Set FIPS JSSE files

Use this topic to configure FIPS JSSE files.

In WAS, the JSSE provider used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the JCE provider. Consequently, IBMJSSE2 does not need to be FIPS-approved because it does not perform cryptography. However, the JCE provider requires FIPS-approval.WAS provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can utilize. The IBMJCEFIPS provider that is shipped in WAS V7.0 supports the following SSL ciphers:

• SSL_RSA_WITH_AES_128_CBC_SHA

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

• SSL_DHE_RSA_WITH_AES_128_CBC_SHA

• SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_DHE_DSS_WITH_AES_128_CBC_SHA

• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Even though the IBMJSSEFIPS provider is still present, the runtime does not use this provider. If IBMJSSEFIPS is specified as a contextProvider, WAS automatically defaults to the IBMJSSE2 provider (with the IBMJCEFIPS provider) for supporting FIPS. When enabling the Use the United States FIPS algorithms option on the server SSL certificate and key management panel, the runtime always uses IBMJSSE2, despite the contextProvider specified for SSL (IBMJSSE, IBMJSSE2 or IBMJSSEFIPS). Also, because FIPS requires the SSL protocol be TLS, the runtime always uses TLS when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in V7.0 because an administrator needs to enable only the Use the United States FIPS algorithms option on the server SSL certificate and key management panel to enable all transports using SSL.

 

1. Click Security > SSL certificate and key management.

2. Select the Use the United States FIPS algorithms option and click Apply.

   This option makes IBMJSSE2 and IBMJCEFIPS the active providers.

3. Accommodate Java clients that must access enterprise beans.

   Change the com.ibm.security.useFIPS property value from false to true in the $WP_PROFILE/properties/ssl.client.props file.

4. Verify the java.security includes the provider.

   Edit the java.security file to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) before the IBMJCE provider, and also renumber the other providers in the provider list. The IBMJCEFIPS provider must be in the java.security file provider list.

   The java.security file is located in...

   WASHOME/java/jre/lib/security

   The IBM SDK java.security file looks like the following example after completing this step:

   security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.2=com.ibm.crypto.provider.IBMJCE security.provider.3=com.ibm.jsse.IBMJSSEProvider security.provider.4=com.ibm.jsse2.IBMJSSEProvider2 security.provider.5=com.ibm.security.jgss.IBMJGSSProvider security.provider.6=com.ibm.security.cert.IBMCertPath security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11 security.provider.8=com.ibm.security.cmskeystore.CMSProvider security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
   

   If using the Sun Java SE Development Kit, the java.security file looks like the following example after completing this step:

   security.provider.1=sun.security.provider.Sun security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.jsse.IBMJSSEProvider security.provider.5=com.ibm.jsse2.IBMJSSEProvider2 security.provider.6=com.ibm.security.jgss.IBMJGSSProvider security.provider.7=com.ibm.security.cert.IBMCertPath security.provider.8=com.ibm.i5os.jsse.JSSEProvider
   #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11 security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
   
   

 

Next steps

After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:

• By default, Microsoft Internet Explorer might not have TLS enabled. To enable TLS, open the Internet Explorer browser and click Tools > Internet Options. On the Advanced tab, select the Use TLS 1.0 option.

  Netscape V4.7.x and earlier versions might not support TLS.

• IBM Directory Server V5.1 (and earlier versions) do not support TLS.

• If we have an admin client that uses a SOAP connector and you enable FIPS, add the following line to the $WP_PROFILE/properties/soap.client.props file:

  com.ibm.ssl.contextProvider=IBMJSSEFIPS
  
  

• When you select the Use the FIPS option on the SSL certificate and key management panel, the LTPA token format is not backwards-compatible with previous releases of WAS. However, we can import the LTPA keys from a previous version of the appserver.

The following error might occur when you attempt to stop WAS after enabling the FIPS option:

ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorException

Uncomment the following entry in the java.security file if it was previously removed or commented out, then restart the server:

security.provider.2=com.ibm.crypto.provider.IBMJCE

The java.security file is located in...

WAS_HOME/java/jre/lib/security

When enabling FIPS, we cannot configure cryptographic token devices in the SSL repertoires. IBMJSSE2 must use IBMJCEFIPS when utilizing cryptographic services for FIPS.

The following FIPS 140-2 approved cryptographic providers that are the only devices that are supported with the FIPS option:

• IBMJCEFIPS (certificate 376)

• IBM Cryptography for C (ICC) (certificate 384)

The relevant certificates are listed on the NIST Web site: Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List To unconfigure the FIPS provider, reverse the changes that you made in the previous steps. After you reverse the changes, verify that we have made the following changes to the sas.client.props, soap.client.props, and java.security files:

• In the ssl.client.props file, change the com.ibm.security.useFIPS value to false.

• In the java.security file, change the FIPS provider to a non-FIPS provider.If we are using the IBM SDK java.security file, change the first provider to a non-FIPS provider as shown in the following example:

  #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath
  #security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
  

  If we are using the Sun JDK java.security file, change the third provider to a non-FIPS provider as shown in the following example:

  security.provider.1=sun.security.provider.Sun security.provider.2=com.ibm.security.jgss.IBMJGSSProvider security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.4=com.ibm.crypto.provider.IBMJCE security.provider.5=com.ibm.jsse.IBMJSSEProvider security.provider.6=com.ibm.jsse2.IBMJSSEProvider2 security.provider.7=com.ibm.security.cert.IBMCertPath
  #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
  
  

 

Related tasks

Develop extensions to the WebSphere security infrastructure

 

Related

Global security settings

 

Related information

Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List