How to Enable FIPS in Reflection 2008 or 2007
Technical Note 2216
Last Reviewed 13-Nov-2008
Applies To
Reflection for UNIX and OpenVMS 2008
Reflection for IBM 2008
Reflection Standard Suite 2008
Reflection for IBM 2007
Summary
Follow the steps in this technical note to enable FIPS (Federal Information Processing Standards) mode in Reflection 2008 or 2007.
For general information about FIPS mode, see http://www.attachmate.com/docs/reflection/2007/R1/Guide/6499.htm.
Note: To successfully connect in FIPS mode, your server must support "high-encryption" capabilities.
Step 1 Download and Copy the ReflectionPolicy.adm File
Download and unzip the Reflection policy template:
- From the Attachmate Download Library, download the file ReflectionPolicy.zip.
- Unzip the file to the %systemroot%\inf folder (for example, C:\Windows\inf\).
Step 2 Install the Group Policy
Before you can use this policy, add the Reflection policy template (the ReflectionPolicy.adm file) to your Windows Group Policy editor.
- Run Gpedit.msc from the command line, or open the properties for an Organizational Unit in the Active Directory Users and Computers console, click the Group Policy tab, and edit or create a new policy object.
- Expand the User Configuration tree.
- Right-click the Administrative Templates container and select Add/Remove Templates.
- In the Add/Remove Templates dialog box, click Add and browse to the %systemroot%\inf folder (for example, C:\Windows\inf).
- Select the ReflectionPolicy.adm file. Open the template, and then close the Add/Remove Templates dialog box.
Step 3 Configure FIPS-Only Mode
Once you have added the template, use it to configure the policy.
- In the Group Policy Object Editor, under User Configuration, expand the Administrative Templates. Expand Classic Administrative Templates (ADM).
- Click the Reflection Settings tree and, in the right pane, double-click "Allow non-FIPS mode."
- On the Setting tab, select Disabled, and then click OK.
Note: Do not change other Reflection policies included in the template.
Step 4 Configure Reflection Security Settings
Follow these steps to configure Reflection for UNIX and OpenVMS 2008:
- Open a terminal session and click the document settings button.
- Click Configure Connection Settings.
- Under Network Connection Type, select Secure Shell.
- Under Connection Options, enter a host name.
- Click Security.
- On the Encryption tab, select the "Run in FIPS mode" check box.
- Click OK.
Follow these steps to configure Reflection for IBM 2008 or 2007:
- In the Reflection Workspace, open or create a document.
- On the Session ribbon, click the Host setup icon.
- In the left pane, click Configure Advanced Connection Settings (in Reflection 2008) or Configure Advanced 3270 or 5250 Settings (in Reflection 2007).
- Jump to (or scroll to) Security and click the Security Settings button.
- In the Security Properties dialog box on the SSL/TLS tab, select the "Use SSL/TLS security" check box.
- Verify that TLS Version 1.0 (the default) is the SSL/TLS version selected.
- Click OK.
Troubleshooting Tips
The following error may display if you configure the FIPS-only mode policy but do not configure the Reflection for IBM 2008 or 2007 security settings:
Figure 1. The selected operation/feature is not available in FIPS mode.
The following error may display if your host does not support high-encryption:
Figure 2. Reflection SSL/TLS could not establish an encrypted connection.
Related Technical Notes
| 2211 | Technical Notes for Reflection for IBM 2007 |
| 9985 | Technical Notes for Reflection 2008 |