8 replies Latest Post - ‏2013-11-22T17:16:04Z by LHuston

Liberty and SP800-131 setup is failing

‏2013-11-20T21:10:06Z |

I am attempting to set up Liberty with SP800-131 enabled. I've been following the documentation.

I believe I have done all the steps appropriately, but as soon as I add the to the jvm.options file, I get a "program cannot display webpage" type error. It seems to be indicating that the application is not up and running, even though the logs tell a different story:

product = WebSphere Application Server (wlp-
wlp.install.dir = C:/wlp/
java.home = C:\Program Files\IBM\Java70\jre
java.version = 1.7.0
java.runtime = Java(TM) SE Runtime Environment (pwa6470sr6-20131015_01 (SR6))
os = Windows 7 (6.1; amd64) (en_US)
[11/20/13 9:58:03:364 CST] 00000001               I TRAS0018I: The trace state has been changed. The new trace state is *=info.
[11/20/13 9:58:03:438 CST] 00000001           A CWWKE0001I: The server FBFWCAServer has been launched.
[11/20/13 9:58:04:160 CST] 0000001b               A CWWKG0028A: Processing included configuration resource: C:\wlp\usr\servers\FBFWCAServer\NISTSecurity.xml
[11/20/13 9:58:04:198 CST] 0000001c               I TRAS0018I: The trace state has been changed. The new trace state is *=audit:RRA=all:WAS.j2c=all.
[11/20/13 9:58:04:899 CST] 0000001b        I CWWKS0007I: The security service is starting...
[11/20/13 9:58:05:024 CST] 00000026                    I CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host  (IPv4: port 9081.
[11/20/13 9:58:05:508 CST] 0000001b        A CWWKZ0058I: Monitoring dropins for applications.
[11/20/13 9:58:05:720 CST] 00000026                    I CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host  (IPv4: port 9448.
[11/20/13 9:58:05:882 CST] 0000002a        I CWWKS0008I: The security service is ready.
[11/20/13 9:58:05:883 CST] 0000002a       I CWWKS4105I: LTPA configuration is ready after 0.583 seconds.
[11/20/13 9:58:12:068 CST] 0000001e                     A CWWKT0016I: Web application available (default_host): http://localhost:9081/FBFWCentralAdmin/

I am using the IBM 7 SR 6 JDK:

C:\Users\IBM_ADMIN>java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pwa6470sr6-20131015_01(SR6))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows 7 amd64-64 Compressed References 2013101
3_170512 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR6_20131013_1510_B170512
JIT  - r11.b05_20131003_47443
GC   - R26_Java726_SR6_20131013_1510_B170512_CMPRSS
J9CL - 20131013_170512)
JCL - 20131011_01 based on Oracle 7u45-b18

I created a certificate that appears to have all the correct criteria. I used keytool to do so.

SSL certificate details:
Version V3
Signature algorithm: sha512RSA
Signature hash algorithm: sha512
Public Key RSA (2048Bits)
Thumbprint algorithm: sha1

I configured the server.xml to use TLSv1.2:

<keyStore id="defaultKeyStore"
type="JKS" password="{xor}xyz" />

<ssl id="FBFWCASSLConfig"
sslProtocol="TLSv1.2" />

With all of the above I can access my application via SSL until I add the line to jvm.options to turn on the SP800-131, 

 I added the following line to

At this point, the web application is no longer accessible from the browser. I have tried IE 9 with SSL 3.0-ON and TLS 1.2 ON and the browser within RAD (not sure if TLS v1.2 is enabled or not).

I am at a loss as to what else needs to be enabled or changed for Liberty to work under SP800-131. Any assistance would be appreciated.