Enable FIPS Mode Using Group Policy
Use this procedure to require all connections to use FIPS (Federal Information Processing Standards) mode. When FIPS mode is enabled, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards. In this mode, some standard connection options are not available. To successfully connect in FIPS mode, your server must support "high-encryption" capabilities.
FIPS mode allows the following security configurations:
- SSL/TLS connections using 3DES (168-bit) or AES (128-bit) encryption and SHA-1 hash
- Secure Shell connections using 3DES (168-bit) or AES (128, 192, or 256-bit) encryption and SHA-1 hash
To enable FIPS mode via Group Policy
- From the command line, run Gpedit.msc.
- Set up the EXTRA! policy template in Windows (first-time use only). The first time you set an EXTRA! group policy, you need the EXTRA! policy template. This template (Extra.adm) is included on the installation DVD and the eDelivery image. The Windows Registry retains EXTRA! policy settings, so the template is not required for subsequent policy changes.
  - In Group Policy, under User Configuration, right-click the Administrative Templates container and select Add/Remove Templates.
  - In the Add/Remove Templates dialog box, click Add and browse to the ADM folder on the root of the EXTRA! DVD or eDelivery files.
  - Select the Extra.adm file and click Open. Close the Add/Remove Templates dialog box.
- In Windows Group Policy, under User Configuration, expand Administrative Templates.
- Expand Attachmate and EXTRA! X-treme, and then double-click Security.
- Double-click "Require all connections to use FIPS mode".
- In the dialog box that opens, select Enabled, and then click OK.
- Close Group Policy.
Existing sessions that are configured for FIPS mode will continue to work as expected. Existing sessions that aren't configured for FIPS mode will fail to connect. (An error message will appear in the EXTRA! status log.) When these session files are modified, the connection editor will automatically switch the security type to FIPS mode.
Any new sessions that are created will be limited to connections that support FIPS mode.
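To see in advance which existing sessions would fail to connect once the policy is enabled, the following added example (not part of the EXTRA! documentation or product) checks each host's offered algorithms against the FIPS-mode list above. The host inventory, the IANA/OpenSSH name spellings, and the decision to ignore key exchange are assumptions of the example.

```python
import re

# Cipher/hash pairs from the FIPS-mode list on this page. Name spellings are an
# assumption: IANA names for TLS suites, OpenSSH names for SSH algorithms.
TLS_ALLOWED = {("3DES_EDE_CBC", "SHA"), ("AES_128_CBC", "SHA")}
TLS_SUITE = re.compile(r"^TLS_\w+?_WITH_(\w+)_(SHA\d*|MD5)$")
SSH_CIPHER = re.compile(r"^(3des|aes(128|192|256))-(cbc|ctr)$")
SSH_MACS = {"hmac-sha1"}

# Constructed inventory: what each host offers, e.g. as reported by a scanner.
HOSTS = [
    {"name": "mainframe-a", "proto": "tls",
     "offer": ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_128_CBC_SHA"]},
    {"name": "mainframe-b", "proto": "tls",
     "offer": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_DES_CBC_SHA"]},
    {"name": "unix-c", "proto": "ssh",
     "ciphers": ["aes256-ctr", "arcfour"], "macs": ["hmac-md5", "hmac-sha1"]},
    {"name": "unix-d", "proto": "ssh",
     "ciphers": ["aes128-cbc"], "macs": ["hmac-md5"]},
]

def tls_suite_allowed(suite):
    """True if the suite's cipher and MAC are on the page's TLS list.
    Key exchange is ignored: the page lists only cipher and hash."""
    m = TLS_SUITE.match(suite)
    return bool(m) and m.groups() in TLS_ALLOWED

def fips_usable(host):
    """Return the part of a host's offer that a FIPS-mode client could pick.
    An empty list means the session would fail once the policy is on."""
    if host["proto"] == "tls":
        return [s for s in host["offer"] if tls_suite_allowed(s)]
    ciphers = [c for c in host["ciphers"] if SSH_CIPHER.match(c)]
    macs = [m for m in host["macs"] if m in SSH_MACS]
    # SSH needs both an allowed cipher and an allowed MAC in common.
    return [(c, m) for c in ciphers for m in macs]

def will_fail():
    """Names of hosts with nothing in common with the FIPS-mode list."""
    return [h["name"] for h in HOSTS if not fips_usable(h)]

if __name__ == "__main__":
    for h in HOSTS:
        print(h["name"], "->", fips_usable(h) or "no FIPS-mode match")
```

Note that a TLS host offering only AES-256 suites is reported as failing, because the page lists AES at 128 bits only for SSL/TLS.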