WAS security standards configurations

WAS v8.5 > Develop applications > Develop security > Develop extensions to the WebSphere security infrastructure
WAS security standards configurations

WebSphere Application Server can be configured to work with various security standards, which are typically used to meet security requirements required by the government.

New feature:
WAS integrates cryptographic modules, which include JSSE and Java Cryptography Extension (JCE). Most of the requirements in the standards are handled in the JSSE and JCE, which must undergo the certification process to meet government standards. WAS must be configured to run with the JSSE and JCE enabled for a particular standard, and now supports the FIPS 140-2, SP800-131 and Suite B security standards.

FIPS 140-2 are Federal Information Processing Standards (FIPS) that specify requirements on cryptographic modules. WAS has been able to configure using this standard the longest. Many users can be configured to use this level, but might be required to move up to the newer SP800-131 or Suite B standard.
See The National Institute of Standards and Technology website for more information about the 140-2 standard.
To configure FIPS 140-2, see the topic Configure Federal Information Processing Standard Java Secure Socket Extension files.
SP800-131 is a requirement originated by the National Institute of Standards and Technology (NIST) which requires longer key lengths and stronger cryptography. The specification also provides a transition configuration to enable users to move to a strict enforcement of SP800-131. The transition configuration also enables users to run with a mixture of settings from both FIPS140-2 and SP800-131. SP800-131 can be run in two modes, transition and strict.
Strict enforcement of SP800-131 requirements on WebSphere Application server includes the following:

The use of the TLSv1.2 protocol for the SSL context.
Certificates must have a minimum length of 2048. Elliptical Curve (EC) certificate require a minimum size of 244-bit curves.
Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signatureAlgorithms include:

SHA256withRSA
SHA384withRSA
SHA512withRSA
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA

SP800-131 approved Cipher suites

See The National Institute of Standards and Technology website for more details about the SP800-131 standard.
See the topic Transitioning WAS to the SP800-131 security standard for information on how to transition WAS to the SP800-131 strict standard. See the topic Configure WAS for SP800-131 standard strict mode for information on how to configure SP800-131.
Suite B is a requirement originated by the National Security Agency (NSA) to specify a cryptographic interoperability strategy. This standard is similar to SP800-131 with some tighter restrictions. Suite B can run in two modes: 128-bit or 192-bit. The restricted policy file provides encryption for the 128-bit mode, and it is applied by default. If using 192-bit mode, users must apply the unrestricted policy file to the JDK so the stronger cipher required for the 192-bit mode can be used.
The following table lists the maximum key sizes the restricted policy file allows for IBMJCE and IBMJCECCA algorithms. Users who require stronger encryption must use the unrestricted policy file.
Restricted policy file values.

Algorithm Maximum key size in bits
DES 64
DESede 96
RC2 128
RC4 128
RC5 128
RSA 2048
All other algorithms 128

To apply the unrestricted policy files, copy US_export_policy.jar and local_policy.jar from the WAS_HOME/java/J5.0/lib/security directory to the WAS_HOME/java/J5.0/demo/jce/policy-files/unrestricted directory.
Suite B requirements on WAS include the following:

The use of the TLSv1.2 protocol for the SSL Context
Suite B approved Cipher suites
Certificates:

128 bit mode certificates must be signed with SHA256withECDSA
192 bit mode certificates must be signed with SHA384withECDSA

Ciphers:

SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

See the topic Configure WAS for the Suite B security standard for information about how to configure Suite B.

Properties used to enable the Security Standards

The IBM virtual machine for Java (JVM) runs in a given security mode based on system properties. WAS sets these system properties based on security configuration settings. The security configuration can be set up through the dmgr console or through scripting admin tasks. If an application sets these properties directly it can affect WAS SSL communication.

JVM system properties to enable the security standard.

Security standard System property to enable Valid values
FIPS 140-2 com.ibm.jsse2.usefipsprovider true or false
SP800-131 com.ibm.jsse2.sp800-131 transition or strict
Suite B com.ibm.jsse2.suiteB 128 or 1.2

WAS configuration clears out all of these properties if they are set, then sets them to how the security configuration is specified. WAS enables the security standard based on the custom properties set in the security configuration.

WAS security custom properties to enable the security standard

WAS security custom properties to enable the security standard.

Security standard Security custom properties JVM system property
FIPS 140-2
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=FIPS140-2
com.ibm.jsse2.usefipsprovider=true
SP800-131- transition
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=transition
com.ibm.jsse2.sp800-131=transition
SP800-131 – strict
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=SP800-131
com.ibm.jsse2.sp800-131=strict
Suite B 128
com.ibm.security.useFips=true
com.ibm.websphere.security.suiteB=128
com.ibm.jsse2.suiteB=128
Suite B 1.2
com.ibm.security.useFips=true
com.ibm.websphere.security.suiteB=192
com.ibm.jsse2.suiteB=192

Subtopics

Convert certificates
Use this page to convert certificates to the selected security standard. All certificates in keystores associated with an Secure Socket Layer (SSL) configuration are converted.
Manage FIPS
Use this page to disable Federal Information Processing Standards (FIPS) or to enable security standards required by the government.

Related

Configure WAS for the Suite B security standard
Configure WAS for SP800-131 standard strict mode
Transitioning WAS to the SP800-131 security standard
Configure Federal Information Processing Standard Java Secure Socket Extension files

Reference:

FIPSCommands command group for AdminTask

+
Search Tips | Advanced Search

Algorithm	Maximum key size in bits
DES	64
DESede	96
RC2	128
RC4	128
RC5	128
RSA	2048
All other algorithms	128

Security standard	System property to enable	Valid values
FIPS 140-2	com.ibm.jsse2.usefipsprovider	true or false
SP800-131	com.ibm.jsse2.sp800-131	transition or strict
Suite B	com.ibm.jsse2.suiteB	128 or 1.2

Security standard	Security custom properties	JVM system property
FIPS 140-2	com.ibm.security.useFips=true com.ibm.websphere.security.FIPSLevel=FIPS140-2	com.ibm.jsse2.usefipsprovider=true
SP800-131- transition	com.ibm.security.useFips=true com.ibm.websphere.security.FIPSLevel=transition	com.ibm.jsse2.sp800-131=transition
SP800-131 – strict	com.ibm.security.useFips=true com.ibm.websphere.security.FIPSLevel=SP800-131	com.ibm.jsse2.sp800-131=strict
Suite B 128	com.ibm.security.useFips=true com.ibm.websphere.security.suiteB=128	com.ibm.jsse2.suiteB=128
Suite B 1.2	com.ibm.security.useFips=true com.ibm.websphere.security.suiteB=192	com.ibm.jsse2.suiteB=192