Liberty and SP800-131 setup is failing

Posted by LHuston, 2013-11-20T21:10:06Z (8 replies; latest post 2013-11-22T17:16:04Z by LHuston)

I am attempting to set up Liberty with SP800-131 enabled. I've been following the documentation:

http://pic.dhe.ibm.com/infocenter/radhelp/v9/index.jsp?topic=%2Fcom.ibm.websphere.wlp.nd.multiplatform.doc%2Fae%2Ftwlp_sec_nist.html

I believe I have done all the steps appropriately, but as soon as I add -Dcom.ibm.jsse2.sp800-131=transition to the jvm.options file, I get a "program cannot display webpage" type error. It seems to be indicating that the application is not up and running, even though the logs tell a different story:

********************************************************************************
product = WebSphere Application Server 8.5.5.0 (wlp-1.0.3.20130510-0831)
wlp.install.dir = C:/wlp/
java.home = C:\Program Files\IBM\Java70\jre
java.version = 1.7.0
java.runtime = Java(TM) SE Runtime Environment (pwa6470sr6-20131015_01 (SR6))
os = Windows 7 (6.1; amd64) (en_US)
********************************************************************************
[11/20/13 9:58:03:364 CST] 00000001 com.ibm.ws.logging.internal.TraceSpecification               I TRAS0018I: The trace state has been changed. The new trace state is *=info.
[11/20/13 9:58:03:438 CST] 00000001 com.ibm.ws.kernel.launch.internal.FrameworkManager           A CWWKE0001I: The server FBFWCAServer has been launched.
[11/20/13 9:58:04:160 CST] 0000001b com.ibm.ws.config.internal.xml.XMLConfigParser               A CWWKG0028A: Processing included configuration resource: C:\wlp\usr\servers\FBFWCAServer\NISTSecurity.xml
[11/20/13 9:58:04:198 CST] 0000001c com.ibm.ws.logging.internal.TraceSpecification               I TRAS0018I: The trace state has been changed. The new trace state is *=audit:RRA=all:WAS.j2c=all.
[11/20/13 9:58:04:899 CST] 0000001b com.ibm.ws.security.internal.SecurityReadyServiceImpl        I CWWKS0007I: The security service is starting...
[11/20/13 9:58:05:024 CST] 00000026 com.ibm.ws.tcpchannel.internal.TCPChannel                    I CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host 127.0.0.1  (IPv4: 127.0.0.1) port 9081.
[11/20/13 9:58:05:508 CST] 0000001b com.ibm.ws.app.manager.internal.monitor.DropinMonitor        A CWWKZ0058I: Monitoring dropins for applications.
[11/20/13 9:58:05:720 CST] 00000026 com.ibm.ws.tcpchannel.internal.TCPChannel                    I CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host 127.0.0.1  (IPv4: 127.0.0.1) port 9448.
[11/20/13 9:58:05:882 CST] 0000002a com.ibm.ws.security.internal.SecurityReadyServiceImpl        I CWWKS0008I: The security service is ready.
[11/20/13 9:58:05:883 CST] 0000002a com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreator       I CWWKS4105I: LTPA configuration is ready after 0.583 seconds.
[11/20/13 9:58:12:068 CST] 0000001e com.ibm.ws.http.internal.VirtualHostImpl                     A CWWKT0016I: Web application available (default_host): http://localhost:9081/FBFWCentralAdmin/
**********************************************************************************

I am using the IBM Java 7 SR6 JDK:

C:\Users\IBM_ADMIN>java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pwa6470sr6-20131015_01(SR6))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows 7 amd64-64 Compressed References 20131013_170512 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR6_20131013_1510_B170512
JIT  - r11.b05_20131003_47443
GC   - R26_Java726_SR6_20131013_1510_B170512_CMPRSS
J9CL - 20131013_170512)
JCL - 20131011_01 based on Oracle 7u45-b18

I created a certificate that appears to have all the correct criteria. I used keytool to do so.

SSL certificate details:
Version V3
Signature algorithm: sha512RSA
Signature hash algorithm: sha512
Public Key RSA (2048Bits)
Thumbprint algorithm: sha1

I configured the server.xml to use TLSv1.2:

<featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>

<keyStore id="defaultKeyStore"
          location="key.jks"
          type="JKS"
          password="{xor}xyz" />

<ssl id="FBFWCASSLConfig"
     keyStoreRef="defaultKeyStore"
     serverKeyAlias="selfsigned"
     clientAuthentication="true"
     sslProtocol="TLSv1.2" />

With all of the above I can access my application via SSL until I add the line to jvm.options to turn on SP800-131. I added the following line to jvm.options:

-Dcom.ibm.jsse2.sp800-131=transition

At this point, the web application is no longer accessible from the browser. I have tried IE 9 with SSL 3.0 on and TLS 1.2 on, and the browser within RAD (not sure whether TLS v1.2 is enabled or not).

I am at a loss as to what else needs to be enabled or changed for Liberty to work under SP800-131. Any assistance would be appreciated.
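The post lists the certificate properties it relies on (an RSA 2048-bit key and a SHA-512 RSA signature) but checks them by eye in a certificate viewer. The script below is an added example, not part of the original post or of IBM's Liberty code: it reads a DER-encoded X.509 certificate with a minimal standard-library DER walker and reports whether the signature algorithm is SHA-2 based and the RSA key is at least 2048 bits, the two criteria the post names. Because no real certificate is on the page, the sample input is a constructed, unsigned skeleton certificate built by the same script (empty names, a fake modulus of the right size); the function names, the 2048-bit threshold and the OID table are this example's own assumptions, drawn from RFC 3279/4055 OIDs, not from Liberty.

```python
"""
Check whether an X.509 certificate (DER bytes) satisfies the two SP800-131
criteria named in the post: a SHA-2 signature algorithm and an RSA public key
of at least 2048 bits. Standard library only; a minimal DER walker suffices
because only the signature AlgorithmIdentifier and the SubjectPublicKeyInfo
are inspected.
"""

# Signature algorithm OIDs (RFC 3279 / RFC 4055). The SHA-1 entries are the
# ones a transition-mode setup is meant to move away from.
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", True),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512", True),
}
RSA_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048          # threshold assumed from the post's own certificate

# --- minimal DER reader -----------------------------------------------------
def der_read(buf, pos=0):
    """Read one TLV starting at pos; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def oid_decode(val):
    """Decode OID content bytes to dotted form (first arc < 2 assumed)."""
    parts, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

# --- the check --------------------------------------------------------------
def check_sp800_131(cert_der):
    """Return signature algorithm, key algorithm, key size and a list of
    problems; 'compliant' is True when the list is empty."""
    _, cert, _ = der_read(cert_der)
    (_, tbs), (_, sig_alg), _ = der_children(cert)[:3]   # tbsCertificate, signatureAlgorithm, signatureValue
    sig_oid = oid_decode(der_children(sig_alg)[0][1])
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]                                   # serial, signature, issuer, validity, subject, SPKI
    (_, key_alg), (_, key_bitstr) = der_children(spki)[:2]
    key_oid = oid_decode(der_children(key_alg)[0][1])

    problems = []
    sig_name, sig_ok = SIG_ALGS.get(sig_oid, (sig_oid, False))
    if not sig_ok:
        problems.append("signature algorithm %s is not SHA-2 based" % sig_name)
    key_name, key_bits = key_oid, None
    if key_oid == RSA_OID:
        key_name = "RSA"
        rsa_key = der_children(key_bitstr[1:])[0][1]      # skip BIT STRING unused-bits byte
        modulus = int.from_bytes(der_children(rsa_key)[0][1], "big")
        key_bits = modulus.bit_length()
        if key_bits < MIN_RSA_BITS:
            problems.append("RSA key is %d bits, need >= %d" % (key_bits, MIN_RSA_BITS))
    else:
        problems.append("key algorithm %s is not checked by this script" % key_oid)
    return {"sig_alg": sig_name, "key_alg": key_name, "key_bits": key_bits,
            "problems": problems, "compliant": not problems}

# --- minimal DER writer, used only to CONSTRUCT sample input ----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        enc = [v & 0x7F]
        v >>= 7
        while v:
            enc.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(enc))
    return tlv(0x06, bytes(out))

def der_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_cert(sig_oid, rsa_bits):
    """CONSTRUCTED sample: an unsigned skeleton certificate with empty names
    and a fake modulus of the requested size; enough for check_sp800_131()."""
    alg = tlv(0x30, der_oid(sig_oid) + b"\x05\x00")              # AlgorithmIdentifier with NULL params
    modulus = (1 << (rsa_bits - 1)) | 1                          # not a real key, only the right size
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))
    spki = tlv(0x30, tlv(0x30, der_oid(RSA_OID) + b"\x05\x00") + tlv(0x03, b"\x00" + rsa_key))
    validity = tlv(0x30, tlv(0x17, b"131120000000Z") + tlv(0x17, b"141120000000Z"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(32)))  # dummy signature value

if __name__ == "__main__":
    print(check_sp800_131(build_sample_cert("1.2.840.113549.1.1.13", 2048)))
    print(check_sp800_131(build_sample_cert("1.2.840.113549.1.1.5", 1024)))
```

To run it against the keystore from the post, export the entry in binary (DER) form with `keytool -exportcert -alias selfsigned -keystore key.jks -file selfsigned.der` and pass `open("selfsigned.der", "rb").read()` to `check_sp800_131()`. Since the posted server.xml sets `clientAuthentication="true"`, the same check applies to whatever client certificate the browser presents, not only to the server's.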