Enabling FIPS compliance over IBM Z Workload Scheduler server SSL secured connection

Federal Information Processing Standard Security Requirements for Cryptographic Modules, referred to as FIPS 140-2, is a standard published by the National Institute of Standards and Technology (NIST). Organizations can require compliance with the FIPS 140-2 standard to protect sensitive or valuable data that is protected by cryptographic-based security systems.

System SSL was designed to meet the Federal Information Processing Standard - FIPS 140-2 Level 1 criteria.

System SSL can run in either "FIPS mode" or "non-FIPS mode". By default, System SSL runs in "non-FIPS" mode.

IBM Z Workload Scheduler uses the System SSL configuration. To run IBM Z Workload Scheduler in "FIPS mode", you must enable FIPS compliance over System SSL connections.

To enable SSL authentication for your end-to-end with fault-tolerance capabilities network, you must perform the following actions:
  1. Ensure that FIPS-compliance over an SSL connection is enabled on the controller as described in http://publib.boulder.ibm.com/infocenter/zos/v1r12/topic/com.ibm.zos.r12.gska100/fipss.htm#fipss.
  2. On the controller, set ENABLEFIPS to YES in the TOPOLOGY statement.
  3. On the distributed agent, ensure that:
Note: IBM Z Workload Scheduler relies upon System SSL to automatically enable the TLSV1_2 protocol. Alternatively, you can export the related environment variable (GSK_PROTOCOL_TLSV1_2) by specifying the following statements in the server started task:
PARM='ENVAR("_CEE_ENVFILE=DD:STDENV")'
//STDENV DD card
For details, see Configuring TLS to connect with the IBM Z Workload Scheduler server

If you enable FIPS, the STDENV DD card settings are ignored.
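The following check is an added example, not part of the IBM documentation: it reads a copy of the TOPOLOGY statement and the STDENV data and reports whether step 2 is done and which STDENV settings are ignored as a result. The function names, the sample values, and the assumptions that the input holds only the TOPOLOGY statement in KEYWORD(value) form with /* */ comments and that STDENV holds NAME=VALUE lines are made for this illustration.

```python
import re

# Constructed sample inputs (not taken from a real system).
SAMPLE_TOPOLOGY = """
TOPOLOGY
  HOSTNAME(CTRL.EXAMPLE.COM)
  /* ENABLEFIPS(NO)   old setting, commented out */
  ENABLEFIPS(YES)
"""
SAMPLE_STDENV = "GSK_PROTOCOL_TLSV1_2=ON\n"


def topology_keywords(parmlib_text):
    """Return {KEYWORD: value} for the keywords that follow TOPOLOGY."""
    # Drop /* ... */ comments first so a commented-out keyword is not counted.
    text = re.sub(r"/\*.*?\*/", " ", parmlib_text, flags=re.S)
    found = re.search(r"\bTOPOLOGY\b(.*)", text, flags=re.S | re.I)
    if not found:
        return {}
    pairs = re.findall(r"([A-Za-z]\w*)\s*\(([^()]*)\)", found.group(1))
    return {key.upper(): value.strip().strip("'\"") for key, value in pairs}


def stdenv_vars(stdenv_text):
    """Return {NAME: value} for each NAME=VALUE line of the STDENV data."""
    env = {}
    for line in stdenv_text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env


def audit(parmlib_text, stdenv_text):
    """List findings about ENABLEFIPS and the STDENV settings it overrides."""
    fips = topology_keywords(parmlib_text).get("ENABLEFIPS", "").upper()
    if fips != "YES":
        return ["ENABLEFIPS is not set to YES in the TOPOLOGY statement"]
    # With FIPS enabled, the page states the STDENV DD card settings are ignored.
    return [f"{name} in STDENV is ignored because FIPS is enabled"
            for name in sorted(stdenv_vars(stdenv_text))]


if __name__ == "__main__":
    for finding in audit(SAMPLE_TOPOLOGY, SAMPLE_STDENV):
        print(finding)
```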