WAS security standards configurations

WAS can be configured to work with various security standards, which are typically used to meet security requirements required by the government.

New feature: WAS integrates cryptographic modules, which include Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE). Most of the requirements in the standards are handled in the JSSE and JCE, which must undergo the certification process to meet government standards. WebSphere Application Server must be configured to run with the JSSE and JCE enabled for a particular standard, and now supports...

• FIPS 140-2

  Specify requirements on cryptographic modules. WAS has been able to configure using this standard the longest. Many users can be configured to use this level, but might be required to move up to the newer SP800-131 or Suite B standard.

• SP800-131

  Requirement originated by the National Institute of Standards and Technology (NIST), which requires longer key lengths and stronger cryptography. The specification also provides a transition configuration to enable users to move to a strict enforcement of SP800-131. The transition configuration also enables users to run with a mixture of settings from both FIPS140-2 and SP800-131. SP800-131 can be run in two modes, transition and strict.

  Strict enforcement of SP800-131 requirements on WebSphere Application server includes the following requirements:

  1. The use of the TLSv1.2 protocol for the SSL context.
  2. Certificates must have a minimum length of 2048. Elliptical Curve (EC) certificate require a minimum size of 244-bit curves.
  3. Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signatureAlgorithms include the following signatures:
     • SHA256withRSA
     • SHA384withRSA
     • SHA512withRSA
     • SHA256withECDSA
     • SHA384withECDSA
     • SHA512withECDSA

  4. SP800-131 approved Cipher suites

• Suite B

  Requirement originated by the National Security Agency (NSA) to specify a cryptographic interoperability strategy. This standard is similar to SP800-131 with some tighter restrictions. Suite B can run in two modes: 128-bit or 192-bit. The restricted policy file provides encryption for the 128-bit mode, and it is applied by default. If we are using 192-bit mode, you must apply the unrestricted policy file to the JDK so that the stronger cipher required for the 192-bit mode can be used.

  The following table lists the maximum key sizes that the restricted policy file allows for IBMJCE and IBMJCECCA algorithms. Users who require stronger encryption must use the unrestricted policy file.

  Algorithm	Maximum key size in bits
  DES	64
  DESede	96
  RC2	128
  RC4	128
  RC5	128
  RSA	2048
  All other algorithms	128

  To apply the unrestricted policy files, copy the US_export_policy.jar and the local_policy.jar files from...

  WAS_HOME/java/J5.0/lib/security

  ...to...

  WAS_HOME/java/J5.0/demo/jce/policy-files/unrestricted

  Suite B requirements on WebSphere Application Server include:

  • The use of the TLSv1.2 protocol for the SSL Context
  • Suite B approved Cipher suites
  • Certificates:
    • 128 bit mode certificates must be signed with SHA256withECDSA
    • 192 bit mode certificates must be signed with SHA384withECDSA
  • Ciphers:
    • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Properties used to enable the Security Standards

The IBM JVM runs in a given security mode based on system properties. WebSphere Application Server sets these system properties based on security configuration settings. The security configuration can be set up through the console or through scripting admin tasks. If an application sets these properties directly, it can affect WebSphere Application Server SSL communication.

Security standard	System property to enable	Valid values
FIPS 140-2	com.ibm.jsse2.usefipsprovider	true or false
SP800-131	com.ibm.jsse2.sp800-131	transition or strict
Suite B	com.ibm.jsse2.suiteB	128 or 192

WebSphere Application Server configuration clears out all of these properties if they are set, then sets them to how the security configuration is specified. WebSphere Application Server enables the security standard based on the custom properties set in the security configuration.

WAS security custom properties to enable the security standard

Security standard	Security custom properties	JVM system property
FIPS 140-2	com.ibm.security.useFips=true com.ibm.websphere.security.FIPSLevel=FIPS140-2	com.ibm.jsse2.usefipsprovider=true
SP800-131- transition	com.ibm.security.useFips=true com.ibm.websphere.security.FIPSLevel=transition	com.ibm.jsse2.sp800-131=transition
SP800-131 strict	com.ibm.security.useFips=true com.ibm.websphere.security.FIPSLevel=SP800-131	com.ibm.jsse2.sp800-131=strict
Suite B 128	com.ibm.security.useFips=true com.ibm.websphere.security.suiteB=128	com.ibm.jsse2.suiteB=128
Suite B 192	com.ibm.security.useFips=true com.ibm.websphere.security.suiteB=192	com.ibm.jsse2.suiteB=192

Subtopics

• Convert certificates
  
• Manage FIPS
  

Related tasks

Configure WebSphere Application Server for the Suite B security standard

Configure WebSphere Application Server for SP800-131 standard strict mode

Transition WebSphere Application Server to the SP800-131 security standard

Configure Federal Information Processing Standard Java Secure Socket Extension files

FIPSCommands (AdminTask)