Configuring Federal Information Processing Standard Java Secure Socket Extension files

Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files.

About this task

In WebSphere Application Server, the Java Secure Socket Extension (JSSE) provider used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the Java Cryptography Extension (JCE) provider. Consequently, IBMJSSE2 does not need to be Federal Information Processing Standard (FIPS)-approved because it does not perform cryptography. However, the JCE provider requires FIPS-approval.
WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can utilize. The IBMJCEFIPS provider that is shipped in WebSphere Application Server Version 6.1 supports the following SSL ciphers:
  • SSL_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

[Updated in July 2012] WebSphere Application Server automatically defaults to the IBMJSSE2 provider (with the IBMJCEFIPS provider) for supporting FIPS. When enabling the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel, the runtime always uses IBMJSSE2, despite the contextProvider that you specify for SSL (IBMJSSE or IBMJSSE2). Also, because FIPS requires the SSL protocol be TLS, the runtime always uses TLS when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in Version 6.1 because an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel to enable all transports using SSL. [Updated in July 2012]

jul2012

Procedure

  1. Click Security > SSL certificate and key management.
  2. Select the Use the United States Federal Information Processing Standard (FIPS) algorithms option and click Apply. This option makes IBMJSSE2 and IBMJCEFIPS the active providers.
  3. Accommodate Java clients that must access enterprise beans.

    Change the com.ibm.security.useFIPS property value from false to true in the profile_root/properties/ssl.client.props file.

  4. Ensure that the com.ibm.ssl.protocol property within the profile_root/properties/ssl.client.props file is set to SSL_TLS.
  5. Ensure that the java.security includes the provider.

    Edit the java.security file to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) before the IBMJCE provider, and also renumber the other providers in the provider list. The IBMJCEFIPS provider must be in the java.security file provider list.

    [iSeries] The java.security file is located in the profile_root/properties directory.

    [AIX HP-UX Linux Solaris Windows] [z/OS] The java.security file is located in the WASHOME/java/jre/lib/security directory.

    The IBM SDK java.security file looks like the following example after completing this step:[AIX HP-UX Linux Solaris Windows] [z/OS]
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    [iSeries]
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.i5os.jsse.JSSEProvider
    #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.9=com.ibm.security.cmskeystore.CMSProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    [AIX HP-UX Linux Solaris Windows] [iSeries] If you are using the Oracle JDK, the java.security file looks like the following example after completing this step:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.jsse.IBMJSSEProvider
    security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.7=com.ibm.security.cert.IBMCertPath
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    #security.provider.9=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    

    Edit the java.security file to uncomment the line with the IBMJCEFIPS provider and also renumber the rest of the provider list. The IBMJCEFIPS provider must be in the java.security file provider list. The java.security file is located in the WASHOME/java/jre/lib/security directory. To edit the file, complete the following steps:

    [z/OS]
    1. Copy the java.security file to a directory that has write permissions.
    2. Edit the java.security file to comment out the line with the IBMJCE provider, uncomment the line with the IBMJCEFIPS provider, and save the file.

      The IBM Software Development Kit (SDK) java.security file looks like the following example prior to completing this step:

      #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.1=com.ibm.crypto.provider.IBMJCE
      security.provider.2=com.ibm.jsse.IBMJSSEProvider
      security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.5=com.ibm.security.cert.IBMCertPath
      security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
      security.provider.7=com.ibm.security.cmskeystore.CMSProvider
      security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    3. Configure the security.overridePropertiesFile and java.security.properties system properties for each Java Virtual Machine (JVM) in the cell. Add the following property and value pairs:
      Table 1. Custom properties for specifying a new location for the java.security file
      Property name Value
      security.overridePropertiesFile true
      java.security.properties Specify the new location of the java.security file.
      You must specify the previous set of system properties for the deployment manager, the node agent, and other application servers. For the deployment manager, specify this set of system properties for both the control and the servant. For the node agent, specify this set of system properties for the control. For all application servers, specify this set of system properties for the adjunct, control, and servant. For example, complete the following steps to specify these system properties for the control on an application server:
      1. In the administrative console, click Servers > Application servers > server_name.
      2. Under Server infrastructure, click Java and Process Management > Process Definition > Control.
      3. Under Additional properties, click Java Virtual Machine > Custom properties.
      4. Enter the properties as two sets of name and value pairs.
      5. Click Save.

What to do next

After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:
[AIX HP-UX Linux Solaris Windows] Attention: The following error might occur when you attempt to stop WebSphere Application Server after enabling the FIPS option:
ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorException
Uncomment the following entry in the java.security file if it was previously removed or commented out, then restart the server:
security.provider.2=com.ibm.crypto.provider.IBMJCE
The java.security file is located in the WAS_HOME/java/jre/lib/security directory.
Note: When enabling FIPS, you cannot configure cryptographic token devices in the SSL repertoires. IBMJSSE2 must use IBMJCEFIPS when utilizing cryptographic services for FIPS.
The following FIPS 140-2 approved cryptographic providers that are the only devices that are supported with the FIPS option:
  • IBMJCEFIPS (certificate 376)
  • IBM Cryptography for C (ICC) (certificate 384)
The relevant certificates are listed on the NIST Web site: Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List
To unconfigure the FIPS provider, reverse the changes that you made in the previous steps. After you reverse the changes, verify that you have made the following changes to the sas.client.props, soap.client.props, and java.security files:
  • In the ssl.client.props file, you must change the com.ibm.security.useFIPS value to false.
  • [AIX HP-UX Linux Solaris Windows] [z/OS] In the java.security file, you must change the FIPS provider to a non-FIPS provider.
    If you are using the IBM SDK java.security file, you must change the first provider to a non-FIPS provider as shown in the following example:
    #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.1=com.ibm.crypto.provider.IBMJCE
    security.provider.2=com.ibm.jsse.IBMJSSEProvider
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    #security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    If you are using the Oracle JDK java.security file, you must change the third provider to a non-FIPS provider as shown in the following example:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.jsse.IBMJSSEProvider
    security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.7=com.ibm.security.cert.IBMCertPath
    #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    
  • [iSeries] Edit the java.security file to remove the FIPS provider and renumber the providers as in the following example:
    security.provider.1=sun.security.provider.Sun
    #security.provider.2=com.ibm.crypto.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.i5os.jsse.JSSEProvider
    #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    



In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic Task topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tsec_fips
File name: tsec_fips.html