FIPS compliance with IBM WebSphere Portal


Federal Information Processing Standards (FIPS) are standards and guidelines issued by the United States National Institute of Standards and Technology (NIST) for federal government computer systems. FIPS are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist.

WebSphere Portal provides toleration for WebSphere Application Server's (WAS) support of FIPS 140-2.

WAS V6.0 and later integrates cryptographic modules such as...

  • Java Secure Socket Extension (JSSE)
  • Java Cryptography Extension (JCE)

...which are FIPS 140-2 certified.

Throughout the documentation and the product, the FIPS 140-2 certified IBM JSSE and JCE modules are referred to as...

  • IBM JSSEFIPS
  • IBM JCEFIPS

...which distinguishes the FIPS-certified modules from the prior, non-certified IBM JSSE and IBM JCE modules.

WebSphere Portal toleration of the FIPS 140-2 compliant WAS configuration means that WebSphere Portal will continue to work normally after WAS is configured to activate FIPS 140-2 compliant security modules. The WebSphere Portal product has no self-contained cryptographic support and as a result is unaware of the module differences. Functions in WebSphere Portal that use encryption include:

  • Secure Sockets Layer (SSL) connections inbound from clients. This is basically the WAS and HTTP Server support for SSL connections, and is transparent to WebSphere Portal.

  • Internal connections between WebSphere Portal administrative functions and WAS administrative services. Invoked, for example, when deploying a portlet which must create a Web application in WAS.

  • The connection between the Member Manager component and LDAP, which can be carried over SSL

All of the connections listed above are expected, though not required, to be carried over SSL using FIPS-compliant encryption. Enabling FIPS 140-2 support in WAS does not by itself turn encryption on: it only constrains which cryptographic modules and algorithms are used by the connections that are already configured for SSL. A connection that has not been configured for SSL remains unencrypted whether or not FIPS mode is active, so each of the three connections must be checked separately.

Note that FIPS 140-2 enablement requires HTTP Server and LDAP server versions that provide support for FIPS 140-2.

This section describes how to set up WebSphere Portal to use SSL. You may do these WebSphere Portal setup steps either before or after activating WAS's FIPS 140-2 support.

To activate SSL in WebSphere Portal...

  1. Install and configure Portal

  2. Configure security

  3. Set up Transport Layer Security (TLS) for the internal HTTP Server in WAS.

    Refer to the topic...

    Configuring Federal Information Processing Standard Java Secure Socket Extension files

    ...in the WAS Information Center for detailed instructions.

  4. Optional: If the LDAP server supports TLS with FIPS enabled...

    1. Set up LDAP over SSL
    2. Enable TLS FIPS on the LDAP server.

  5. Optional: Configure the HTTP server to support TLS with FIPS enabled.
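A check that a practitioner would run after completing these steps, as an added example that is not code from IBM or from the WebSphere Portal documentation: it classifies each of the connections listed earlier (inbound HTTPS, Portal-to-WAS administration, Member Manager to LDAP) as FIPS-compliant TLS, encrypted but non-FIPS, or plaintext, applying the caveat above that FIPS mode never turns SSL on by itself. The connection records, the protocol labels and the tables of FIPS-approved algorithms are constructed for the example; the cipher-suite parsing follows the IANA naming convention for TLS 1.0 to 1.2 suites (TLS 1.3 names, which have no `_WITH_`, are reported as unrecognised).

```python
"""Audit the SSL/TLS posture of the connections a FIPS-enabled WebSphere Portal relies on.

Added example, not IBM code. The records at the bottom are constructed to show the
three outcomes the documentation describes: a FIPS-compliant TLS connection, an
encrypted but non-FIPS connection, and a connection with SSL not configured at all,
which FIPS mode leaves in the clear.
"""
import re

# A FIPS 140-2 configuration accepts only TLS; SSL v2 and v3 are rejected.
FIPS_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# FIPS 140-2 approved primitives, spelled as they appear in IANA cipher-suite names.
APPROVED_KEX = {"RSA", "DH_RSA", "DH_DSS", "DHE_RSA", "DHE_DSS",
                "ECDH_RSA", "ECDH_ECDSA", "ECDHE_RSA", "ECDHE_ECDSA"}
APPROVED_CIPHERS = {"AES_128_CBC", "AES_256_CBC", "AES_128_GCM", "AES_256_GCM",
                    "3DES_EDE_CBC"}
APPROVED_MACS = {"SHA", "SHA256", "SHA384"}

# Splits e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 into key exchange, cipher and MAC.
_SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kex>[A-Z_]+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5|NULL)$")


def parse_suite(name):
    """Return (key_exchange, cipher, mac) or None if the suite name is not parseable."""
    m = _SUITE_RE.match(name or "")
    return (m["kex"], m["cipher"], m["mac"]) if m else None


def fips_problems(protocol, cipher_suite):
    """List the reasons an SSL/TLS connection is not FIPS 140-2 compliant (empty if it is)."""
    problems = []
    if protocol not in FIPS_PROTOCOLS:
        problems.append(f"protocol {protocol} is not TLS")
    parts = parse_suite(cipher_suite)
    if parts is None:
        problems.append(f"unrecognised cipher suite {cipher_suite!r}")
        return problems
    kex, cipher, mac = parts
    if kex not in APPROVED_KEX:
        problems.append(f"key exchange {kex} not approved")
    if cipher not in APPROVED_CIPHERS:
        problems.append(f"cipher {cipher} not approved")
    if mac not in APPROVED_MACS:
        problems.append(f"MAC {mac} not approved")
    return problems


def classify_connection(ssl_enabled, protocol=None, cipher_suite=None):
    """Return (verdict, reasons); verdict is 'plaintext', 'encrypted-non-fips' or 'fips'.

    The documentation's caveat lives in the first branch: enabling FIPS mode in WAS
    never switches encryption on, so a connection with SSL off stays plaintext.
    """
    if not ssl_enabled:
        return "plaintext", ["SSL not configured; FIPS mode does not change this"]
    problems = fips_problems(protocol, cipher_suite)
    return ("fips", []) if not problems else ("encrypted-non-fips", problems)


# Constructed sample (not captured from a real system): the connections the
# documentation lists, as an administrator might record them after configuration.
PORTAL_CONNECTIONS = [
    ("browser -> HTTP Server (inbound)", True, "TLSv1", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("Portal admin -> WAS admin services", True, "SSLv3", "SSL_RSA_WITH_RC4_128_MD5"),
    ("Member Manager -> LDAP (before step 4)", False, None, None),
    ("Member Manager -> LDAP (after step 4)", True, "TLSv1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]


def audit(connections):
    """Map each connection name to its (verdict, reasons)."""
    return {name: classify_connection(*rest) for name, *rest in connections}


if __name__ == "__main__":
    for name, (verdict, reasons) in audit(PORTAL_CONNECTIONS).items():
        detail = f"  [{'; '.join(reasons)}]" if reasons else ""
        print(f"{verdict:<19} {name}{detail}")
```

Running the file prints one verdict per connection. In a real deployment the four records would be replaced with what the HTTP Server, the WAS SOAP connector and the LDAP client actually negotiate; the point of the three-way verdict is that "encrypted" and "FIPS-compliant" are different properties, and "SSL not configured" is a third state that a FIPS switch does not alter.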

 

Limitations

There are some restrictions in the level of support that WebSphere Portal provides in using FIPS-certified modules:

  • Lotus Sametime and Lotus QuickPlace currently do not support FIPS 140-2.

  • A FIPS-enabled WAS endpoint accepts only TLS, not SSL v2 or v3, and by default Microsoft Internet Explorer might not have TLS enabled. To enable TLS, open the Internet Explorer browser and click...

    Tools | Internet Options | Advanced tab | Use TLS 1.0 check box

  • Netscape V4.7.x and earlier might not support TLS.

  • The IBM Tivoli Directory Server provides the...

    Use FIPS certified implementation

    ...option, which makes the directory server use the FIPS-certified encryption algorithms.

    For more information, see...

    Setting the level of encryption

    ...within the IBM Tivoli Directory Server Administration Guide

  • IBM JSSEFIPS is not supported on the HP-UX platform.

  • We can only use FIPS-certified JSSE providers if the servers and clients are using WAS Version 6.0 or later.

 
