FIPS compliance with WebSphere Portal Express

Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

FIPS compliance with WebSphere Portal Express

This section provides information about Federal Information Processing Standards (FIPS) and how they comply with IBM^® WebSphere^® Portal Express.

Federal Information Processing Standards (FIPS) are standards and guidelines issued by the United States National Institute of Standards and Technology (NIST) for federal government computer systems. FIPS are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist. WebSphere Portal Express provides toleration for WebSphere Application Server's support of FIPS 140-2. WebSphere Application Server Version 6.0 and later integrates cryptographic modules such as Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE), which are FIPS 140-2 certified. Throughout the documentation and the product, the FIPS 140-2 certified IBM JSSE and JCE modules are referred to as IBMJSSEFIPS and IBMJCEFIPS, which distinguishes the FIPS-certified modules from the prior, non-certified IBM JSSE and IBM JCE modules. For more information on the FIPS certification process, to see a list of validated modules, or to check the status of current IBM submissions, see the Related Information below.
WebSphere Portal Express toleration of the FIPS 140-2 compliant WebSphere Application Server configuration means that WebSphere Portal Express will continue to work normally after WebSphere Application Server is configured to activate FIPS 140-2 compliant security modules. The WebSphere Portal Express product has no self-contained cryptographic support and as a result is unaware of the module differences. Functions in WebSphere Portal Express that use encryption include:

Secure Sockets Layer (SSL) connections inbound from clients (but this is basically the WebSphere Application Server and HTTP Server support for SSL connections, and is transparent to WebSphere Portal Express)
Internal connections between WebSphere Portal Express administrative functions and WebSphere Application Server administrative services (invoked, for example, when deploying a portlet which must create a Web application in WebSphere Application Server)
The connection between the WebSphere Portal Express Member Manager component and LDAP, which can be carried over SSL
It is assumed, though not required, that all the connections listed above will be carried over SSL using FIPS-compliant encryption. Without FIPS 140-2 support connections may not be encrypted. And there is no requirement that every connection be SSL, even with FIPS-enabled cryptography over TLS, but again your connection may be unencrypted. Note that FIPS 140-2 enablement requires HTTP Server and LDAP server versions that provide support for FIPS 140-2. Consult the documentation for your HTTP server and LDAP server to determine your level of support. This section describes how to set up WebSphere Portal Express to use SSL. You may do these WebSphere Portal Express setup steps either before or after activating WebSphere Application Server's FIPS 140-2 support. See the WebSphere Application Server directions in their documentation. Here is a summary of the setup steps to activate SSL in WebSphere Portal Express:

Installing
Configuring security
Set up Transport Layer Security (TLS) for the internal HTTP Server in WebSphere Application Server. Refer to the "Configuring Federal Information Processing Standard Java Secure Socket Extension files" topic in the WebSphere Application Server Information Center for detailed instructions.
Optional: If your LDAP server supports TLS with FIPS enabled, you will:

Set up your LDAP server over SSL.
Enable TLS FIPS on the LDAP server. Refer to the product documentation for your LDAP server for detailed instructions.

Optional: Configure your HTTP server to support TLS with FIPS enabled. Refer to the HTTP server documentation for detailed instructions.

Limitations
There are some restrictions in the level of support that WebSphere Portal Express provides in using FIPS-certified modules:

Lotus Sametime and Lotus QuickPlace currently do not support FIPS 140-2.
By default, Microsoft Internet Explorer might not have TLS enabled. To enable TLS, open the Internet Explorer browser and click Tools > Internet Options. On the Advanced tab, select the Use TLS 1.0 check box.
The IBM Tivoli Directory Server provides the Use FIPS certified implementation option, which enables the directory server the FIPS-certified encryption algorithms uses. For more information, see "Setting the level of encryption" within the IBM Tivoli Directory Server Administration Guide
You can only use FIPS-certified JSSE providers if your servers and clients are using WebSphere Application Server Version 6.0 or later.

Related information

Cryptographic Module Validation Program
WebSphere Application Server product documentation

Parent topic:
Additional LDAP configuration