FIPSCommands command group (Network Deployment v8.0, wsadmin scripting command reference)
Use the Jython or Jacl scripting languages to configure Federal Information Processing Standards (FIPS) with the wsadmin tool.
The FIPSCommands command group includes the following commands:
enableFips
The enableFips command enables or disables FIPS for the cell and, when enabling, selects the security level (FIPS 140-2, transition, or SP800-131) that the SSL configuration must meet.
Target object None.
Required parameters
-enableFips
Enables or disables FIPS. There is no default value. When the flag is set to true, the com.ibm.security.useFips security custom property is set to true. If the flag is set to false, the com.ibm.security.useFips security custom property is set to false and the other flags are ignored. (Boolean, required)
Optional parameters
-fipsLevel
Determines the level of the security standard to use. There is no default value. Valid values include:
FIPS140-2
For FIPS 140-2 mode
transition
For transition to SP800-131 mode
SP800-131
For strict SP800-131 mode
The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property. (String, optional)
-suiteBLevel
Sets the Suite B level to enforce. There is no default value. This flag is only used if the -fipsLevel flag is set to SP800-131; the examples on this page use the levels 128 and 192. The value provided is set on the com.ibm.websphere.security.suiteb security custom property. (String, optional)
-protocol
Sets the protocol the SSL configuration uses when the -fipsLevel flag is set to transition mode. Valid values are TLS, TLSv1.1 (can only be specified on the command line) and TLSv1.2. Note that the administrative console only shows TLS and TLSv1.2 as valid values. (String, optional)
Return values: True (success) or false (fail). If false, the reason for the failure is written to the log file. Before enabling a level, run listCertStatusForSecurityStandard with the same -fipsLevel (and -suiteBLevel) to confirm that every certificate used by the SSL configuration and plug-ins already meets it.
Examples
### Jacl
$AdminTask enableFips {-enableFips true -fipsLevel transition}
The command returns true on success:
true
getFipsInfo
The getFipsInfo command returns information about the FIPS setting in the configuration. It shows whether FIPS is enabled and, if so, which fipsLevel is set. If Suite B is enabled, the Suite B level is returned as well.
Target object None.
Required parameters None
Return value: The getFipsInfo command returns an attributeList with the FIPS setting. For example, with strict SP800-131 and Suite B 192:
{fipsEnabled true} {fipsLevel SP800-131} {suiteBLevel 192}
or, in transition mode with no Suite B level set:
{fipsEnabled true} {fipsLevel transition} {suiteBLevel {}}
Examples
### Jacl
$AdminTask getFipsInfo
The command returns the current setting, for example:
{fipsEnabled true} {fipsLevel SP800-131} {suiteBLevel {}}
listCertStatusForSecurityStandard
The listCertStatusForSecurityStandard command returns all certificates used by the SSL configuration and plug-ins, and states for each one whether it complies with the requested security level, can be converted to comply, or cannot be converted.
Target object None.
Required parameters
-fipsLevel
The security level to check the certificates against. There is no default value. Valid values are the same as for the -fipsLevel flag of enableFips: FIPS140-2, transition, and SP800-131. (String, required)
Optional parameters
-suiteBLevel
The Suite B level to check the certificates against. There is no default value, and the flag is only meaningful when -fipsLevel is SP800-131; the examples on this page use 128 and 192. (String, optional)
Return value: An attributeList with three keys: CAN_NOT_CONVERT, CAN_CONVERT, and MEET_SECURITY_STANDARD (earlier text for this command calls the last key MEET_SECURITY_LEVEL, but the command output in the examples uses MEET_SECURITY_STANDARD). Under each key is a list of certificate entries; each entry carries the keystore, managementScope, alias and reason attributes. Note that, as the example shows, the entries under a key are not individually braced: each certificate starts at its keystore attribute. For example:
{conversionStatus=CAN_NOT_CONVERT certificateInfo = { keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = <reason it cannot be converted> }} ...
{conversionStatus=CAN_CONVERT certificateInfo = { keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = empty, or the reason the certificate does not yet comply (as in the example below) }} ...
{conversionStatus=MEET_SECURITY_STANDARD certificateInfo = { keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = empty in this case }} ...
Certificates listed under CAN_NOT_CONVERT must be replaced by hand before the level can be enabled; the reason attribute states why they cannot be converted.
Examples
### Jacl
wsadmin>$AdminTask listCertStatusForSecurityStandard {-fipsLevel SP800-131 -suiteBLevel 128}
Output: both certificates are signed with SHA256withRSA, so they can be converted but do not yet meet Suite B 128, which requires an ECDSA signature:
{CAN_CONVERT {{keystore NodeDefaultKeyStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias default} {reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} {keystore NodeDefaultRootStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias root} {reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} }} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {}}
convertCertForSecurityStandard
The convertCertForSecurityStandard command converts all certificates used by the SSL configuration and plug-ins that can be converted to the requested security level, re-creating them with the given signature algorithm and key size, and reports the result per certificate in the same format as listCertStatusForSecurityStandard.
Target object None.
Required parameters
-fipsLevel
The security level the converted certificates must meet. There is no default value. Valid values are the same as for the -fipsLevel flag of enableFips: FIPS140-2, transition, and SP800-131. (String, required)
-signatureAlgorithm
Checks that the signatureAlgorithm is compliant with the fipsLevel and suiteBLevel and, if so, uses it to convert the certificates. For example, SHA256withRSA satisfies FIPS 140-2, while Suite B 128 requires SHA256withECDSA, as the listCertStatusForSecurityStandard example shows. (String, required)
Optional parameters
-suiteBLevel
The Suite B level the converted certificates must meet. There is no default value, and the flag is only meaningful when -fipsLevel is SP800-131; the examples on this page use 128 and 192. (String, optional)
-keySize
Checks that the keySize is compliant with the fipsLevel and suiteBLevel and, if so, uses it to convert the certificates. The default value is 2048. (Integer, optional)
Return value: The same three-key attributeList as listCertStatusForSecurityStandard. After conversion, the converted certificates appear under MEET_SECURITY_STANDARD, and any certificate that could not be converted remains under CAN_NOT_CONVERT with a reason:
{conversionStatus=CAN_NOT_CONVERT certificateInfo = {keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = <reason it cannot be converted> }} ...
{conversionStatus=MEET_SECURITY_STANDARD certificateInfo = {keystore = <keystore name> managementScope = <managementScope> alias = <certificate alias> reason = empty in this case }} ...
Examples
### Jacl
wsadmin> $AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -signatureAlgorithm SHA256withRSA -keySize 2048}
Output: both certificates now meet FIPS 140-2, so nothing remains to convert:
{CAN_CONVERT {}} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {{keystore NodeDefaultRootStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias root} {reason {}} {keystore NodeDefaultKeyStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias default} {reason {}} }}
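The four commands above form one procedure: read the current setting with getFipsInfo, check every certificate with listCertStatusForSecurityStandard, convert with convertCertForSecurityStandard, and only then call enableFips. Automating that requires turning the brace-delimited attributeList strings the commands return into data. The following is an added example written for this page, not IBM code: a small parser for the attribute-list format shown in the examples above, plus a decision function for the next step. It assumes the output shape shown on this page (whitespace-separated words, nested brace lists, the three status keys CAN_CONVERT, CAN_NOT_CONVERT and MEET_SECURITY_STANDARD, and one certificate record per keystore attribute). The sample strings are constructed from the examples on this page. It is written to run under CPython 3 on captured output; running it unchanged inside wsadmin's bundled Jython is an assumption that has not been exercised.

```python
"""Parse FIPSCommands attributeList output and pick the next migration step.

Added example, not IBM's code. Assumes the output format shown on this page:
whitespace-separated words and nested {...} lists, with the status keys
CAN_CONVERT, CAN_NOT_CONVERT and MEET_SECURITY_STANDARD. Targets CPython 3;
use under wsadmin's Jython is an untested assumption.
"""

# Constructed sample outputs, copied from the examples on this page.
LIST_OUTPUT = (
    "{CAN_CONVERT {{keystore NodeDefaultKeyStore} "
    "{managementScope (cell):testNode01Cell:(node):testNode01} {alias default} "
    "{reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs "
    "to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} "
    "{keystore NodeDefaultRootStore} "
    "{managementScope (cell):testNode01Cell:(node):testNode01} {alias root} "
    "{reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs "
    "to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} }} "
    "{CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {}}"
)
CONVERT_OUTPUT = (
    "{CAN_CONVERT {}} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD "
    "{{keystore NodeDefaultRootStore} "
    "{managementScope (cell):testNode01Cell:(node):testNode01} {alias root} {reason {}} "
    "{keystore NodeDefaultKeyStore} "
    "{managementScope (cell):testNode01Cell:(node):testNode01} {alias default} {reason {}} }}"
)
INFO_OUTPUT = "{fipsEnabled true} {fipsLevel SP800-131} {suiteBLevel {}}"


def parse_attr_list(text):
    """Turn a Jacl-style attribute list into nested Python lists.

    '{a b} {c {d e}}' -> [['a', 'b'], ['c', ['d', 'e']]]
    Raises ValueError on unbalanced braces instead of guessing.
    """
    stack = [[]]
    word = []
    for ch in text:
        if ch == '{' or ch == '}' or ch.isspace():
            if word:                      # a delimiter ends the current word
                stack[-1].append(''.join(word))
                word = []
            if ch == '{':
                stack.append([])          # open a nested list
            elif ch == '}':
                if len(stack) < 2:
                    raise ValueError("unbalanced '}' in attribute list")
                closed = stack.pop()      # close it and attach to the parent
                stack[-1].append(closed)
        else:
            word.append(ch)
    if word:
        stack[-1].append(''.join(word))
    if len(stack) != 1:
        raise ValueError("unbalanced '{' in attribute list")
    return stack[0]


def _text(node):
    """Join a parsed value back into one string (brace-quoted reasons split into words)."""
    if isinstance(node, list):
        return ' '.join([_text(n) for n in node]).strip()
    return node


def parse_fips_info(output):
    """getFipsInfo output -> dict; fipsEnabled becomes a real boolean."""
    info = {'fipsLevel': '', 'suiteBLevel': ''}
    for pair in parse_attr_list(output):
        info[pair[0]] = _text(pair[1:])
    info['fipsEnabled'] = info.get('fipsEnabled', 'false').lower() == 'true'
    return info


def parse_cert_status(output):
    """listCertStatusForSecurityStandard / convertCertForSecurityStandard output
    -> {status: [{'keystore': .., 'managementScope': .., 'alias': .., 'reason': ..}]}.

    Records are not individually braced in the output; each certificate starts
    at its keystore attribute, so that is where a new dict begins.
    """
    result = {}
    for entry in parse_attr_list(output):
        status = entry[0]
        pairs = []
        if len(entry) > 1:
            pairs = entry[1]
        certs = []
        current = None
        for pair in pairs:
            key = pair[0]
            if key == 'keystore':
                current = {}
                certs.append(current)
            if current is None:
                raise ValueError("attribute %s before any keystore under %s" % (key, status))
            current[key] = _text(pair[1:])
        result[status] = certs
    return result


def next_step(status):
    """Decide what must happen before enableFips is called at the checked level."""
    if status.get('CAN_NOT_CONVERT'):
        return 'FIX_MANUALLY'   # replace these certificates by hand, then re-run the check
    if status.get('CAN_CONVERT'):
        return 'CONVERT'        # run convertCertForSecurityStandard, then re-run the check
    return 'ENABLE'             # every certificate meets the standard; enableFips is safe


if __name__ == '__main__':
    print(parse_fips_info(INFO_OUTPUT))
    before = parse_cert_status(LIST_OUTPUT)
    for cert in before['CAN_CONVERT']:
        print('%s/%s: %s' % (cert['keystore'], cert['alias'], cert['reason']))
    print('next step before conversion:', next_step(before))
    print('next step after conversion:', next_step(parse_cert_status(CONVERT_OUTPUT)))
```

Inside wsadmin, the strings to feed these functions come from the Jython form of the same commands, for example AdminTask.listCertStatusForSecurityStandard('[-fipsLevel SP800-131 -suiteBLevel 128]'); that invocation form is the usual AdminTask Jython convention and is stated here as an assumption, not something this page shows. The decision order matters: a non-empty CAN_NOT_CONVERT list means enableFips at that level would leave unusable certificates, so the parser reports FIX_MANUALLY before it ever suggests CONVERT or ENABLE.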
Create self-signed certificates using scripting
Add a signer certificate to a keystore
Use the wsadmin scripting AdminTask object for scripted administration
Configure security with scripting
Related
ManagementScopeCommands command group
Use wsadmin scripting with Jython