or not Configure for FIPS 140-2 Compliance is enabled; for upgrade installations, the following rules apply:
• If FIPS 140-2 is enabled, all existing user information from the previous version is upgraded in the following steps:
  – The original, encrypted user passwords are archived to a setup log file.
  – New user passwords are randomly assigned and saved to a setup log file. The log file is located at:
    C:\Program Files\Common Files\IBM\SPSS\DataCollection\6\\Installer\NewPassword.log
    Interviewer Server Administration administrators can supply users these new, temporary passwords in a manner that is in accordance with their business practices.
  – The MustChangePasswordAtNextLogin setting is enabled, which forces users to change their passwords at next login.
• When upgrading on a server that is currently not configured for FIPS 140-2, you are presented with the option to reset user passwords:
  – If you choose to reset user passwords, the SHA-1 hash function algorithm is employed.
  – If you choose to not reset user passwords, the server will continue to use the MD5 hash function algorithm.
• Keep the following points in mind when modifying an existing installation:
  – When changing Configure for FIPS 140-2 Compliance from enabled to disabled, the SHA-1 hash function algorithm will continue to be employed.
  – When changing Configure for FIPS 140-2 Compliance from disabled to enabled, the parameters outlined in the first bullet point are employed.
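The policy set in steps 3 and 4 and the upgrade log of temporary passwords can both be checked from PowerShell. The script below is an added example, not part of the IBM documentation; it assumes Windows Vista/Server 2008 or later (where the policy is stored in the FipsAlgorithmPolicy\Enabled registry value), uses the log path as printed on this page as a default parameter, and assumes that only SYSTEM and the local Administrators group should be able to read the log.

```powershell
# Added example (not IBM code): report the FIPS policy state and who can
# read the temporary-password log written during a FIPS-enabled upgrade.
param(
    # Default is the path as printed on this page; adjust for your installation.
    [string]$LogPath = 'C:\Program Files\Common Files\IBM\SPSS\DataCollection\6\\Installer\NewPassword.log'
)

# 1. State of "System cryptography: Use FIPS compliant algorithms..."
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $fips) {
    Write-Output 'FIPS policy: value not present (treated as Disabled)'
} elseif ($fips.Enabled -eq 1) {
    Write-Output 'FIPS policy: Enabled'
} else {
    Write-Output 'FIPS policy: Disabled'
}

# 2. Access to the log of temporary passwords
if (-not (Test-Path -LiteralPath $LogPath)) {
    Write-Output "No password log found at $LogPath"
    return
}

# Assumption: only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544)
# should hold read access. SIDs are compared so localized names do not matter.
$expectedSids = @('S-1-5-18', 'S-1-5-32-544')
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType  = [System.Security.Principal.SecurityIdentifier]

$broad = (Get-Acl -LiteralPath $LogPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readData) -ne 0) -and
    ($expectedSids -notcontains $_.IdentityReference.Translate($sidType).Value)
}

if ($broad) {
    Write-Output 'Principals other than SYSTEM/Administrators can read the log:'
    $broad | ForEach-Object { "  $($_.IdentityReference)  $($_.FileSystemRights)" }
} else {
    Write-Output 'Log is readable only by SYSTEM and Administrators.'
}
```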
Refer to the National Institute of Standards and Technology (http://csrc.nist.gov/groups/STM/cmvp/standards.html#02) website for more information regarding FIPS 140-2.
Notes: When FIPS 140-2 is configured for IBM SPSS Data Collection products, the applications adhere to the password protection security protocols that are defined on the Interviewer Server. For example, if the Interviewer Server is configured for MD5 security, the client-side applications will also use MD5 security for password protection, regardless of whether or not the Configure for FIPS 140-2 Compliance setting was selected during installation.