How to configure IBM Rational Change 5.3 to run in FIPS mode

Improve application security to meet the Federal Information Processing Standard

Follow these steps to configure IBM® Rational® Change to run in Federal Information Processing Standard (FIPS) mode. All of the configuration changes required in the application, the Java Runtime Environment (JRE), and the web server are included in the code provided in this article.

Pradeep K. Shashidhar (pradeep.shashidhar@in.ibm.com), Staff Software Engineer, IBM

Pradeep has nearly a decade of experience in software development, with half of that time working on the Rational Change application. He is experienced in using Java, Perl, PHP, and .NET technologies and in change and configuration management, payment, and online learning domains.



26 July 2011

1. Configure the JRE settings

  1. Make sure that the cryptographic library file, ibmjcefips.jar, is available in the <JRE_HOME>\lib\ext directory.
  2. Edit the Java security file, <JRE_HOME>\lib\security\java.security, to make the changes that follow:
    • Add the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) to the beginning of the list of security providers, and renumber the existing providers so that the numbering stays consecutive. Putting the FIPS provider first is what makes the JRE pick its implementations ahead of the non-FIPS IBMJCE provider.
    Listing 1 shows the list of default security providers for Microsoft Windows or Linux operating systems.
Listing 1. Default security providers for Windows or Linux systems
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

The Listing 2 example shows the list of default security providers for Solaris systems.

Listing 2. Default security providers for Solaris systems
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

Listing 3 shows the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) added to the existing list on a Windows or Linux platform. Every existing provider moves down one position.

Listing 3. IBMJCEFIPS provider added for Windows or Linux systems
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

Listing 4 shows the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) added to the existing list on a Solaris system.

Listing 4. IBMJCEFIPS provider added for a Solaris system
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
security.provider.3=sun.security.provider.Sun
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

2. Configure the JRE for SSL

  1. Configure the Java Runtime Environment (JRE) to use the IBM JSSE2 SSL socket factory providers by editing the same java.security file.
  2. Replace these commented-out entries:
#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=

with these:

ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
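Steps 1 and 2 are a mechanical rewrite of java.security: insert the FIPS provider at position 1, renumber everything below it, and uncomment the two socket factory entries. The following Python script is an added example, not part of this article or of the Rational Change product. It performs that rewrite on the text of a java.security file, is idempotent, and refuses to run if IBMJCEFIPS is already present at any position other than 1. The sample input embedded in it is constructed from Listing 1 plus the commented-out socket factory lines; the function names are the example's own.

```python
"""Rewrite java.security for FIPS mode (added example; not an IBM tool).

Steps 1 and 2 of the procedure as one idempotent text transform:
  * insert com.ibm.crypto.fips.provider.IBMJCEFIPS as security.provider.1
    and shift every existing provider down by one (Listing 1 -> Listing 3,
    Listing 2 -> Listing 4);
  * replace the commented-out ssl.SocketFactory.provider and
    ssl.ServerSocketFactory.provider entries with the IBM JSSE2 classes.
Run it on a copy of <JRE_HOME>/lib/security/java.security and diff before
you put the result in place.
"""
import re
import sys

FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
SSL_FACTORIES = {
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}
_PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")

# Constructed sample: Listing 1 (Windows/Linux defaults) plus the two
# commented-out socket factory lines that java.security ships with.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
#
# Determines the default SSLSocketFactory and SSLServerSocketFactory
#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
"""


def add_fips_provider(lines):
    """Return a copy of lines with IBMJCEFIPS as provider 1, others renumbered."""
    matches = [(i, _PROVIDER_RE.match(line)) for i, line in enumerate(lines)]
    entries = [(i, int(m.group(1)), m.group(2)) for i, m in matches if m]
    if not entries:
        raise ValueError("no security.provider.N entries found")
    for _, n, cls in entries:
        if cls == FIPS_PROVIDER:
            if n == 1:
                return list(lines)  # already converted: nothing to do
            raise ValueError(f"{FIPS_PROVIDER} is provider {n}; it must be 1")
    out = list(lines)
    for i, n, cls in entries:  # shift every existing provider down by one
        out[i] = f"security.provider.{n + 1}={cls}"
    out.insert(entries[0][0], f"security.provider.1={FIPS_PROVIDER}")
    return out


def set_ssl_factories(lines):
    """Uncomment (or append) the JSSE2 socket factory provider entries."""
    out, seen = [], set()
    for line in lines:
        key = line.lstrip("#").split("=", 1)[0].strip()
        if key in SSL_FACTORIES:
            out.append(f"{key}={SSL_FACTORIES[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, cls in SSL_FACTORIES.items():
        if key not in seen:  # entry absent from this java.security: add it
            out.append(f"{key}={cls}")
    return out


def convert_java_security(text):
    """Apply both steps to the text of a java.security file."""
    lines = set_ssl_factories(add_fips_provider(text.splitlines()))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pass a path to convert a real file; with no argument, convert the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    sys.stdout.write(convert_java_security(src))
```

Running it with no arguments prints Listing 3 followed by the two socket factory entries; running it a second time on its own output changes nothing, which is the property you want from anything that edits a JRE-wide security file.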

3. Generate the certificate using the IBMJCEFIPS provider

When you configure Rational Change to run in HTTPS mode, add the provider name to every keytool command so that the keystore and key pair are created by the FIPS provider rather than the default IBMJCE provider:
-provider com.ibm.crypto.fips.provider.IBMJCEFIPS


For example:

	keytool -genkey -keystore "D:\certs\fips1.keystore" -alias angler -keyalg RSA -provider com.ibm.crypto.fips.provider.IBMJCEFIPS

Note:
The rest of the steps to configure Rational Change to run in HTTPS mode remain the same.


4. Configure the Jetty server to use the TLS protocol

Configure the Jetty server to support FIPS. In FIPS mode, Rational Change uses the TLS (Transport Layer Security) protocol to establish secure connections; SSLv3 is not a FIPS-approved protocol. If the application is installed with Jetty, pass the protocol value (<Set name="SSLProtocol">TLS</Set>) to the HTTPS listener through the jetty.xml file, as Listing 5 shows. Note that the keystore password and key password in Listing 5 are stored in clear text in jetty.xml, so restrict read access to that file to the account that runs the server.

Listing 5. Edit the Jetty XML file to pass the TLS protocol

	<Call name="addListener">
	   <Arg>
		  <New class="org.mortbay.http.ibmjsse.IbmJsseListener">
			 <Set name="Port">8001</Set>
			 <Set name="MinThreads">5</Set>
			 <Set name="MaxThreads">255</Set>
			 <Set name="MaxIdleTimeMs">60000</Set>
			 <Set name="LowResourcePersistTimeMs">5000</Set>
			 <Set name="Keystore">D:\certs\fips1.keystore</Set>
			 <Set name="Password">password</Set>
			 <Set name="KeyPassword">password</Set>
			 <Set name="SSLProtocol">TLS</Set>
		  </New>
	   </Arg>
	</Call>

5. Add a JVM argument to enforce FIPS

Jetty server

Microsoft Windows

  1. Add this Java Virtual Machine (JVM) argument to <JETTY_HOME>\jetty\win32\service.cfg, after the existing line jvmOption8=-Dorg.mortbay.xml.XmlParser.NotValidating=true:
    jvmOption9=-Dcom.ibm.jsse2.JSSEFIPS=true
  2. Reinstall the service by running the service.bat /remove and service.bat /install commands so that the new option takes effect.

UNIX

  1. Edit <JETTY_HOME>/jetty/jetty.sh and add -Dcom.ibm.jsse2.JSSEFIPS=true to both JAVA_OPTIONS assignments. Change these lines:
	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG -Xms128m -Xmx512m
	-Dorg.mortbay.xml.XmlParser.NotValidating=true $JAVA_OPTIONS"

to these:

	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG
	-Xms128m -Xmx512m -Dcom.ibm.jsse2.JSSEFIPS=true
	-Dorg.mortbay.xml.XmlParser.NotValidating=true $JAVA_OPTIONS"
  2. And change these lines:
	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG -Xms128m -Xmx512m
	-Dorg.mortbay.xml.XmlParser.NotValidating=true -server $JAVA_OPTIONS"

to these:

	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG
	-Xms128m -Xmx512m -Dcom.ibm.jsse2.JSSEFIPS=true
	-Dorg.mortbay.xml.XmlParser.NotValidating=true -server $JAVA_OPTIONS"

Tomcat server

Windows

Service mode

  1. If Tomcat is configured to start in service mode, open the Tomcat Properties dialog window by running tomcat5w.exe or tomcat6w.exe from the <TOMCAT_HOME>\bin directory.
  2. In the Tomcat Properties window, click the Java tab, and add this option in the Java Options section:
    -Dcom.ibm.jsse2.JSSEFIPS=true

Startup script

  1. If Tomcat is configured to start through the startup script, <TOMCAT_HOME>\bin\startup.bat, set the JAVA_OPTS variable by adding this line to the beginning of the <TOMCAT_HOME>\bin\setenv.bat script file:
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.JSSEFIPS=true

Note:
If the setenv.bat script does not exist, create it under the <TOMCAT_HOME>\bin\ directory; the Tomcat startup scripts run it automatically when it is present.

UNIX

Startup script

  1. Set the JAVA_OPTS variable by editing the <TOMCAT_HOME>/bin/setenv.sh script.
    Note: If the setenv.sh script does not exist, create it under the <TOMCAT_HOME>/bin/ directory; the Tomcat startup scripts run it automatically when it is present.
  2. Add this line to the beginning of the script file:
    JAVA_OPTS="-Dcom.ibm.jsse2.JSSEFIPS=true"; export JAVA_OPTS

6. Finish the settings in the Rational Change application

  1. To force Rational Change to use only cryptographic algorithms supported by FIPS, add this entry to the CHANGE_APP_HOME/WEB-INF/wsconfig/pt.cfg file:
    [CCM_SYSTEM][ENABLE_FIPS]true[/ENABLE_FIPS][/CCM_SYSTEM]
  2. In the CHANGE_APP_HOME/WEB-INF/wsconfig directory, edit these three files:
    • synergy_user.xml
    • local_admin.xml
    • rds_config.xml

    In each file, replace the <password> element with a <password-unencrypted> element that contains the clear-text password. Because these passwords are now stored in clear text, restrict read access to the wsconfig directory to the account that runs the web server.

  3. Click the Load button in the administration interface to reload all of the configuration files.
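Once all six steps are applied, a practitioner wants a check that nothing was missed before the server is restarted. The following Python script is an added example, not part of this article or of the Rational Change product. It audits the four artifacts the procedure changes (java.security, jetty.xml, the JVM options string, and pt.cfg) and reports each setting that is still missing. The sample inputs at the bottom are constructed from the listings in this article; the function names are the example's own.

```python
"""Audit a Rational Change deployment for the six FIPS settings (added example).

Reads the four artifacts the procedure touches and reports every setting
that is still missing: java.security (steps 1-2), jetty.xml (step 4), the
JVM options actually passed to the server (step 5) and pt.cfg (step 6).
Step 3 (the keystore) is covered indirectly: the jetty.xml check reports
the keystore path the listener points at.
"""
import re
import xml.etree.ElementTree as ET

FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
JSSE_FIPS_FLAG = "-Dcom.ibm.jsse2.JSSEFIPS=true"
JSSE_LISTENER = "org.mortbay.http.ibmjsse.IbmJsseListener"
SSL_FACTORIES = {
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}


def _props(text):
    """key=value pairs of a java.security file; comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_java_security(text):
    """Steps 1 and 2: FIPS provider first, JSSE2 socket factories set."""
    p, findings = _props(text), []
    first = p.get("security.provider.1")
    if first != FIPS_PROVIDER:
        findings.append(f"security.provider.1 is {first!r}, expected {FIPS_PROVIDER}")
    for key, cls in SSL_FACTORIES.items():
        if p.get(key) != cls:
            findings.append(f"{key} is not set to {cls}")
    return findings


def check_jetty_xml(text):
    """Step 4: every IbmJsseListener must carry <Set name="SSLProtocol">TLS</Set>."""
    root = ET.fromstring(text)
    listeners = [n for n in root.iter("New") if n.get("class") == JSSE_LISTENER]
    if not listeners:
        return [f"jetty.xml defines no {JSSE_LISTENER}"]
    findings = []
    for node in listeners:
        cfg = {s.get("name"): (s.text or "").strip() for s in node.findall("Set")}
        if cfg.get("SSLProtocol") != "TLS":
            findings.append(f"listener on port {cfg.get('Port')} (keystore "
                            f"{cfg.get('Keystore')}) does not set SSLProtocol=TLS")
    return findings


def check_jvm_options(opts):
    """Step 5: opts is the JAVA_OPTIONS/JAVA_OPTS string or the joined jvmOptionN values."""
    return [] if JSSE_FIPS_FLAG in opts.split() else [f"JVM options lack {JSSE_FIPS_FLAG}"]


def check_pt_cfg(text):
    """Step 6: [CCM_SYSTEM] must contain [ENABLE_FIPS]true[/ENABLE_FIPS]."""
    m = re.search(r"\[CCM_SYSTEM\].*?\[ENABLE_FIPS\]\s*(\w+)\s*\[/ENABLE_FIPS\]", text, re.S)
    if m and m.group(1).lower() == "true":
        return []
    return ["pt.cfg lacks [CCM_SYSTEM][ENABLE_FIPS]true[/ENABLE_FIPS][/CCM_SYSTEM]"]


def audit(java_security, jetty_xml, jvm_options, pt_cfg):
    """Return the list of findings; an empty list means every step is in place."""
    return (check_java_security(java_security) + check_jetty_xml(jetty_xml)
            + check_jvm_options(jvm_options) + check_pt_cfg(pt_cfg))


# Constructed sample inputs: a deployment with every step applied.
GOOD_JAVA_SECURITY = """\
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
"""
GOOD_JETTY_XML = """\
<Call name="addListener"><Arg>
  <New class="org.mortbay.http.ibmjsse.IbmJsseListener">
    <Set name="Port">8001</Set>
    <Set name="Keystore">D:\\certs\\fips1.keystore</Set>
    <Set name="SSLProtocol">TLS</Set>
  </New>
</Arg></Call>
"""
GOOD_JVM_OPTIONS = "-Xms128m -Xmx512m -Dcom.ibm.jsse2.JSSEFIPS=true"
GOOD_PT_CFG = "[CCM_SYSTEM][ENABLE_FIPS]true[/ENABLE_FIPS][/CCM_SYSTEM]"

if __name__ == "__main__":
    findings = audit(GOOD_JAVA_SECURITY, GOOD_JETTY_XML, GOOD_JVM_OPTIONS, GOOD_PT_CFG)
    for line in findings or ["FIPS configuration complete"]:
        print(line)
```

To audit a real deployment, pass the contents of the real files with open(path).read(); for a Windows Jetty service, build the JVM options string by joining the jvmOptionN values from service.cfg with spaces. Run the audit as the same account that runs the server, which also confirms that account can read the keystore and the wsconfig files.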

ArticleID=741662