Set up Liberty for FIPS compliance
Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. We can set up Liberty to comply with FIPS requirements by setting system properties.
For information about FIPS 140-3 support with the IBM SDK, Java Technology Edition 8, see FIPS 140-3 in the IBM SDK documentation.
Important:
Running Liberty in FIPS 140-3 mode is supported only for Java SE 8 and requires IBM SDK for Java 8.0.8.30 or later.
FIPS 140-3 is not yet supported on z/OS.
For Java SE 11 and later, we can run Liberty in FIPS 140-2 mode with IBM Semeru Runtimes.
See Run FIPS-compliant applications on the Open Liberty website.
Federal agencies and other industries rely on cryptography to protect digital information, which is known as data at rest, and communications, which are known as data in motion. FIPS specifies the security requirements that a cryptographic module must satisfy to protect sensitive information. The FIPS certification process requires testing by a NIST-accredited lab and assures users that a specific technology can be used to secure sensitive information. For more information about FIPS, see the National Institute of Standards and Technology.
- If our Liberty server is running, stop the Liberty server.
- Set the following properties in the jvm.options file.
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
-Xenablefips140-3
In this example, the com.ibm.jsse2.usefipsProviderName property specifies IBMJCEPlusFIPS as the FIPS provider. For more information about system properties in the jvm.options file, see Customize JVM options using jvm.options files.
- If we have LTPA keys, delete the ltpa.keys file. The default location of the ltpa.keys file is ${server.output.dir}/resources/security/ltpa.keys.
If we have LTPA validation keys, delete the LTPA validation keys.
- After you set the properties in the jvm.options file, restart the Liberty server to enable FIPS 140-3. A new ltpa.keys file is created when the Liberty server restarts. To create new LTPA keys and LTPA validation keys that use FIPS 140-3 approved algorithms, run the following createLTPAKeys command.
securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes
For more information about the createLTPAKeys command, see createLTPAKeys.
To enable FIPS 140-2, complete the following steps.
Note:
- The FIPS 140-2 certification for IBM SDK 8 has expired and is no longer compliant with NIST security standards.
- To maintain compliance and adhere to the latest security requirements, enable FIPS 140-3.
- For more information about the FIPS 140-2 certification, see IBM JCE FIPS 140-2 Cryptographic Module Security Policy.
- In the jvm.options file, set the correct system properties to enable FIPS mode for the IBMJSSE2 provider.
For the FIPS 140-2 standard, set the com.ibm.jsse2.usefipsprovider system property to true. We must also set the com.ibm.jsse2.usefipsProviderName property to specify a validated FIPS provider. In the following jvm.options file example, this property specifies IBMJCEPlusFIPS as the FIPS provider:
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
In the following jvm.options file example, this property specifies IBMJCEFIPS as the FIPS provider since IBMJCEPlusFIPS is not supported.
See FIPS 140-3:
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEFIPS
-Djava.security.properties=${server.config.dir}/java.security
For more information about how to set system properties in the jvm.options file, see Liberty environment variables.
The java.security file is located in the ${JAVA_HOME}/jre/lib/security directory. By default, this file does not include a FIPS security provider. Security providers are listed in the file by order of preference, as specified by the security provider number.
For more information about JCE security provider options, see the IBM SDK, Java Technology Edition 8: Security guide. In the following java.security file example, the com.ibm.jsse2.IBMJSSEProvider2 security provider is specified as the highest priority security provider:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.provider.IBMJCE
...
In the following java.security file example for the IBMJCEFIPS provider, the com.ibm.jsse2.IBMJSSEProvider2 security provider is again specified as the highest priority security provider:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.fips.provider.IBMJCEFIPS
jdk.tls.disabledAlgorithms=RSASSA-PSS, PSS, RSAPSS, RSA-PSS, RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE, RSA_PSS_SHA256, ...
For this example, add the IBMJCEFIPS provider to your customized ${server.config.dir}/java.security file. Copy the jdk.tls.disabledAlgorithms value from the ${JAVA_HOME}/jre/lib/security/java.security file and append the RSASSA-PSS, PSS, RSAPSS, RSA-PSS, RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE, RSA_PSS_SHA256 values to it.
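Both procedures above come down to the same two files: jvm.options must turn on the FIPS provider and name it, and java.security must register that provider as a security.provider.N entry (and, when the provider is IBMJCEFIPS, carry the extra jdk.tls.disabledAlgorithms values). The following Python script is an added example, not part of Liberty, the IBM SDK or this documentation: it parses both files and reports which of those requirements are not met, so the files can be checked before the server is restarted. The function names and the sample file contents are constructed here; "SSLv3, RC4" stands in for the value copied from the SDK default file, and the script assumes that the configured provider name equals the simple class name of a security.provider.N entry, which holds for every example on this page.

```python
"""Lint a Liberty jvm.options file and a java.security file for the FIPS
settings described on this page.  Added example; the sample files below are
constructed here and are not copied from any real server."""
import re
from typing import Dict, Iterator, List

# Values the page says to append to jdk.tls.disabledAlgorithms when the
# IBMJCEFIPS provider is configured.
PSS_DISABLED = ["RSASSA-PSS", "PSS", "RSAPSS", "RSA-PSS",
                "RSA_PSS_RSAE_SHA256", "RSA_PSS_RSAE", "RSA_PSS_SHA256"]


def _logical_lines(text: str) -> Iterator[str]:
    """Yield non-empty, non-comment lines; a trailing backslash joins the
    next line, as in Java properties files."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line and not line.startswith("#"):
            yield line
    if pending:
        yield pending


def parse_jvm_options(text: str) -> Dict[str, str]:
    """jvm.options holds one JVM option per line.  -Dkey=value becomes
    {key: value}; any other option (such as -Xenablefips140-3) maps to ''."""
    opts: Dict[str, str] = {}
    for line in _logical_lines(text):
        if line.startswith("-D"):
            key, _, value = line[2:].partition("=")
            opts[key] = value
        else:
            opts[line] = ""
    return opts


def parse_java_security(text: str) -> Dict[str, str]:
    """java.security is a key=value properties file."""
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def provider_order(props: Dict[str, str]) -> List[str]:
    """Provider class names in preference order (by security.provider.N)."""
    numbered = []
    for key, value in props.items():
        match = re.fullmatch(r"security\.provider\.(\d+)", key)
        if match:
            numbered.append((int(match.group(1)), value))
    return [cls for _, cls in sorted(numbered)]


def check_fips(jvm_options: str, java_security: str) -> List[str]:
    """Return findings; an empty list means the two files satisfy the
    requirements the page lists for FIPS mode."""
    findings: List[str] = []
    opts = parse_jvm_options(jvm_options)
    props = parse_java_security(java_security)

    if opts.get("com.ibm.jsse2.usefipsprovider") != "true":
        findings.append("com.ibm.jsse2.usefipsprovider is not set to true")
    name = opts.get("com.ibm.jsse2.usefipsProviderName")
    if not name:
        findings.append("com.ibm.jsse2.usefipsProviderName is not set")
        return findings

    # Assumption: the provider's simple class name equals the configured
    # provider name, as in every example on the page.
    if not any(cls.rsplit(".", 1)[-1] == name for cls in provider_order(props)):
        findings.append(f"{name} is not registered as a security.provider.N entry")

    if name == "IBMJCEFIPS":
        raw = props.get("jdk.tls.disabledAlgorithms", "")
        disabled = {a.strip() for a in raw.split(",")}
        missing = [a for a in PSS_DISABLED if a not in disabled]
        if missing:
            findings.append("jdk.tls.disabledAlgorithms is missing " + ", ".join(missing))
    return findings


# Constructed sample files (not from a real server).
JVM_OPTIONS_140_2 = """\
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEFIPS
-Djava.security.properties=${server.config.dir}/java.security
"""
JVM_OPTIONS_140_3 = """\
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
-Xenablefips140-3
"""
PROVIDERS_140_2 = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.fips.provider.IBMJCEFIPS
"""
# "SSLv3, RC4" stands in for the value copied from the SDK default file.
JAVA_SECURITY_OK = PROVIDERS_140_2 + """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, RSASSA-PSS, PSS, RSAPSS, RSA-PSS, \\
    RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE, RSA_PSS_SHA256
"""
JAVA_SECURITY_NO_PSS = PROVIDERS_140_2 + "jdk.tls.disabledAlgorithms=SSLv3, RC4\n"
JAVA_SECURITY_SDK = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""

if __name__ == "__main__":
    for label, sec in (("complete", JAVA_SECURITY_OK), ("missing PSS", JAVA_SECURITY_NO_PSS)):
        print(label, "->", check_fips(JVM_OPTIONS_140_2, sec) or "no findings")
    print("140-3 ->", check_fips(JVM_OPTIONS_140_3, JAVA_SECURITY_SDK) or "no findings")
```

Run it against the real ${server.config.dir}/jvm.options and the customized java.security before restarting the server; an empty result means the two files agree with the settings above. It checks only the files, so confirming at runtime that the provider is actually active (for example by listing the installed providers from a small Java program) is still worthwhile.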
What to do next
When we use FIPS 140-3, make sure that the LTPA keys created use FIPS 140-3 approved algorithms. For more information about LTPA, see Configure LTPA in Liberty.