FIPSCommands (AdminTask)
enableFips
Enables or disables FIPS at a specified security level. Target object: None.
Required parameters
- -enableFips
- If set to true, FIPS is enabled at the security level specified by the other parameters. If set to false, FIPS is disabled and the other parameters are ignored. The value of this parameter is stored in the com.ibm.security.useFIPS security custom property. (Boolean, required)
Optional parameters
- -fipsLevel
- Level of the security standard to use. (String, optional). There is no default value. Valid values include:
- FIPS140-2
- If set, the system is configured to comply with FIPS 140-2 mode.
- transition
- If set, the system is configured to comply with SP800-131 transition mode.
- SP800-131
- If set, the system is configured to comply with SP800-131 strict mode.
The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.
Either fipsLevel or suiteBLevel must be specified.
- -suiteBLevel
- Suite B level to comply with. There is no default value. The value provided is set on the com.ibm.websphere.security.suiteb security custom property. (String, optional)
Valid values are:
- 128 - if this value is set, system is configured to comply with Suite B 128.
- 192 - if this value is set, system is configured to comply with Suite B 192.
- -protocol
- Sets the protocol for the SSL configuration. This parameter is used only when -fipsLevel is set to transition; for the other levels the SSL protocol is already fixed by the specification. Valid values for transition are TLS, TLSv1.1 and TLSv1.2. Note that the console offers only TLS and TLSv1.2; TLSv1.1 can be specified on the command line. (String, optional)
Return value: true (success) or false (failure). If false, the reason for the failure is logged in SystemOut.log.
Examples
- Jacl:
$AdminTask enableFips {-enableFips true -fipsLevel transition}
Output: true
getFipsInfo
Returns an attributeList with the FIPS settings: fipsEnabled, fipsLevel and suiteBLevel.
Target object None.
Required parameters
None.
Return value: The getFipsInfo command returns an attributeList with the FIPS settings. If FIPS is disabled, fipsLevel and suiteBLevel are empty strings. Return values by security mode:
- FIPS not enabled: fipsEnabled=false, fipsLevel=(empty string), suiteBLevel=(empty string)
- FIPS140-2: fipsEnabled=true, fipsLevel=FIPS140-2, suiteBLevel=(empty string)
- SP800-131 transition: fipsEnabled=true, fipsLevel=transition, suiteBLevel=(empty string)
- SP800-131 strict: fipsEnabled=true, fipsLevel=SP800-131, suiteBLevel=(empty string)
- Suite B 128: fipsEnabled=true, fipsLevel=(empty string), suiteBLevel=128
- Suite B 192: fipsEnabled=true, fipsLevel=(empty string), suiteBLevel=192
Examples
- Jacl:
$AdminTask getFipsInfo
Output: {fipsEnabled true} {fipsLevel SP800-131} {suiteBLevel {}}
listCertStatusForSecurityStandard
Returns all certificates used by the SSL configuration and plug-ins, and states whether each one complies with the requested security level.
Target object None.
Required parameters None.
Optional parameters
- -fipsLevel
- Level of the security standard to use. (String, optional). There is no default value. Valid values include:
- FIPS140-2
- If set, the system is configured to comply with FIPS 140-2 mode.
- transition
- If set, the system is configured to comply with SP800-131 transition mode.
- SP800-131
- If set, the system is configured to comply with SP800-131 strict mode.
The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.
Either fipsLevel or suiteBLevel must be specified.
- -suiteBLevel
- Suite B level to comply with. There is no default value. The value provided is set on the com.ibm.websphere.security.suiteb security custom property. (String, optional)
Valid values are:
- 128 - if this value is set, system is configured to comply with Suite B 128.
- 192 - if this value is set, system is configured to comply with Suite B 192.
Return value: An attributeList with three keys: CAN_NOT_CONVERT, CAN_CONVERT and MEET_SECURITY_STANDARD (the key name as it appears in the command output below). For each key a list of attributeLists is returned; each attributeList describes one certificate: keystore, managementScope, alias and reason. For example:
{conversionStatus=CAN_NOT_CONVERT certificateInfo = { keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = <reason why certificate can not be converted> } ...
{conversionStatus=CAN_CONVERT certificateInfo = { keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = empty when certificate can be converted } ...
{conversionStatus=MEET_SECURITY_STANDARD certificateInfo = { keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = empty when certificate already meets security level } ...
Examples
- Jacl:
wsadmin>$AdminTask listCertStatusForSecurityStandard {-fipsLevel SP800-131 -suiteBLevel 128}
Output: {CAN_CONVERT {{keystore NodeDefaultKeyStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias default} {reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} {keystore NodeDefaultRootStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias root} {reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} }} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {}}
convertCertForSecurityStandard
Converts all certificates used by the SSL configuration and plug-ins so that they comply with the requested security level.
Target object None.
Required parameters None.
Optional parameters
- -fipsLevel
- Level of the security standard to use. (String, optional). There is no default value. Valid values include:
- FIPS140-2
- If set, the system is configured to comply with FIPS 140-2 mode.
- transition
- If set, the system is configured to comply with SP800-131 transition mode.
- SP800-131
- If set, the system is configured to comply with SP800-131 strict mode.
The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.
Either fipsLevel or suiteBLevel must be specified.
- -suiteBLevel
- Suite B level to comply with. There is no default value. The value provided is set on the com.ibm.websphere.security.suiteb security custom property. (String, optional)
Valid values are:
- 128 - if this value is set, system is configured to comply with Suite B 128.
- 192 - if this value is set, system is configured to comply with Suite B 192.
- -signatureAlgorithm
- Checks whether the signature algorithm is compliant with the fipsLevel and suiteBLevel. If it is, the certificates are converted with that signature algorithm; if not, a compliant signature algorithm is used instead. (String, required)
- -keySize
- Checks whether the key size is compliant with the fipsLevel and suiteBLevel. If it is, the certificates are converted with that key size; if not, the minimum key size for the signature algorithm is used.
Return value:
{conversionStatus=CAN_NOT_CONVERT certificateInfo = {keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = <reason why certificate can not be converted> } ...
{conversionStatus=MEET_SECURITY_STANDARD certificateInfo = {keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = empty when certificate meets security standard. } ...
Examples
- Jacl:
wsadmin>$AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -signatureAlgorithm SHA256withRSA -keySize 2048}
Output: {CAN_CONVERT {}} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {{keystore NodeDefaultRootStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias root} {reason {}} {keystore NodeDefaultKeyStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias default} {reason {}} }}
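The four commands above are normally run as one sequence: list the certificate status for the target level, convert what can be converted, list again, and only then call enableFips and save. The following script is an added example and is not IBM's code or part of this page. The brace-list parser and the decision logic run in plain Python against constructed sample output (the first sample is the listCertStatusForSecurityStandard output shown above; the second, including its reason text, is made up). The function migrate_to_sp800_131 is the author's own name for the driver; it assumes the AdminTask and AdminConfig objects and the '[-param value ...]' argument form that wsadmin Jython uses, so it can only be exercised inside wsadmin.

```python
# Added example (not IBM's code): parse listCertStatusForSecurityStandard
# output and gate the move to SP800-131 strict mode on it.  Parser and
# decision logic run in plain Python; the driver at the end assumes the
# wsadmin AdminTask/AdminConfig objects and only runs inside wsadmin.

# Constructed sample: the page's own listCertStatusForSecurityStandard output
# for "-fipsLevel SP800-131 -suiteBLevel 128".
SAMPLE_TWO_CONVERTIBLE = (
    "{CAN_CONVERT {{keystore NodeDefaultKeyStore} "
    "{managementScope (cell):testNode01Cell:(node):testNode01} {alias default} "
    "{reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs "
    "to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} "
    "{keystore NodeDefaultRootStore} "
    "{managementScope (cell):testNode01Cell:(node):testNode01} {alias root} "
    "{reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs "
    "to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} }} "
    "{CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {}}"
)
# Constructed sample (not from the page): one certificate the command cannot
# convert and one that is already compliant.  The reason text is made up.
SAMPLE_BLOCKED = (
    "{CAN_CONVERT {}} "
    "{CAN_NOT_CONVERT {{keystore CMSKeyStore} {managementScope (cell):c1:(node):n1} "
    "{alias plugincert} {reason {certificate is not managed by this cell}}}} "
    "{MEET_SECURITY_STANDARD {{keystore NodeDefaultKeyStore} "
    "{managementScope (cell):c1:(node):n1} {alias default} {reason {}}}}"
)


def parse_brace_list(text):
    """Parse a Jacl/Tcl-style brace list into nested Python lists:
    bare words become strings, {...} groups become lists."""
    items = []
    i, n = 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "{":
            depth, j = 0, i
            while j < n:                      # find the matching close brace
                if text[j] == "{":
                    depth += 1
                elif text[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced braces in: %r" % text)
            items.append(parse_brace_list(text[i + 1:j]))
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{}":
                j += 1
            items.append(text[i:j])
            i = j
    return items


def _join_words(value, out=None):
    """Flatten a nested word list (a braced reason text) back into one string."""
    if out is None:
        out = []
    for item in value:
        if isinstance(item, list):
            _join_words(item, out)
        else:
            out.append(item)
    return " ".join(out)


def cert_status(list_output):
    """Group the command output by conversion status.  Inside each status the
    {key value} pairs of all certificates form one flat sequence, so a new
    certificate record starts at every 'keystore' key."""
    result = {}
    for status, pairs in parse_brace_list(list_output):
        records = []
        for pair in pairs:
            key, value = pair[0], _join_words(pair[1:])
            if key == "keystore":
                records.append({})
            records[-1][key] = value
        result[status] = records
    return result


def migration_plan(list_output):
    """Decide what must happen before enableFips may be run for this level."""
    status = cert_status(list_output)
    blockers = status.get("CAN_NOT_CONVERT", [])
    convertible = status.get("CAN_CONVERT", [])
    return {
        "safe_to_enable": len(blockers) == 0 and len(convertible) == 0,
        "convert": ["%s/%s" % (c["keystore"], c["alias"]) for c in convertible],
        "blockers": ["%s/%s: %s" % (c["keystore"], c["alias"], c["reason"])
                     for c in blockers],
    }


def migrate_to_sp800_131(admin_task, admin_config, apply_changes=False):
    """wsadmin-only driver (assumes the AdminTask and AdminConfig objects).
    Order matters: list, convert, list again, then enableFips and save.
    Enabling strict mode while an in-use certificate is non-compliant breaks
    the SSL handshakes of every endpoint that presents it."""
    level = "-fipsLevel SP800-131"
    plan = migration_plan(admin_task.listCertStatusForSecurityStandard("[%s]" % level))
    if plan["blockers"]:
        raise RuntimeError("cannot enable SP800-131 strict: %s" % plan["blockers"])
    if not apply_changes:
        return plan                           # dry run: report only
    if plan["convert"]:
        admin_task.convertCertForSecurityStandard(
            "[%s -signatureAlgorithm SHA256withRSA -keySize 2048]" % level)
        plan = migration_plan(admin_task.listCertStatusForSecurityStandard("[%s]" % level))
        if not plan["safe_to_enable"]:
            raise RuntimeError("certificates still non-compliant after conversion: %r" % plan)
    if str(admin_task.enableFips("[-enableFips true %s]" % level)).lower() != "true":
        raise RuntimeError("enableFips failed; the reason is logged in SystemOut.log")
    admin_config.save()                       # then synchronize nodes and restart
    return plan
```

Run the driver once with apply_changes left at its default to see the plan, then with apply_changes=True from wsadmin (wsadmin -lang jython -f script.py). The listing only covers certificates this cell manages; certificates presented by peers and clients that connect to it still have to meet the level on their side, and the new setting takes effect only after node synchronization and a restart.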
Related tasks
- Create self-signed certificates
- Add a signer certificate to a keystore
- Use the wsadmin scripting AdminTask object for scripted administration
- Configure security
- ManagementScopeCommands (AdminTask)
- Use wsadmin scripting with Jython