Network Deployment (Distributed operating systems), v8.0 > Develop and deploying applications > Develop security > Develop extensions to the WebSphere security infrastructure


Configure Federal Information Processing Standard Java Secure Socket Extension files

Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files. In WAS, the Java Secure Socket Extension (JSSE) provider used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the Java Cryptography Extension (JCE) provider. Consequently, IBMJSSE2 does not need to be Federal Information Processing Standard (FIPS)-approved because it does not perform cryptography. However, the JCE provider requires FIPS-approval.

WAS provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can utilize. The IBMJCEFIPS provider that is shipped in WAS v8.0 supports the following SSL ciphers:

Even though the IBMJSSEFIPS provider is still present, the runtime does not use this provider. If IBMJSSEFIPS is specified as a contextProvider, WAS automatically defaults to the IBMJSSE2 provider (with the IBMJCEFIPS provider) for supporting FIPS. When enabling the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel, the runtime always uses IBMJSSE2, despite the contextProvider that you specify for SSL (IBMJSSE, IBMJSSE2 or IBMJSSEFIPS). Also, because FIPS requires the SSL protocol be TLS, the runtime always uses TLS when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in v8.0 because an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel to enable all transports using SSL.


Procedure

  1. Click Security > SSL certificate and key management.

  2. Select the Use the United States Federal Information Processing Standard (FIPS) algorithms option and click Apply. This option makes IBMJSSE2 and IBMJCEFIPS the active providers.
  3. Accommodate Java clients that must access enterprise beans.

    Change the com.ibm.security.useFIPS property value from false to true in the $PROFILE_ROOT/properties/ssl.client.props file.

  4. Ensure that the com.ibm.ssl.protocol property within the $PROFILE_ROOT/properties/ssl.client.props file is set to SSL_TLS.
  5. Ensure that the java.security file includes the provider.

    Edit the java.security file to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) before the IBMJCE provider, and also renumber the other providers in the provider list. The IBMJCEFIPS provider must be in the java.security file provider list.

    The java.security file is located in...

    WAS_HOME/java/jre/lib/security/properties

    Edit the java.security file to comment out the line with the IBMJCEFIPS provider and also renumber the rest of the provider list. The IBMJCEFIPS provider must be in the java.security file provider list.

    Edit the java.security file to comment out the line with the IBMJCE provider, uncomment the line with the IBMJCEFIPS provider, and save the file.

    The IBM SDK java.security file looks like the following example after completing this step:

    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
     security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=com.ibm.security.sasl.IBMSASL
    security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.13=org.apache.harmony.security.provider.PolicyProvider
    

    If you are using the Sun Java SE Development Kit, the java.security file looks like the following example after completing this step:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.jsse.IBMJSSEProvider
    security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.6=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.7=com.ibm.security.cert.IBMCertPath
    #security.provider.12=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.9=com.ibm.security.cmskeystore.CMSProvider
    security.provider.10=com.ibm.security.sasl.IBMSASL
    security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider
    


What to do next

After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:

Attention: The following error might occur when you attempt to stop WAS after enabling the FIPS option:

ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorException
Uncomment the following entry in the java.security file if it was previously removed or commented out, then restart the server:
security.provider.2=com.ibm.crypto.provider.IBMJCE

When enabling FIPS, you cannot configure cryptographic token devices in the SSL repertoires. IBMJSSE2 must use IBMJCEFIPS when utilizing cryptographic services for FIPS.

The following FIPS 140-2 approved cryptographic providers that are the only devices that are supported with the FIPS option:

The relevant certificates are listed on the NIST website: Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List

To unconfigure the FIPS provider, reverse the changes that you made in the previous steps. After you reverse the changes, verify that we have made the following changes to the sas.client.props, soap.client.props, and java.security files:


Develop extensions to the WebSphere security infrastructure


Related


Global security settings
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List

+

Search Tips   |   Advanced Search