Configure FIPS JSSE files


Overview

The Federal Information Processing Standard (FIPS)-approved Java Secure Socket Extension (JSSE) provider has increased data encryption capabilities. FIPS-approved JSSE providers support Data Encryption Standard (DES) or Triple DES with at least 56-bit encryption. Although this additional encryption capability is available, use Transport Layer Security (TLS) rather than SSL, because FIPS-approved JSSE files are not backwards-compatible and SSL is not FIPS-approved. If the server uses TLS, a client using SSL cannot communicate with the server. Therefore, use FIPS-approved JSSE providers if your servers and clients are using WebSphere Application Server V5.0.2 or later, as this version supports FIPS.

The IBMJSSEFIPS and IBMJCEFIPS underwent FIPS 140-2 certification.

If you create your own encryption configurations and enable FIPS, add a FIPS-approved JSSE to all of your server and client configurations.

Although WAS supports the IBM FIPS Standard-approved Java Secure Socket Extension (IBMJSSEFIPS), IBMJSSEFIPS is not supported on the HP-UX platform.

To configure the WAS to use IBMJSSEFIPS and IBMJCEFIPS providers, complete the following steps using the administrative console:

  1. Click...

    Security | Global Security

  2. Select the Use FIPS check box and click OK. IBMJCEFIPS is enabled. However, IBMJSSEFIPS is not configured until you complete the remaining steps.

  3. Click...

    Security | SSL

  4. Click the name of your SSL configuration or click New to create a new configuration.

  5. Select High from the Security Level menu. This action sets the encryption strength to 56 bits and higher.

  6. Indicate which JSSE FIPS provider to use. Do one of the following actions:

    • Select IBMJSSEFIPS from the Provider menu and select Predefined JSSE provider. For a list of providers that were previously configured, click Custom Properties under Additional Properties.

    • Type the name of your custom JSSE FIPS provider and select Custom JSSE provider. To create a custom JSSE FIPS provider, click...

      Custom Properties | New

      After configuring your custom FIPS-approved provider, return to the SSL Configuration Repertoires panel for your SSL configuration and enter the name in the Provider field.

  7. Select the TLS or TLSV1 option from the Protocol menu. To use a FIPS-approved JSSE, choose either the TLS or TLSV1 option. The SSL protocol is not FIPS-approved. After you select the protocol, the corresponding custom property value is updated for com.ibm.ssl.protocol. You can view this updated property value under Custom Properties after you click Apply or OK.

  8. Click OK.

  9. If you have a Java client that must access enterprise beans, modify the install_dir/properties/sas.client.props file to comment out the SSL protocol and add the Transport Layer Security (TLS) protocol. To change the protocol to TLS, edit...

    install_dir/properties/sas.client.props

    ...and make the following changes...

    #com.ibm.ssl.protocol=SSL
    com.ibm.ssl.protocol=TLS

  10. If the server uses a FIPS-approved provider for the CSIv2/SAS protocol, add IBMJSSEFIPS as the contextProvider and TLS as the protocol to the file...

    install_dir/properties/sas.client.props

    ...on the application client, add the following information...

    com.ibm.ssl.contextProvider=IBMJSSEFIPS
    com.ibm.ssl.protocol=TLS

  11. If the server-side SOAP connector configuration uses a FIPS-approved IBMJSSEFIPS provider, add com.ibm.fips.jsse.JSSESocketFactory as the provider and IBMJSSEFIPS as the contextProvider in the install_dir/properties/soap.client.props file on the administrative client. In...

    install_dir/properties/soap.client.props file

    ...add the following information:

    ssl.SocketFactory.provider=com.ibm.fips.jsse.JSSESocketFactory
    com.ibm.ssl.contextProvider=IBMJSSEFIPS

  12. Verify that a FIPS-approved configuration is specified correctly throughout the administrative console. Verify the configuration settings in the following panels:

    • Click...

      Servers | Application Servers | server | Administration Services | JMX Connectors | SOAPConnector | Custom Properties | sslConfig

    • Click...

      Servers | Application Servers | server | Web Container | HTTP Transport

    • Click...

      Environment | Virtual Hosts | host_name | Host Aliases | alias_name

    • Click...

      Applications | Enterprise Applications | application_name | Map virtual hosts for web modules

    • Click...

      Security | User Registries | LDAP

    • Click Enterprise Applications > application_name. Under Related Items, click Web Module > URI_file_name > Web Services: Client Security Bindings. Verify the configuration settings listed under HTTP Basic Authentication and HTTP SSL Authentication.
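As an added example (not IBM's code and not part of this page), the following Python script checks the client property files edited in steps 9 through 11 for the settings those steps require; the file contents it runs over are constructed here for illustration.

```python
import re

# Settings from steps 9-11 of the page. Values are tuples of accepted spellings;
# step 7 names both TLS and TLSV1 as FIPS-approved protocol choices.
SAS_EXPECTED = {
    "com.ibm.ssl.protocol": ("TLS", "TLSV1"),
    "com.ibm.ssl.contextProvider": ("IBMJSSEFIPS",),
}
SOAP_EXPECTED = {
    "ssl.SocketFactory.provider": ("com.ibm.fips.jsse.JSSESocketFactory",),
    "com.ibm.ssl.contextProvider": ("IBMJSSEFIPS",),
}

# key, optional '=' or ':' separator, value; the common Java .properties line shapes
_PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal Java .properties parser: ignores blank lines and lines starting
    with '#' or '!', so the commented-out '#com.ibm.ssl.protocol=SSL' line from
    step 9 is treated as absent. Later duplicates win, as in Java."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def fips_findings(text, expected):
    """Return the list of settings that are missing or not FIPS-approved.
    An empty list means the file matches the page's configuration."""
    props = parse_properties(text)
    findings = []
    for key, accepted in expected.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key} missing; expected {' or '.join(accepted)}")
        elif got not in accepted:
            findings.append(f"{key}={got}; expected {' or '.join(accepted)}")
    return findings


# Constructed sample: sas.client.props before steps 9 and 10 (SSL, non-FIPS provider).
SAS_BEFORE = "com.ibm.ssl.protocol=SSL\ncom.ibm.ssl.contextProvider=IBMJSSE\n"
# Constructed sample: the same file after steps 9 and 10 are applied.
SAS_AFTER = ("#com.ibm.ssl.protocol=SSL\ncom.ibm.ssl.protocol=TLS\n"
             "com.ibm.ssl.contextProvider=IBMJSSEFIPS\n")

if __name__ == "__main__":
    for name, text in (("before", SAS_BEFORE), ("after", SAS_AFTER)):
        print(name, fips_findings(text, SAS_EXPECTED) or "OK")
```

Run the same check with SOAP_EXPECTED against soap.client.props to cover step 11.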


Results

After completing these steps, a FIPS-approved JSSE provides increased encryption capabilities. However, when you use FIPS-approved providers, consider the following points:

If you select USE FIPS on the Global Security panel and select an SSL configuration on the SSL Configuration Repertoires panel, the following error message is displayed at the top of the Global Security panel:

The security policy is set to use only FIPS-approved cryptographic
algorithms. However at least one SSL configuration may not be using a 
FIPS-approved JSSE provider. FIPS-approved cryptographic algorithms 
may not be used in those cases.

If you use the FIPS-approved JSSE provided with WAS, choose IBMJSSEFIPS from the Provider menu on the SSL Configuration Repertoires panel. Otherwise, the following message is displayed at the top of the panel:

"Use FIPS" is enabled, but the SSL provider is not IBMJSSEFIPS. 
FIPS approved cryptographic algorithms may not be used.


Related tasks
Configuring Secure Sockets Layer
Related reference
Global security settings
Related topics
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List