WebSphere® Application Server can be configured to work with various security standards, which are typically used to meet government security requirements.
WebSphere Application Server integrates cryptographic modules, which include Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE). Most of the requirements in the standards are handled in the JSSE and JCE, which must undergo the certification process to meet government standards. WebSphere Application Server must be configured to run with the JSSE and JCE enabled for a particular standard.
See the National Institute of Standards and Technology web site for more information about the 140-2 standard.
To configure FIPS 140-2, see the topic "Configuring Federal Information Processing Standard Java Secure Socket Extension files".
See the National Institute of Standards and Technology web site for more details about the SP800-131 standard.
See the topic "Transitioning WebSphere Application Server to the SP800-131 security standard" for information on how to transition WebSphere Application Server to the SP800-131 strict standard. See the topic "Configuring WebSphere Application Server for SP800-131 standard strict mode" for information on how to configure SP800-131.
The following table lists the maximum key sizes that the restricted policy file allows for IBMJCE and IBMJCECCA algorithms. Users who require stronger encryption must use the unrestricted policy file.
Algorithm | Maximum key size in bits |
---|---|
DES | 64 |
DESede | 96 |
RC2 | 128 |
RC4 | 128 |
RC5 | 128 |
RSA | 2048 |
All other algorithms | 128 |
To apply the unrestricted policy files, copy US_export_policy.jar and local_policy.jar from the WAS_HOME/java/J5.0/lib/security directory to the WAS_HOME/java/J5.0/demo/jce/policy-files/unrestricted directory.
See the topic "Configuring WebSphere Application Server for the Suite B security standard" for information about how to configure Suite B.
The IBM® virtual machine for Java (JVM) runs in a given security mode based on system properties. WebSphere Application Server sets these system properties based on security configuration settings. The security configuration can be set up through the administrative console or through scripting admin tasks. If an application sets these properties directly, it can affect WebSphere Application Server SSL communication.
Security standard | System property to enable | Valid values |
---|---|---|
FIPS 140-2 | com.ibm.jsse2.usefipsprovider | true or false |
SP800-131 | com.ibm.jsse2.sp800-131 | transition or strict |
Suite B | com.ibm.jsse2.suiteB | 128 or 192 |
WebSphere Application Server configuration clears all of these properties if they are set, then sets them according to the security configuration. WebSphere Application Server enables the security standard based on the custom properties set in the security configuration.
Security standard | Security custom properties | JVM system property |
---|---|---|
FIPS 140-2 | com.ibm.security.useFips=true | com.ibm.jsse2.usefipsprovider=true |
SP800-131 - transition | com.ibm.security.useFips=true | com.ibm.jsse2.sp800-131=transition |
SP800-131 - strict | com.ibm.security.useFips=true | com.ibm.jsse2.sp800-131=strict |
Suite B 128 | com.ibm.security.useFips=true | com.ibm.jsse2.suiteB=128 |
Suite B 192 | com.ibm.security.useFips=true | com.ibm.jsse2.suiteB=192 |
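
An added example, not taken from the product documentation: a small Java class that reports which of the system properties from the system property table are set in the running JVM, checks each value against the listed valid values, and uses the standard `javax.crypto.Cipher.getMaxAllowedKeyLength` call to show whether the key size limits of the restricted policy file are in effect. The class name `SecurityModeAudit` and the exact, case-sensitive value matching are assumptions of this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;

// Added example (hypothetical class name): audits the security mode of this JVM.
public class SecurityModeAudit {

    // Property names and valid values copied from the system property table.
    static final Map<String, List<String>> VALID =
            new LinkedHashMap<String, List<String>>();
    static {
        VALID.put("com.ibm.jsse2.usefipsprovider", Arrays.asList("true", "false"));
        VALID.put("com.ibm.jsse2.sp800-131", Arrays.asList("transition", "strict"));
        VALID.put("com.ibm.jsse2.suiteB", Arrays.asList("128", "192"));
    }

    // Returns a finding for one property: not set, a listed value, or an unexpected value.
    // Assumption: values are compared exactly as the table spells them.
    static String check(String name, String value) {
        if (value == null) {
            return name + " is not set";
        }
        if (VALID.get(name).contains(value)) {
            return name + "=" + value;
        }
        return name + "=" + value + " UNEXPECTED, valid values: " + VALID.get(name);
    }

    // getMaxAllowedKeyLength returns Integer.MAX_VALUE when the installed
    // policy files place no limit on the algorithm.
    static String policy(String algorithm) throws NoSuchAlgorithmException {
        int max = Cipher.getMaxAllowedKeyLength(algorithm);
        return algorithm + " maximum key size: "
                + (max == Integer.MAX_VALUE ? "no limit" : max + " bits");
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        for (String name : VALID.keySet()) {
            System.out.println(check(name, System.getProperty(name)));
        }
        // AES falls under "All other algorithms" in the key size table.
        System.out.println(policy("AES"));
        System.out.println(policy("RSA"));
    }
}
```

The result reflects only the JVM the class runs in, so call `check` and `policy` from code running inside the application server process to see the values that WebSphere Application Server has set.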