To enable FIPS 140 mode in a sysplex, you should enable FIPS 140 mode for all the TCP/IP stacks, IKE daemons, and network security services (NSS) daemons on all systems in the sysplex. If the FIPS 140 mode of the distributing TCP/IP stack in the sysplex is different than the FIPS 140 mode of the target TCP/IP stacks, distribution of some of the tunnels across the target TCP/IP stacks might not function as expected.
If the distributor is configured with FIPS 140 support, then all of the tunnels that it activates will adhere to the FIPS 140 restrictions (for example, DES encryption is not allowed). All target TCP/IP stacks can use the distributed tunnels and can process the distributed traffic, regardless of their FIPS 140 mode. The targets that are configured without FIPS 140 support might not adhere to the strict cryptographic module boundaries as defined by FIPS 140, but the Security Association will be successfully activated and used.
If the distributor is not configured with FIPS 140 support, it might activate Security Associations that do not adhere to the FIPS 140 restrictions. The distributor can successfully distribute those associations to target TCP/IP stacks that are not configured in FIPS 140 mode. However, if the distributor distributes those associations to target TCP/IP stacks that are configured in FIPS 140 mode, the data flowing over connections to those stacks is discarded because the associated Security Association or tunnel is not installed.
The distributor and its backup can be configured differently with respect to the FIPS 140 mode. When a backup takes over from a distributor, all the IP security tunnels are renegotiated by the backup. The renegotiated tunnels operate at the FIPS 140 mode that is defined on the backup distributor. This can change the operation of the tunnels as they are distributed by the backup. If the distributor is configured with FIPS 140 support and its backup is not, the backup might activate Security Associations that do not adhere to the FIPS 140 restrictions and distribution of them might fail.
For more information about enabling FIPS 140 mode in a sysplex environment, see Steps for configuring IP security to support FIPS 140 mode.