Configure Federal Information Processing Standard Java Secure Socket Extension files

 

Overview

In WAS V6, the Java Secure Socket Extension (JSSE) provider used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the Java Cryptography Extension (JCE) provider. Consequently, IBMJSSE2 does not need to be Federal Information Processing Standard (FIPS)-approved because it does not perform cryptography. However, the JCE provider requires FIPS-approval.

WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can utilize. The IBMJCEFIPS provider shipped in WAS V6 supports the following SSL ciphers:

  • SSL_RSA_WITH_AES_128_CBC_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA

  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA

  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

  • SSL_DH_anon_WITH_AES_128_CBC_SHA

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

Even though the IBMJSSEFIPS provider is still present, the runtime does not use this provider. If IBMJSSEFIPS is specified as a contextProvider, WebSphere Application Server automatically defaults to the IBMJSSE2 provider (with the IBMJCEFIPS provider) for supporting FIPS in V6. When you enable FIPS in the server Global Security Panel, the runtime always uses IBMJSSE2, regardless of the contextProvider you specify for SSL (IBMJSSE, IBMJSSE2 or IBMJSSEFIPS). Also, because FIPS requires that the SSL protocol be TLS, the runtime always uses TLS when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in V6 because an administrator only needs to enable the FIPS flag in the Global Security Panel to enable all transports using SSL.

 

Procedure

  1. Click Security > Global Security. Select the Use the Federal Information Processing Standard (FIPS) option and click OK. IBMJSSE2 and IBMJCEFIPS are enabled.

  2. If you have a Java client that must access enterprise beans, change the com.ibm.security.useFIPS property value from false to true in the install_dir/profiles/profile/properties/sas.client.props file.

  3. If you have an administrative client using the Simple Object Access Protocol (SOAP) connector, modify the install_dir/profiles/profile/properties/soap.client.props file on the administrative client and set the following property:

    #com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.contextProvider=IBMJSSEFIPS
    
    

    Note: Specifying IBMJSSEFIPS indicates that the client wants to be in FIPS mode, and the runtime uses the IBMJSSE2 provider in combination with the IBMJCEFIPS provider.
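
The following added example (not part of the original documentation and not IBM code) checks the two client property files from steps 2 and 3 for the FIPS settings, ignoring commented-out lines such as the one shown in step 3. The file contents are constructed samples, and the names parse_props, audit, EXPECTED and SAMPLE are hypothetical.

```python
# Added example: audit WebSphere client property files for the FIPS settings
# named in steps 2 and 3. All file contents below are constructed samples.

# File name -> (property, value the procedure asks for). Values are compared
# exactly as the page writes them.
EXPECTED = {
    "sas.client.props": ("com.ibm.security.useFIPS", "true"),
    "soap.client.props": ("com.ibm.ssl.contextProvider", "IBMJSSEFIPS"),
}


def parse_props(text):
    """Parse Java .properties text: skip '#'/'!' comments, last key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Key ends at the first '=' or ':' (escapes, whitespace separators
        # and line continuations are not handled in this sketch).
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit(files):
    """Return a list of findings; an empty list means both settings match."""
    findings = []
    for name, (key, want) in EXPECTED.items():
        if name not in files:
            findings.append(f"{name}: file not supplied")
            continue
        got = parse_props(files[name]).get(key)
        if got is None:
            findings.append(f"{name}: {key} is not set (commented out or missing)")
        elif got != want:
            findings.append(f"{name}: {key}={got}, expected {want}")
    return findings


# Constructed sample: FIPS left off, and the FIPS line is the commented one.
SAMPLE = {
    "sas.client.props": "com.ibm.security.useFIPS=false\n",
    "soap.client.props": "com.ibm.ssl.contextProvider=IBMJSSE2\n"
                         "#com.ibm.ssl.contextProvider=IBMJSSEFIPS\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check real files, read each one from install_dir/profiles/profile/properties/ and pass the text to audit under the same file-name keys.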

 

Result

After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:

  • By default, Microsoft Internet Explorer V5.5 might not have Transport Layer Security (TLS) enabled. To enable TLS, open the Internet Explorer browser and click Tools > Internet Options. On the Advanced tab, select the Use TLS 1.0 option.

    Note: Netscape V4.7.x and earlier versions might not support TLS.

  • IBM Directory Server V5.1 (and earlier versions) do not support TLS.

  • If you have an administrative client that uses a SOAP connector and you enable FIPS, add the following line to the install_dir/profiles/profile/properties/soap.client.props file:

    com.ibm.ssl.contextProvider=IBMJSSEFIPS
    
    

  • When you select the Use the Federal Information Processing Standard (FIPS) option on the Global Security panel, the Lightweight Third-Party Authentication (LTPA) token format is not backwards-compatible with previous releases of WebSphere Application Server. However, one can continue to use the LTPA keys configured using a previous version of WebSphere Application Server.

Note: When enabling FIPS, one cannot configure cryptographic token devices in the SSL repertoires. IBMJSSE2 must use IBMJCEFIPS when utilizing cryptographic services for FIPS.

The following are the FIPS 140-2 approved cryptographic providers:

  • IBMJCEFIPS (certificate 376)

  • IBMJSSEFIPS (certificate 409)

  • IBM Cryptography for C (ICC) (certificate 384)

The relevant certificates are listed on the NIST Web site: Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List


 
