Configuring compliance for FIPS 140-2 in Rational DOORS Web Access

You can configure IBM® Rational® DOORS® Web Access to communicate over secure sockets in compliance with Federal Information Processing Standard (FIPS) 140-2 Level 1. That standard defines the security requirements that must be satisfied by a cryptographic module that is used in a security system to protect unclassified information in IT systems.

About this task

Rational DOORS Web Access uses the IBMJSSE2 provider as the Java™ Secure Socket Extension (JSSE) provider. IBMJSSE2 does not need FIPS 140-2 approval because it delegates encryption and signature functions to a Java Cryptography Extension (JCE) provider. Rational DOORS Web Access uses the IBMJCEFIPS provider to encrypt data. IBMJCEFIPS is approved for FIPS 140-2.

Configuring Rational DOORS Web Access to use the IBMJCEFIPS provider involves these steps:
  • Edit the IBM SDK java.security file to include the IBMJCEFIPS and IBMJCE providers and to specify the IBM secure sockets library.
  • Edit the Apache Tomcat startup script file to set the system property that specifies the FIPS 140-2 compliant setting.
  • Edit the Apache Tomcat server configuration file to restrict https communication to protocols and cipher suites that are supported by FIPS 140-2.

Procedure

  1. Open the java.security file in an editor. That file is in the Rational DOORS Web Access installation directory in the OS JRE library; for example,
    C:\Program Files (x86)\IBM\Rational\DOORS Web Access\version\win32\jre\lib\security
  2. In the file, add these entries to the list of providers:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
  3. Renumber the other providers in the list so that it includes these entries:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=org.apache.harmony.security.provider.PolicyProvider
    security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGOE
  4. Save and close the file.
  5. Open the Apache Tomcat startup script file in an editor.
    • On Windows systems, the server.start.bat script file is in the Rational DOORS Web Access installation directory; for example,
      C:\Program Files (x86)\IBM\Rational\DOORS Web Access\version
      Near the bottom of the file, before the cd %CATALINA_HOME%\bin entry, add the set JAVA_OPTS entry for the com.ibm.jsse2.usefipsprovider parameter:
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true 
      
      cd %CATALINA_HOME%\bin
      call ".\startup.bat"
    • On UNIX systems, the server.start.sh script file is in the Rational DOORS Web Access installation directory. Before the export JAVA_OPTS entry, add the JAVA_OPTS entry for the com.ibm.jsse2.usefipsprovider parameter:
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
      
      export JAVA_OPTS
  6. Save and close the file.
  7. Open the Apache Tomcat server.xml file in an editor. That file is in the Rational DOORS Web Access installation in the server/conf directory; for example,
    C:\Program Files (x86)\IBM\Rational\DOORS Web Access\version\server\conf
  8. In the HTTPS connector section, which is described in Configuring Rational DOORS Web Access to use SSL or TLS, set the sslProtocol value to the minimum TLS version; for example:
    sslProtocol="TLS"
    This setting uses the strongest TLS version during communication between the server and a specific client.
  9. Set the cipher suites to further restrict what the server will accept; for example:
    ciphers="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
        SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
    For a list of supported cipher suites, see "IBM JSSE FIPS Cipher Suites" in the Related information.

What to do next

Configure the browser to send at the least the minimum TLS version that the Apache Tomcat server accepts. Microsoft Internet Explorer might not have TLS enabled. To enable TLS, open Internet Explorer and click Tools > Internet Options. On the Advanced tab, select Use TLS version, where version is the minimum client version that the server accepts.

If you use providers that are approved by FIPS 140-2, ensure that the certificates and keystores include supported algorithms. For a list of supported key and signature algorithms, see "The Java FIPS-approved providers, IBMJSSEFIPS and IBMJCEFIPS."


Feedback