IBM BPM, V8.0.1, All platforms > Authoring services in Integration Designer > Services and service-related functions > Access external services with adapters > Configure and using adapters > IBM WebSphere Adapters > FTP > Plan for adapter implementation > Security > Support for FTPS protocol

Configure the adapter for FIPS 140-2

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a United States government standard for cryptographic features such as encryption, decryption, hashing (message digests), Secure Sockets Layer, Transport Layer Security, Internet Protocol security, Secure Shell, signatures, key exchange, and key or certificate generation used in software products and modules. If you are a user working with the United States government who must conform to the FIPS standard, you can configure the adapter to run in FIPS mode.

Configuring the adapter to run in FIPS mode restricts it to working with modules whose cryptographic features comply with FIPS-approved methods and providers. From the adapter's perspective, running in FIPS mode restricts it to the Transport Layer Security (TLS) secure socket protocol. A single Java™ Virtual Machine (JVM) cannot run in FIPS mode while also containing non-FIPS-mode JSSE applications that execute at the same time.

For the adapter to run in FIPS mode, the FTP server must support SSL v3.1 (equivalent to TLS v1.0), and that support must be enabled through the FTP server's configuration wizard. If SSL v3.1 is not properly supported, the SSL handshake with the adapter might fail.

When in FIPS 140-2 mode, IBM WebSphere Adapter for FTP uses the FIPS 140-2 approved cryptographic providers IBMJCEFIPS (certificate 376) and IBMJSSEFIPS (certificate 409). The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm.

To run the adapter in FIPS mode, you must instruct the adapter to use the IBM Java Secure Socket Extension (IBMJSSE2) provider package. The IBMJSSE2 provider is the preregistered Java Secure Socket Extension provider in the Java security file of IBM SDK, version 6.0. IBMJSSE2 uses FIPS-approved packages.

The Secure Socket Layer (SSL) is not supported in FIPS mode.

Complete the following steps to run the adapter in FIPS mode:


Procedure

  1. In the IBMJSSE2 provider, set the com.ibm.jsse2.JSSEFIPS property to true.

    1. Follow the steps to configure the values:

    • Invoke the IBM BPM Process Administrative Console by connecting to http://<hostname>:<portnumber>/ibm/console/.

      For example, http://9.186.116.151:9060/ibm/console/

    • Navigate to Servers.

    • Select WebSphere application servers from Server Types.

    • Select Configuration, Server Infrastructure, Java and Process Management, and Process Definition.

    • Select Additional properties, Java Virtual Machine, and Custom properties.

    • Click New and set Name to com.ibm.jsse2.JSSEFIPS.
    • Set Value to true.

  2. Set the following security properties so that the IBMJSSE2 provider handles all JSSE requests.

    1. Set the ssl.SocketFactory.provider property to com.ibm.jsse2.SSLSocketFactoryImpl.
    2. Set the ssl.ServerSocketFactory.provider property to com.ibm.jsse2.SSLServerSocketFactoryImpl.
    3. Follow the steps to configure the values:

    • Locate <java-home>/lib/security/java.security, where <java-home> is the home path of the IBM BPM Java Virtual Machine (JVM).

      For example, C:\IBM\WebSphere\ProcServer\java\jre\lib\security\java.security

    • Open java.security and find the segment that resembles the following:
      # Default JSSE socket factories
      #ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
      #ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
      # WebSphere socket factories (in cryptosf.jar)
      ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
      ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
    • Uncomment the default JSSE socket factories and comment out the WebSphere socket factories. The settings then read as follows:
      # Default JSSE socket factories
      ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
      ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
      # WebSphere socket factories (in cryptosf.jar)
      #ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
      #ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

  3. In the security properties file, add the IBMJCEFIPS provider com.ibm.crypto.fips.provider.IBMJCEFIPS to the provider list above the IBMJCE provider. Follow the security.provider.n=providername format, where n denotes the preference order of the provider: the provider with a value of 1 is considered before the provider with a value of 2. Do not remove the IBMJCE provider.

    1. Follow the steps to configure the values:

    • Locate <java-home>/lib/security/java.security, where <java-home> is the home path of the IBM BPM JVM.

      For example, C:\IBM\WebSphere\ProcServer\java\jre\lib\security\java.security

    • Open java.security and find the segment that resembles the following. The list shows the providers in preference order.
      #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.1=com.ibm.crypto.provider.IBMJCE
      security.provider.2=com.ibm.jsse.IBMJSSEProvider
      security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.5=com.ibm.security.cert.IBMCertPath

  4. Edit the java.security file to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) before the IBMJCE provider, and also renumber the other providers in the provider list.

    • If the provider already exists, uncomment the line com.ibm.crypto.fips.provider.IBMJCEFIPS and ensure that it is placed before the line com.ibm.crypto.provider.IBMJCE.

    • After you have made the settings, the file reads as follows:
      security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.jsse.IBMJSSEProvider
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
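The java.security edits in steps 2 to 4 are easy to get wrong by hand (a provider numbered twice, IBMJCEFIPS left below IBMJCE, or a WebSphere socket factory still active). The following Python script is an added example, not part of the IBM documentation: it applies those edits to java.security text and then checks the result; the SAMPLE excerpt is constructed from the file snippets shown on this page, condensed.

```python
import re
JSSE2 = ("ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl",
         "ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl")
WAS = "com.ibm.websphere.ssl.protocol."
FIPS, JCE = "com.ibm.crypto.fips.provider.IBMJCEFIPS", "com.ibm.crypto.provider.IBMJCE"
PROVIDER_RE = re.compile(r"^#?security\.provider\.(\d+)=(\S+)$")
# Constructed java.security excerpt, condensed from the snippets shown on this page.
SAMPLE = """#ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
#ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
"""

def enable_fips(text):
    """Activate JSSE2 factories, comment out WebSphere ones, put IBMJCEFIPS above IBMJCE."""
    out, providers, slot = [], [], None
    for line in text.splitlines():
        s, m = line.strip(), PROVIDER_RE.match(line.strip())
        if m:                                    # gather providers; re-emitted below
            slot = len(out) if slot is None else slot
            if m.group(2) != FIPS:               # drop a stale (commented) FIPS entry
                providers.append(m.group(2))
        elif s.lstrip("#") in JSSE2:
            out.append(s.lstrip("#"))            # uncomment the JSSE2 factories
        elif WAS in s and not s.startswith("#"):
            out.append("#" + s)                  # comment out the WebSphere factories
        else:
            out.append(line)
    if JCE not in providers:
        raise ValueError("IBMJCE provider not found; refusing to edit")
    providers.insert(providers.index(JCE), FIPS)  # above IBMJCE; IBMJCE is kept
    block = ["security.provider.%d=%s" % (i, p) for i, p in enumerate(providers, 1)]
    return "\n".join(out[:slot] + block + out[slot:]) + "\n"

def check_fips(text):
    """Return the procedure's requirements that `text` still violates (empty if OK)."""
    active = [l.strip() for l in text.splitlines() if not l.strip().startswith("#")]
    providers = {int(m.group(1)): m.group(2) for m in map(PROVIDER_RE.match, active) if m}
    order = [providers[k] for k in sorted(providers)]
    problems = []
    if set(JSSE2) - set(active) or any(WAS in a for a in active):
        problems.append("JSSE2 factories must be the only active ssl.* factories")
    if sorted(providers) != list(range(1, len(order) + 1)):
        problems.append("security.provider numbering must be contiguous from 1")
    if FIPS not in order or JCE not in order or order.index(FIPS) > order.index(JCE):
        problems.append("IBMJCEFIPS must be listed above IBMJCE")
    return problems
```

Running `check_fips` on the real file before and after editing gives a quick confirmation that the provider order and socket factory settings match what this procedure requires.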


What to do next

For more details on configuring security, see the security documentation for IBM BPM or WebSphere Enterprise Service Bus.
