Configuring compliance for FIPS 140-2 in Rational DOORS Web Access

You can configure Rational® DOORS® Web Access to communicate over secure sockets in compliance with Federal Information Processing Standard (FIPS) 140-2 Level 1. That standard defines the security requirements that must be satisfied by a cryptographic module that is used in a security system to protect unclassified information in IT systems.

About this task

Rational DOORS Web Access uses the IBMJSSE2 provider as the Java™ Secure Socket Extension (JSSE) provider. IBMJSSE2 does not need FIPS 140-2 approval because it delegates encryption and signature functions to a Java Cryptography Extension (JCE) provider. Rational DOORS Web Access uses the IBMJCEFIPS provider to encrypt data. IBMJCEFIPS is approved for FIPS 140-2.

To configure Rational DOORS Web Access to use the IBMJCEFIPS provider:
  • Edit the IBM® SDK java.security file to include the IBMJCEFIPS and IBMJCE providers and to specify the IBM secure sockets library.
  • Edit the Apache Tomcat startup script file to set the system property that specifies the FIPS 140-2 compliant setting.
  • Edit the Apache Tomcat server configuration file to restrict https communication to protocols and cipher suites that are supported by FIPS 140-2.

Procedure

  1. Open the java.security file in an editor. That file is located in the Rational DOORS Web Access installation directory in the OS JRE library; for example,
    C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1\win32\ibm-java-i386-60\jre\lib\security
  2. In the file, add these entries to the list of providers:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
  3. Renumber the other providers in the list, so that it includes these entries:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=org.apache.harmony.security.provider.PolicyProvider
    security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGOE
  4. Remove the comment tags (#) from these SocketFactory and ServerSocketFactory entries, and then specify the secure sockets libraries:
    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
  5. Save and close the file.
  6. Open the Apache Tomcat startup script file in an editor.
    • On Windows systems, the server.start.bat script file is in the Rational DOORS Web Access installation directory; for example,
      C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1
      Near the bottom of the file, before the cd %CATALINA_HOME%\bin entry, add the set JAVA_OPTS entry. Then, make sure that the entries are shown as follows:
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true 
      
      cd %CATALINA_HOME%\bin
      call ".\startup.bat"
    • On UNIX systems, the server.start.sh script file is in the Rational DOORS Web Access installation directory. Before the export JAVA_OPTS entry, add the JAVA_OPTS entry. Then, make sure that the entries are shown as follows:
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true 
      
      export JAVA_OPTS
  7. Save and close the file.
  8. Open the Apache Tomcat server.xml file in an editor. That file is in the Rational DOORS Web Access installation in the server/conf directory; for example,
    C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1\server\conf
  9. Set the sslProtocol value to the minimum TLS version; for example:
    sslProtocol="TLS"
    This setting uses the strongest TLS version during communication between the server and a specific client.
  10. Set the cipher suites to FIPS 140-2 compliant ciphers; for example:
    ciphers="SSL_RSA_WITH_AES_256_CBC_SHA"
    For a list of supported cipher suites, see "IBM JSSE FIPS Cipher Suites" in the related information links below.

What to do next

Configure the browser to send at the least the minimum TLS version that the Apache Tomcat server accepts. Microsoft Internet Explorer might not have TLS enabled. To enable TLS, open Internet Explorer and click Tools > Internet Options. On the Advanced tab, select the Use TLS version option, where the TLS version is the minimum client version that the server accepts.

If you use providers that are approved by FIPS 140-2, ensure that the certificates and keystores include supported algorithms. For a list of supported key and signature algorithms, see "The Java FIPS-approved providers, IBMJSSEFIPS and IBMJCEFIPS."


Feedback