+

Search Tips   |   Advanced Search

Manage FIPS

Use this page to disable Federal Information Processing Standards (FIPS) or to enable security standards required by the government.

WebSphere Application Server integrates cryptographic modules, which include JSSE and Java Cryptography Extension (JCE). JSSE and JCE must undergo the certification process to meet government standards, and WAS must be configured to use them as specified by the standards.

From the admin console, click...

        Security > SSL certificate and key management > Manage FIPS.


Disable FIPS

Select to disable FIPS, which is the default.

Data type: Default: Range:
Boolean Enabled Enabled or Disabled


Enable FIPS 140-2

Enable FIPS 140-2. This option makes IBMJSSE2 and IBMJCEFIPS the active providers.

Federal Information Processing Standards (FIPS) specifies requirements on cryptographic modules. WAS has been able to configure using the FIPS 140-2 standard the longest. Many users can be configured to use this level, but might be required to move up to the newer SP800-131 or Suite B standard.

Data type: Default: Range:
Boolean Enabled Enabled or Disabled


Enable SP800-131

Enable SP800-131.

SP800-131 is a requirement originated by the National Institute of Standards and Technology (NIST) which requires longer key lengths and stronger cryptography. The specification also provides a transition configuration to enable users to move to a strict enforcement of SP800-131. The transition configuration also enables users to run with a mixture of settings from both FIPS140-2 and SP800-131. SP800-131 can be run in two modes, transition and strict.

Data type: Default: Range:
Boolean Enabled Enabled or Disabled


Enable Suite B: Accept 128 bit keys

Select to specify that suite B cryptography is used, and is configured to accept a 128-bit key size. Keystore certificate algorithms require Elliptical curve (EC) cryptography.

Data type: Default: Range:
Boolean Enabled Enabled or Disabled


Enable Suite B: Accept 192-bit keys

Select to specify that suite B cryptography is used, and is configured to accept a 192-bit key size. Keystore certificate algorithms require Elliptical curve (EC) cryptography.

Suite B can run in 2 modes: 128-bit or 192-bit. If using 192-bit mode, we must apply the unrestricted policy file to the JDK so that the stronger cipher required for the 192-bit mode can be used.

Data type: Default: Range:
Boolean Enabled Enabled or Disabled


Convert certificates

Select to convert certificates to the selected security standard. All certificates in keystores associated with an Secure Socket Layer (SSL) configuration are converted.


Related:

  • WAS security standards configurations
  • Configure WAS for the Suite B security standard
  • Configure WAS for SP800-131 standard strict mode
  • Transitioning WAS to the SP800-131 security standard
  • Configure Federal Information Processing Standard Java Secure Socket Extension files
  • FIPSCommands