The Federal Information Processing Standard (FIPS) Publication 140-2, FIPS PUB 140-2, is a U.S. government computer security standard used to accredit cryptographic modules.
When the TDI server is configured to run in FIPS mode, that Server is using the FIPS 140-2 certified cryptographic modules. TDI does not generate cryptographic keys - keys are created using external utilities such as keytool and Ikeyman). For information on TDI use of encryption, see Security and TDI. In order to create, edit, export and overall manage keystores and truststores the Ikeyman GUI utility or the keytool command line utility can be used. The executable file, keytool.exe is found in root_directory/jvm/jre/bin, or root_directory/jvm/bin, depending on your platform.
Symmetric cipher support in TDI is one of the requirements for achieving a FIPS 140-2 compliance.
The reason for encrypting a message is to change the message into a meaningless form of text called cipher text that is meaningless to whoever intercepts the message. There are many different encryption algorithms called ciphers. One of the most widely known ciphers is the symmetric cipher. The symmetric cipher has a key that both the sender and the receiver can keep. The sender uses that key to encrypt the message. The receiver uses the same key to decrypt the message.
An optional configuration is provided to use a symmetric cipher (specifically, the Advanced Encryption Standard, or AES). The symmetric cipher encoded using AES allows customers that need FIPS-compliant solutions to use a supported cipher around encryption.
The following property defines the cipher:
com.ibm.di.securityTransformation=DES/ECB/NoPadding
This property defines a cipher for the password-based encryption or decryption of TDI configurations.
We can run TDI and the TDI server in a secure way using FIPS. We can also configure additional properties when we want to operate TDI in a specific mode, for example, FIPS mode.
FIPS 140-2 is concerned only with cryptographic functionality such as SSL, digital signing, encryption, cryptographic hashing and random number generation.
SSL
FIPS 140-2 requires TLS to be the protocol for SSL communication. SSLv3 and its predecessors are not allowed. When FIPS mode is turned on, TDI components that use SSL will fail to communicate with external systems that do not support TLS.
JDBC and the System Store
The DB2 Type 4 JDBC driver (com.ibm.db2.jcc.DB2Driver) that is shipped with TDI, supports SSL in a FIPS conformant way.
The Apache Derby drivers, network and embedded, do not support SSL in version 10.2 (which is the one bundled with TDI).
However, the Apache Derby 10.2 database engine can perform database encryption. By default TDI uses Derby for its System Store. If you use database encryption functionality of Derby in FIPS mode, be sure to specify the IBM certified cryptographic provider IBMJCEFIPS as the provider used for encryption and also choose a FIPS approved encryption cipher. Here is an example of how to configure the System Store to use Derby with FIPS compliant database encryption:
com.ibm.di.store.database=jdbc:derby://localhost:1527/C:\TDI\TDISysStoreEnc;create=true; dataEncryption=true;encryptionKey=c566bab9ee8b62a5ddb4d9229224c678;encryptionAlgorithm=AES/CBC/NoPadding; encryptionProvider=com.ibm.crypto.fips.provider.IBMJCEFIPS com.ibm.di.store.jdbc.driver=org.apache.derby.jdbc.ClientDriver com.ibm.di.store.jdbc.urlprefix=jdbc:derby: com.ibm.di.store.jdbc.user=APP
JMS and the System Queue
MQe Mini-Certificates involve cryptography that is not FIPS compliant, so this security feature of MQe should not be used in FIPS mode.
The WebSphere MQ 5.3 JMS provider is not capable of running SSL in a FIPS compliant mode. In FIPS mode SSL should not be used with that provider.
The WebSphere MQ 6.0 JMS provider can use SSL in a FIPS compliant mode. To take advantage of it, however, we need MQ 6.0.1.0 or higher, because in earlier versions of MQ 6.0 the FIPS conformant mode does not work properly with Java 6.0 that TDI uses. To use FIPS compliant SSL communications between TDI and WebSphere MQ:
When run in this mode the TDI Server is forced to use FIPS 140-2 cryptographic modules
If the Server is running with FIPS and SSL enabled, then do not use clients with SSL for secure sockets communication. In this case the Server uses TLS and a connection will not succeed. Instead of using SSL make sure you are using TLS like the Server does for secure sockets communication.
Run the TDI Server in FIPS mode has the following implications:
When using FIPS, many TDI configuration options are changed, so keep in mind several rules in order to maintain FIPS compliancy. Some of the rules are mentioned in this document and others can be found in https://w3.webahead.ibm.com/w3ki/download/attachments/370821/FIPS+140+Guidelines.pdf?version=1 and http://www-128.ibm.com/developerworks/java/jdk/security/50/FIPShowto.html.
Enabling FIPS mode in TDI
The underlying SSL module - IBMJSSE2 does not support hardware cryptography in FIPS mode as stated here: http://www-128.ibm.com/developerworks/java/jdk/security/50/secguides/jsse2Docs/JSSE2RefGuide.html#runfips. We cannot use hardware-based SSL keys for the Server API in FIPS mode; the com.ibm.di.server.pkcs11 property must be absent or set to false in global.properties and solution.properties.
By default the Server uses public key encryption with the RSA algorithm. However, the RSA encryption option is not compliant with FIPS 140-2. That is why manually configure another cryptographic transformation that is FIPS allowed. Below are sample steps that setup TDI to use the AES cipher for encryption:
keytool -genseckey -alias server -keyalg AES -keysize 128 -keystore server.jck -storepass mypass -storetype jceks -keypass mykeypass -providerClass com.ibm.crypto.fips.provider.IBMJCEFIPSThis command creates a new keystore file server.jck of type JCEKS (JKS keystores cannot host secret keys) with an AES key of size 128 under alias server. The password for the created keystore is mypass. Pay special attention to the keygenproviderclass parameter - it is absolutely necessary to specify the FIPS certified provider if you strive for FIPS 140-2 compliance. Note that this is just an example, we can use whatever file names, passwords and aliases you wish.
com.ibm.di.server.encryption.keystore=server.jck com.ibm.di.server.encryption.keystoretype=jceks com.ibm.di.server.encryption.key.alias=server com.ibm.di.server.encryption.transformation=AES/CBC/PKCS5Padding
All encrypted files that existed prior to the introduction of the new key, need to be migrated. Migration involves decryption with the old key and (optionally) re-encryption with the new one (see Maintaining encryption artifacts - keys, certificates, keystores, encrypted files). For example we can migrate global.properties as follows:
cryptoutils -input ../etc/global.properties -output ../etc/global.properties -mode decrypt_props -keystore ../testserver.jks -storepass server -alias server -transformation RSA -storetype jks -keypass server cryptoutils -input ../etc/global.properties -output ../etc/global.properties -mode encrypt_props -keystore ../server.jck -storepass mypass -alias server -transformation AES/CBC/PKCS5Padding -storetype jceks -keypass mykeypass
createstash mypass mykeypass com.ibm.crypto.fips.provider.IBMJCEFIPS
Directory Integrator Component | Allowed in FIPS mode? | Remarks |
---|---|---|
Connectors | ||
ACT Connector | yes | Operates as a Server API client |
Active Directory Change Detection Connector | yes | Uses default JSSE factories for SSL |
AssemblyLine Connector | yes | Operates as a Server API client |
Axis Easy Web Service Server Connector | yes | Uses default JSSE factories for SSL |
Command line Connector | yes | Provides no cryptography features |
Domino/Lotus Notes Connectors | no | Domino/Notes 7 cryptographic capabilities are
not FIPS conformant.
(Some FIPS enablement may be included in Notes 8.0.1.) |
ITIM DSMLv2 Connector | yes | Uses default JSSE factories for SSL |
DSMLv2 SOAP Connector | yes | Uses default JSSE factories for SSL |
DSMLv2 SOAP Server Connector | yes | Uses default JSSE factories for SSL |
Exchange Changelog Connector | yes | Uses default JSSE factories for SSL |
File system Connector | yes | Provides no cryptography features |
FTP Client Connector | yes | Provides no cryptography features |
GLA Connector | yes | Provides no cryptography features |
HTTP Client Connector | yes | Uses default JSSE factories for SSL |
Old HTTP Client Connector | yes | Uses default JSSE factories for SSL |
HTTP Server Connector | yes | Uses default JSSE factories for SSL |
Old HTTP Server Connector | yes | Provides no cryptography features |
IBM Directory Server Changelog Connector | yes | Uses default JSSE factories for SSL |
ITIM Agent Connector | yes | Provides no cryptography features |
JDBC Connector | depends | If no cryptography features are used (SSL, encryption), the Connector is FIPS conformant.
Otherwise FIPS conformance depends on the FIPS conformance of the cryptographic functionality of the JDBC driver that is used. See Connectors, Function Components, Parsers for a discussion on the FIPS conformance of JDBC drivers. |
JMS Connector | depends | If no cryptography features are used (SSL, encryption), the Connector is FIPS conformant.
Otherwise FIPS conformance depends on the FIPS conformance of the cryptographic functionality of the JDBC driver that is used. See Connectors, Function Components, Parsers for a discussion on the FIPS conformance of JMS providers. |
JMX Connector | yes | Provides no cryptography features |
JNDI Connector | yes | Uses default JSSE factories for SSL |
LDAP Connector | yes | Uses default JSSE factories for SSL |
LDAP Server Connector | yes | Uses default JSSE factories for SSL |
Mailbox Connector | yes | Uses default JSSE factories for SSL |
Memory Queue Connector | depends | Depends on the FIPS compliance of the JDBC driver
used for the System Store.
(The Memory Queue uses the System Store for persistence.) See Connectors, Function Components, Parsers for a discussion on the FIPS conformance of JDBC drivers. |
Memory Stream Connector | yes | Provides no cryptography features |
MQe Password Store Connector | depends | Only PKCS#7 is allowed in FIPS mode for message
protection.
The RSA encryption option must not be used. The MQe Mini Certificates are not FIPS compliant, so they must not be used in FIPS mode. |
Netscape/iPlanet/Sun Directory Changelog Connector | yes | Uses default JSSE factories for SSL |
Properties Connector | depends | If encryption is turned off, the Connector is
FIPS conformant.
Otherwise FIPS conformance depends on the cipher used for encryption. An example of a FIPS 140-2 approved cipher is AES. Other approved ciphers can be found at: http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf The Server encryption option will always be FIPS conformant as long as TDI is configured correctly for FIPS mode. (See Enabling FIPS mode.) |
Server Notifications Connector | yes | Operates as a Server API client |
System Queue Connector | depends | If no cryptography features are used by the
System Queue (SSL, encryption), the Connector is FIPS conformant.
Otherwise FIPS conformance depends on the FIPS conformance of the JMS provider that is used by the System Queue. See Connectors, Function Components, Parsers for a discussion on the FIPS conformance of JMS providers. |
Windows Users and Groups Connector | yes | Provides no cryptography features |
System Store Connector | depends | Depends on the FIPS compliance of the JDBC driver used by the System Store. |
RAC Connector | yes | Provides no cryptography features |
RDBMS Changelog Connector | depends | Same as the JDBC Connector |
SNMP Connector | yes | Provides no cryptography features |
SNMP Server Connector | yes | Provides no cryptography features |
TAM Connector | yes | Tivoli Access Manager Runtime for Java is FIPS conformant |
TCP Connector | yes | Uses default JSSE factories for SSL |
TCP Server Connector | yes | Uses default JSSE factories for SSL |
Timer Connector | yes | Provides no cryptography features |
URL Connector | yes | Provides no cryptography features |
Web Service Receiver Server Connector | yes | Uses default JSSE factories for SSL |
z/OS Changelog Connector | yes | Uses default JSSE factories for SSL |
Function Components | ||
Castor Java to XML FC | yes | Provides no cryptography features |
Castor XML to Java FC | yes | Provides no cryptography features |
EMF XMLToSDO | yes | Provides no cryptography features |
EMF SDOToXML | yes | Provides no cryptography features |
AssemblyLine FC | yes | Operates as a Server API client |
Java Class Function Component | depends | Depends on the FIPS compliance of the Java class, whose method will be invoked by the Function Component.
If the Java class does not use cryptography (SSL, encryption, signing, cryptographic hash functions, and so forth) it can be safely used in FIPS mode. |
Parser FC | depends | Depends on the FIPS compliance of the Parser that is configured for the Function Component |
CBE Generator Function Component | yes | Provides no cryptography features |
SendEMail Function Component | yes | Uses default JSSE factories for SSL |
Memory Queue FC | depends | Depends on the FIPS compliance of the JDBC driver
used by the System Store.
(The Memory Queue uses the System Store for persistence.) See Connectors, Function Components, Parsers for a discussion on the FIPS conformance of JDBC drivers. |
Axis Java To Soap FC | yes | Provides no cryptography features |
WrapSoap FC | yes | Provides no cryptography features |
Invoke Soap WS FC | yes | Uses default JSSE factories for SSL |
Axis Soap To Java FC | yes | Provides no cryptography features |
Axis EasyInvoke Soap WS FC | yes | Uses default JSSE factories for SSL |
Complex Types Generator Function Component | yes | Provides no cryptography features |
Remote Command Line Function Component | depends | The cryptographic capabilities of the RXA toolkit
are not FIPS compliant.
If no cryptography features are used, the component can be used in FIPS mode. |
z/OS TSO/E Command Line FC | depends | Depends on the FIPS compliance of the cryptography involved in the TSO command that is invoked by the Function Component |
SAP ABAP Application Server Component Suite | no | The SAP cryptographic module has not been FIPS
140-2 certified.
If no cryptography features are used, the components can be used in FIPS mode. |
Parsers | yes | None of the TDI Parser components use cryptography so all of them can be used in FIPS mode. |
Setting com.ibm.di.server.fipsmode.on
To enable FIPS mode in TDI specify it in a property in global.properties or solution.properties. The property is named com.ibm.di.server.fipsmode.on and can be set to either true or false. When this property is set to true, the TDI Server runs in FIPS mode. In this mode, the IBM FIPS security provider is set in the TDI JVM before the IBM JCE security provider in the providers list. When the TDI FIPS enabling property is true, it also enables FIPS mode in the IBM JSSE2 provider and sets the default JSSE SSL socket factories to be the ones from the IBM JSSE2 provider. By default FIPS mode is not enabled in TDI, that is, the com.ibm.di.server.fipsmode.on property is set to false.
Using crypto algorithms in FIPS mode
Only FIPS-compliant crypto algorithms can be used. This means that use only FIPS-compliant algorithms in order to stay in FIPS-compliant mode. Using other algorithms violates FIPS compliancy.
Setting com.ibm.di.securityTransformation
When opening an encrypted configuration, TDI uses the com.ibm.di.securityTransformation property to get the algorithm that decrypts the configuration. If this property is set to an algorithm which is not FIPS-compliant, and the TDI Server FIPS mode is turned on, then an Exception is thrown. The Exception message which is shown would look something like this:
CTGDIC012E Could not load file<FILE_PATH>. No such algorithm: <ALGORITHM_NAME>.
In order to avoid this Exception, always set FIPS-compliant algorithms for this property when running in FIPS mode. By default the com.ibm.di.securityTransformation property is set to DES/ECB/Nopadding which is not a FIPS-compliant algorithm. This property also defines a cipher for the password-based encryption and decryption of TDI configurations.
Setting properties automatically when running in FIPS mode
Using the create stash file command line tool in FIPS mode
To create a stash file that conforms to FIPS 140-2 standards you must provide the IBMJCEFIPS provider class as the third parameter when using the createstash file tool. For example:
TDI_install_dir\bin\createstash Password Password com.ibm.crypto.fips.provider.IBMJCEFIPS
Using alternatives to RSA encryption in FIPS mode
In FIPS mode, configure TDI to use the Advanced Encryption Standard (AES) instead of the RSA encryption algorithm. A secret key cipher that is FIPS 140-2 compliant is required. As an acronym, RSA stands for Rivest, Shamir, and Adelman, the inventors of the algorithm. The RSA algorithm is a strong encryption algorithm used for sending data over the internet. The RSA cipher is allowed only to encrypt and decrypt keys for transport (SSL, TLS) to stay within the boundaries of the Approved Mode of FIPS 140-2 Level 1, as stated at: http://www-128.ibm.com/developerworks/java/jdk/security/50/FIPShowto.html.
This section provides command line syntax for identifying the appropriate crypto provider, and when generating a secret key.
createstash
Pass the FIPS 140-2 certified crypto provider IBMJCEFIPS as an explicit provider parameter on the command-line:
createstash mypass mykeypass com.ibm.crypto.fips.provider.IBMJCEFIPS
cryptoutils
Pass the FIPS 140-2 certified crypto provider IBMJCEFIPS as an
explicit provider on the command-line using the cryptoproviderclass option
like this:
Running keytool/Ikeyman in FIPS mode
To use the keytool and Ikeyman utilities in FIPS mode, edit the
java.security file in TDI_install_dir/jvm/jre/lib/security.
In the first two lines in the java.security file, set the IBMJCEFIPS
provider first and the IBMJCE security provider second. For example:
However, on Solaris and HP-UX, the SUN provider should always be the
first provider in the security providers list.
cryptoutils -input registry.txt -output registry.enc -mode encrypt -keystore ../testserver.jks -storepass server
-alias server -cryptoproviderclass com.ibm.crypto.fips.provider.IBMJCEFIPS
Configuring FIPS properties for TDI
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE