Configure FIPS JSSE files



The Federal Information Processing Standard (FIPS)-approved Java Secure Socket Extension (JSSE) provider has increased data encryption capabilities. FIPS-approved JSEE providers support Data Encryption Standard (DES) or Triple DES with at least 56-bits of encryption. Although this additional encryption capability is available, use Transport Layer Security (TLS) and not SSL as FIPS-approved JSSE files are not backwards-compatible and SSL is not FIPS-approved. If the server uses TLS, a client using SSL cannot communicate with the server. Thus, use FIPS-approved JSSE providers if your servers and clients are using WebSphere Application Server, V5.0.2 or later as this version supports FIPS.

The IBMJSSEFIPS and IBMJCEFIPS underwent FIPS 140-2 certification.

If you create your own encryption configurations and enable FIPS, add a FIPS-approved JSSE to all of your server and client configurations.

Although WAS supports the IBM FIPS Standard-approved Java Secure Socket Extension (IBMJSSEFIPS), IBMJSSEFIPS is not supported on the HP-UX platform.

To configure the WAS to use IBMJSSEFIPS and IBMJCEFIPS providers, complete the following steps using the administrative console:

  1. Click...

    Security | Global Security

  2. Select the Use FIPS check box and click OK. IBMJCEFIPS is enabled. However, IBMJSSEFIPS is not configured until you complete the remaining steps.

  3. Click...

    Security | SSL

  4. Click the name of your SSL configuration or click New to create a new configuration.

  5. Select High from the Security Level menu.This action sets the encryption strength to 56-bits and higher.

  6. Indicate which JSSE FIPS provider to use.Do one of the following actions:

    • Select IBMJSSEFIPS from the Provider menu and select Predefined JSSE provider. For a list of providers that were previously configured, click Custom Properties under Additional Properties.

    • Type the name of your custom JSSE FIPS provider and select Custom JSSE provider. To create a custom JSSE FIPS provider, click...

      Custom Properties | New

      After configuring your custom FIPS-approved provider, return to the SSL Configuration Repertoires panel for your SSL configuration and enter the name in the Provider field.

  7. Select the TLS or TLSV1 option from the Protocol menu.To use a FIPS-approved JSSE, choose either the TLS or TLSV1 option. SSL protocol is not FIPS-approved. After you select the protocol, the corresponding custom property value is updated for You can view this updated property value under Custom Properties after you click Apply or OK.

  8. Click OK.

  9. If you have a Java client that must access enterprise beans, modify the install_dir>/properties/sas.client.props file to comment out the SSL protocol and add the Transport Layer Security (TLS) protocol. To change the protocol to TLS, edit...

    install_dir>/properties/sas.client.props file:

    ...and make the following changes...

  10. If the server uses a FIPS-approved provider for the CSIv2/SAS protocol, add IBMJSSEFIPS as the contextProvider and TLS as the protocol to the file...


    ...on the application client, add the following information...

  11. If the server-side SOAP connector configuration uses a FIPS-approved IBMJSSEFIPS provider, add as the provider and IBMJSSEFIPS as the contextProvider in the install_dir/properties/soap.client.props file on the administrative client. In...

    install_dir/properties/soap.client.props file

    ...add the following information:

  12. Verify that a FIPS-approved configuration is specified correctly throughout the administrative console. Verify the configuration settings in the following panels:

    • Click...

      Servers | Application Servers | server | Administration Services | JMX Connectors | SOAPConnector | Custom Properties | sslConfig

    • Click...

      Servers | Application Servers | server | Web Container | HTTP Transport

    • Click...

      Environment | Virtual Hosts | host_name | Host Aliases | <alias_name>

    • Click...

      Applications | Enterprise Applications | application_name | Map virtual hosts for web modules

    • Click...

      Security | User Registries | LDAP

    • Click Enterprise Applications > application_name. Under Related Items, click Web Module > URI_file_name > Web Services: Client Security Bindings. Verify the configuration settings listed under HTTP Basic Authentication and HTTP SSL Authentication.



After completing these steps, a FIPS-approved JSSE provides increased encryption capabilities. However, when you use FIPS-approved providers, consider the following points:

If you select USE FIPS on the Global Security panel and select an SSL configuration on the SSL Configuration Repertoires panel, the following error message is displayed at the top of the Global Security panel:

The security policy is set to use only FIPS-approved cryptographic
algorithms. However at least one SSL configuration may not be using a 
FIPS-approved JSSE provider. FIPS-approved cryptographic algorithms 
may not be used in those cases.

If you use the FIPS-approved JSSE provided with WAS, choose IBMJSSEFIPS from the Provider menu on the SSL Configuration Repertoires panel. Otherwise, the following message is displayed at the top of the panel:

"Use FIPS" is enabled, but the SSL provider is not IBMJSSEFIPS. 
FIPS approved cryptographic algorithms may not be used.

Related tasks
Configuring Secure Sockets Layer
Related reference
Global security settings
Related topics
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List