Configuring for FIPS 140-2 compliance

Federal Information Processing Standard (FIPS) compliance and certification are required when working in a US government environment. Compliance and certification are achieved through rigorous testing of the cryptographic modules or providers. DBB achieves compliance by using existing cryptographic modules that have met the rigorous testing requirements. The following information can be used to configure Dependency Based Build for FIPS compliance.

NOTE: This information assumes that you are using an IBM Java Runtime Environment (JRE) in your server and toolkit environments. The IBM JRE includes the IBMJCEFIPS provider that has received certification for FIPS compliance. Some of the information might be different if you are using a different JRE or a different FIPS-compliant module.

Configuration summary

To configure FIPS, you must modify the JRE java.security file to include definitions for default socket factories and cryptography package providers. You must also define a system property, com.ibm.jsse2.usefipsprovider=true, when starting the JVM.

The java.security file defines security settings for your Java runtime environment. The JRE requires that the file is placed in $JAVA_HOME/lib/security. Your Java installation should include a default java.security file.

For FIPS, ssl.SocketFactory.provider and ssl.ServerSocketFactory.provider must be defined or updated in the java.security file to use the JSSE2 runtime environment.

ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl 
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

Also, the cryptography package provider list must be modified by using the security.provider.n properties where n is the preference order. The IBMJCEFIPS provider should go before other providers.

security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

DBB configuration

DBB provides an override java.security file with the above definitions that can be used instead of modifying the default java.security file. It is useful when you use a common JRE with other products or when access to the default java.security file is restricted. Provide the system property, java.security.properties, when you start your JVM to use the override the java.security file.

NOTE: To use an override java.security file, the default java.security file must contain security.overridePropertiesFile=true.

DBB includes the /usr/lpp/IBM/dbb/conf/dbb.java.security override file for the default configuration to enable FIPS. To use it, include java.security.properties and com.ibm.jsse2.usefipsprovider as JVM options on either the command line or in your Jenkins build definition.

-Djava.security.properties=$DBB_CONF/dbb.java.security 
-Dcom.ibm.jsse2.usefipsprovider=true