Configuring Federal Information Processing Standard Java Secure Socket Extension files

Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files.

About this task

In WebSphere Application Server, the Java Secure Socket Extension (JSSE) provider used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the Java Cryptography Extension (JCE) provider. Consequently, IBMJSSE2 does not need to be Federal Information Processing Standard (FIPS)-approved because it does not perform cryptography. However, the JCE provider requires FIPS-approval.
WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can utilize. The IBMJCEFIPS provider that is shipped in WebSphere Application Server Version 6 supports the following Secure Sockets Layer (SSL) ciphers:
  • SSL_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Even though the IBMJSSEFIPS provider is still present, the runtime does not use this provider. If IBMJSSEFIPS is specified as a contextProvider, WebSphere Application Server automatically defaults to the IBMJSSE2 provider (with the IBMJCEFIPS provider) for supporting FIPS in Version 6. When enabling FIPS in the server Global security panel, the runtime always uses IBMJSSE2, despite the contextProvider that you specify for SSL (IBMJSSE, IBMJSSE2 or IBMJSSEFIPS). Also, because FIPS requires the SSL protocol to be TLS, the runtime always uses Transport Layer Security (TLS) when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in Version 6 because an administrator needs to enable only the FIPS flag in the Global security panel to enable all transports using SSL.

Procedure

  1. Click Security > Global Security.
  2. Select the Use the Federal Information Processing Standard (FIPS) option and click OK. This option makes IBMJSSE2 and IBMJCEFIPS the active providers.
  3. Accommodate Java clients that must access enterprise beans.

    Change the com.ibm.security.useFIPS property value from false to true in the profile_root/properties/sas.client.props file.

  4. Ensure that the com.ibm.ssl.protocol property within the profile_root/properties/ssl.client.props file is set to SSL_TLS.
  5. Accommodate administrative clients that use the SOAP connector.
    Modify the profile_root/properties/soap.client.props file. Set the following property:
    #com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.contextProvider=IBMJSSEFIPS
    
    You are using an administrative client if you use the startServer.sh or stopServer.sh commands instead of the administrative console to start and stop the server.
    Note: Specifying IBMJSSEFIPS indicates that the client wants to be in FIPS mode, and the runtime uses the IBMJSSE2 provider in combination with the IBMJCEFIPS provider.
  6. Ensure that the java.security includes the provider.

    Edit the java.security file to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) before the IBMJCE provider, and also renumber the other providers in the provider list. The IBMJCEFIPS provider must be in the java.security file provider list.

    The java.security file is located in the profile_root directory.

    The IBM SDK java.security file looks like the following example after completing this step:
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    #security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    
    If you are using the Sun JDK, the java.security file looks like the following example after completing this step:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.jsse.IBMJSSEProvider
    security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.7=com.ibm.security.cert.IBMCertPath
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    #security.provider.9=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    

What to do next

After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:
Note: When enabling FIPS, you cannot configure cryptographic token devices in the SSL repertoires. IBMJSSE2 must use IBMJCEFIPS when utilizing cryptographic services for FIPS.
The following FIPS 140-2 approved cryptographic providers that are the only devices that are supported with the FIPS option:
  • IBMJCEFIPS (certificate 376)
  • IBMJSSEFIPS (certificate 409)
  • IBM Cryptography for C (ICC) (certificate 384)
The relevant certificates are listed on the NIST Web site: Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List
To unconfigure the FIPS provider, reverse the changes that you made in the previous steps. After you reverse the changes, verify that you have made the following changes to the sas.client.props, soap.client.props, and java.security files:
  • In the sas.client.props file, you must change the com.ibm.security.useFIPS value to false.
  • In the soap.client.props file, you must uncomment the com.ibm.ssl.contextProvider=IBMJSSE2 property and comment out the com.ibm.ssl.contextProvider=IBMJSSEFIPS property. These changes are shown in the following example:
    com.ibm.ssl.contextProvider=IBMJSSE2
    #com.ibm.ssl.contextProvider=IBMJSSEFIPS
    
  • In the java.security file, you must change the FIPS provider to a non-FIPS provider.
    If you are using the IBM SDK java.security file, you must change the first provider to a non-FIPS provider as shown in the following example:
    #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.1=com.ibm.crypto.provider.IBMJCE
    security.provider.2=com.ibm.jsse.IBMJSSEProvider
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    #security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    If you are using the Sun JDK java.security file, you must change the third provider to a non-FIPS provider as shown in the following example:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.jsse.IBMJSSEProvider
    security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.7=com.ibm.security.cert.IBMCertPath
    #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    



In this information ...


Related reference

IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic    

Terms of Use | Feedback

Last updated: Sep 20, 2010 9:00:59 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-dist&topic=tsec_fips
File name: tsec_fips.html