The first time you sign into developerWorks, a profile is created for you. Select information in your developerWorks profile is displayed to the public, but you may edit the information at any time. Your first name, last name (unless you choose to hide them), and display name will accompany the content that you post.

All information submitted is secure.

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

All information submitted is secure.

My developerWorks:

My notifications:

Sign out

Select a language:

How to configure IBM Rational Change 5.3 to run in FIPS mode

Improve application security to meet the Federal Information Processing Standard

Pradeep K. Shashidhar (pradeep.shashidhar@in.ibm.com), Staff Software Engineer, IBM

Pradeep has nearly a decade of experience in software development, with half of that time working on the Rational Change application. He is experienced in using Java, Perl, PHP, and .NET technologies and in change and configuration management, payment, and online learning domains.

Summary: Follow these steps to configure IBM® Rational® Change to run in Federal Information Processing Standard (FIPS) mode. All of the configuration changes required in the application, the Java Runtime Environment (JRE), and the web server are including in the code provided in this article.

Tag this!

Date: 26 Jul 2011
Level: Advanced
PDF: A4 and Letter (34KB | 8 pages)Get Adobe® Reader®

Activity: 1810 views
Comments:

1. Configure the JRE settings

Make sure that the cryptographic library file, ibmjcefips.jar, is available in the <JRE_HOME>\lib\ext directory.
Edit the Java security file, <JRE_HOME>\lib\security\java.security, to make the changes that follow:
- Add the IBMJCE provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) to the beginning of the list of security providers.
- The example in Listing 1 shows the list of default security providers for Microsoft Windows or Linux operating systems.

Listing 1. Default security providers for Windows or Linux systems

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

The Listing 2 example shows the list of default security providers for Solaris systems.

Listing 2. Default security providers for Solaris systems

security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

Listing 3 is an instance where the IBMJCE provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) is added to the existing list, in case you're using a Windows or Linux platform.

Listing 3. IBMJCE provider added for Windows or Linux systems

security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

Listing 4 is an instance where IBMJCE provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) is added to the existing list if you're using a Solaris system.

Listing 4. IBMJCE provider for a Solaris system

security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
security.provider.3=sun.security.provider.Sun
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

2. Configure the JRE for SSL

Configure the Java Runtime Environment (JRE) for the SSL socket factory providers by adding entries to the java.security file.
Replace these entries:

#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=

with these:

ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

3. Generate the certificate using the IBMJCEFIPS provider

Configure Rational Change to run in https mode. Use the provider name with every keytool command:
-provider com.ibm.crypto.fips.provider.IBMJCEFIPS

For example:

	keytool -genkey -keystore  "D:\certs\fips1.keystore"
	-alias angler -keyalg RSA -provider com.ibm.crypto.fips.provider.IBMJCEFIPS

Note:
The rest of the steps to configure Rational Change to run in https mode remain same.

4. Configure the Jetty server to use the TLS protocol

Configure the Jetty server to support FIPS. In FIPS mode, Rational Change uses the TLS (Transport Layer Security) protocol to establish a secure connection. If the application is installed with Jetty, it is necessary to pass the protocol value (<Set name="SSLProtocol">TLS</Set>) through the jetty.xml file as Listing 5 shows.

Listing 5 Edit the Jetty XML file to pass the TLS protocol

	<Call name="addListener">
	   <Arg>
		  <New class="org.mortbay.http.ibmjsse.IbmJsseListener">
			 <Set name="Port">8001</Set>
			 <Set name="MinThreads">5</Set>
			 <Set name="MaxThreads">255</Set>
			 <Set name="MaxIdleTimeMs">60000</Set>
			 <Set name="LowResourcePersistTimeMs">5000</Set>
			 <Set name="Keystore">D:\certs\fips1.keystore</Set>
			 <Set name="Password">password</Set>
			 <Set name="KeyPassword">password</Set>
			 <Set name="SSLProtocol">TLS</Set>
		  </New>
	   </Arg>
	</Call>

5. Add a JVM argument to enforce FIPS

Jetty server

Microsoft Windows

Add this Java Virtual Machine (JVM) argument:
jvmOption9=-Dcom.ibm.jsse2.JSSEFIPS=true

to
<JETTY_HOME>\jetty\win32\service.cfg after the existing line jvmOption8=-Dorg.mortbay.xml.XmlParser.NotValidating=true

Reinstall the service by running the service.bat /remove and service.bat /install commands.

UNIX

Edit <JETTY_HOME>\jetty\jetty.sh to modify these lines:

	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG -Xms128m -Xmx512m
	-Dorg.mortbay.xml.XmlParser.NotValidating=true $JAVA_OPTIONS"

with these changes:

	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG
	-Xms128m -Xmx512m -Dcom.ibm.jsse2.JSSEFIPS=true
	-Dorg.mortbay.xml.XmlParser.NotValidating=true $JAVA_OPTIONS"

And change this:

	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG -Xms128m -Xmx512m
	-Dorg.mortbay.xml.XmlParser.NotValidating=true -server $JAVA_OPTIONS"

with these changes:

	JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG
	-Xms128m -Xmx512m -Dcom.ibm.jsse2.JSSEFIPS=true
	-Dorg.mortbay.xml.XmlParser.NotValidating=true -server $JAVA_OPTIONS"

Tomcat server

Windows

Service mode

If Tomcat is configured to start in service mode, launch the Tomcat Properties dialog window by clicking tomcat5w.exe or tomcat6w.exe from the <TOMCAT_HOME>\bin directory.
In the Tomcat Properties window, click the Java tab, and add this option in Java Options section:
-Dcom.ibm.jsse2.JSSEFIPS=true

Startup script

If Tomcat is configured to start through a startup script, <TOMCAT_HOME>\bin\startup.bat, set the value to the JAVA_OPTS variable by copying this line to the beginning of the <TOMCAT_HOME>\bin\setenv.bat script file:
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.JSSEFIPS=true

Note:
If the setenv.bat script does not exist, you must create a new one under the <TOMCAT_HOME>\bin\ directory.

UNIX

Startup script

Set the value to variable JAVA_OPTS by editing the <TOMCAT_HOME>/bin/setenv.sh script.
Note:If the setenv.sh script does not exist, create a new one under the <TOMCAT_HOME>/bin/ directory.
Copy this line to the beginning of script file:

Ex: JAVA_OPTS="-Dcom.ibm.jsse2.JSSEFIPS=true";export JAVA_OPTS

6. Finish the settings in the Rational Change application

To force Rational Change to use cryptographic algorithms supported by FIPS, add this entry in the \WEB-INF\wsconfig\pt.cfg file:
[CCM_SYSTEM][ENABLE_FIPS]true[/ENABLE_FIPS][/CCM_SYSTEM]
From this location:
CHANGE_APP_HOME/WEB-INF/wsconfig
Edit these three files:
- synergy_user.xml
- local_admin.xml
- rds_config.xml

by replacing the <password> tag content with <password-unencrypted>, with a clear text password.

Click the Load button from the administration interface to reload all of the configuration files.

Resources

Learn

Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.
Stay current with developerWorks technical events and webcasts focused on a variety of IBM products and IT industry topics.
- Attend a free developerWorks Live! briefing to get up-to-speed quickly on IBM products and tools, as well as IT industry trends.
- Watch developerWorks on-demand demos, ranging from product installation and setup demos for beginners to advanced functionality for experienced developers.
Improve your skills. Check the Rational training and certification catalog, which includes many types of courses on a wide range of topics. You can take some of them anywhere, any time, and many of the “Getting Started" ones are free.

Get products and technologies

Get the free Trial Download or check the Trials and Demos page for Rational software.
Evaluate IBM software in the way that suits you best: Download it for a trial, try it online, use it in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement service-oriented architecture efficiently.

Discuss

Join the Rational software forums to ask questions and participate in discussions.
Share your knowledge and help others who use Rational software by writing a developerWorks article. You'll get worldwide exposure, RSS syndication, a byline and a bio, and the benefit of professional editing and production on the developerWorks Rational website. Find out what makes a good developerWorks article and how to proceed.
Follow Rational software on Facebook, Twitter (@ibmrational), and YouTube, and add your comments and requests.
Ask and answer questions and increase your expertise when you get involved in the Rational forums, cafés, and wikis.
Connect with others who share your interests by joining the developerWorks community and responding to the developer-driven blogs.

About the author

Close [x]

Report abuse help

Report abuse

Thank you. This entry has been flagged for moderator attention.

Close [x]

Report abuse help

Report abuse

Report abuse submission failed. Please try again later.

Close [x]

developerWorks: Sign in

The first time you sign into developerWorks, a profile is created for you. Select information in your developerWorks profile is displayed to the public, but you may edit the information at any time. Your first name, last name (unless you choose to hide them), and display name will accompany the content that you post.

All information submitted is secure.

Close [x]

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

All information submitted is secure.

Rate this article

Comments

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/

SITE_ID=1

Zone=Rational

ArticleID=741662

ArticleTitle=How to configure IBM Rational Change 5.3 to run in FIPS mode

publish-date=07262011

author1-email=pradeep.shashidhar@in.ibm.com

author1-email-cc=