Configuring Federal Information Processing Standard Java Secure Socket Extension files

Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files.

About this task

In WebSphere® Application Server, the Java™ Secure Socket Extension (JSSE) provider that is used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the Java Cryptography Extension (JCE) provider. Therefore, IBMJSSE2 does not need to be Federal Information Processing Standard (FIPS)-approved because it does not perform cryptography. However, the JCE provider requires FIPS-approval.

[Linux][AIX][Windows][8.5.5.28 or later]FIPS 140-3 supersedes FIPS 140-2. For more information about FIPS 140-3, see FIPS 140-3 in the IBM SDK 8 documentation and FIPS 140-3 in the WebSphere Application Server documentation.

[AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]WebSphere Application Server provides a FIPS-approved IBMJCEPlusFIPS provider that IBMJSSE2 can use.

[AIX Solaris HP-UX Linux Windows]In versions before 8.5.5.23, WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can use.

When enabling the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane, the runtime always uses IBMJSSE2, despite the contextProvider that you specify for SSL (IBMJSSE or IBMJSSE2S). FIPS requires TLS 1.2 as the SSL protocol, the runtime always uses TLSv1.2 when FIPS is enabled, regardless of the SSL/TLS protocol setting in the SSL repertoire. This simplifies the FIPS configuration in WebSphere Application Server because an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane to enable all transports using SSL.

Procedure

  1. Click Security > SSL certificate and key management > Manage FIPS.
    [8.5.5.28 or later]

    Click Security > Manage FIPS

  2. [Linux][AIX][Windows][8.5.5.28 or later]Select the Enable FIPS 140-3 option and click Apply
    [8.5.5.28 or later]Note:

    To use FIPS 140-2, select the Enable FIPS 140-2 option and click Apply.

    [AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]This option makes IBMJSSE2 and IBMJCEPlusFIPS the active providers.
    [AIX Solaris HP-UX Linux Windows]In versions before 8.5.5.23, this option makes IBMJSSE2 and IBMJCEFIPS the active providers.

    For more information about enabling FIPS, see Manage FIPS.

  3. Accommodate Java clients that must access enterprise beans.

    Change the com.ibm.security.useFIPS property value from false to true in the profile_root/properties/ssl.client.props file.

  4. Ensure that the com.ibm.ssl.protocol property within the profile_root/properties/ssl.client.props file is set to TLSv1.2.
  5. Ensure that the java.security file includes the provider.
    [AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]

    To update the provider list, edit the java.security file and add com.ibm.crypto.plus.provider.IBMJCEPlusFIPS preceding the IBMJCEPlus and IBMJCE provider in the provider list and renumber other providers. However, WebSphere Application Server adds the provider pro grammatically. Modifying the java.security file is optional.

    [AIX Solaris HP-UX Linux Windows]In versions before 8.5.5.23, to update the provider list, edit the java.security file and add com.ibm.crypto.plus.provider.IBMJCEFIPS preceding the IBMJCE provider in the provider list and renumber other providers. However, WebSphere Application Server adds the provider programmatically, modifying the java.security file is optional. The IBMJCEFIPS provider must be in the java.security file provider list.

    [AIX Solaris HP-UX Linux Windows]The java.security file is located in the WASHOME/java/jre/lib/security directory.

    The following example shows the contents of the IBM® SDK java.security file after the step is completed.
    • [AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]Use the string crypto.plus.provider.IBMJCEPlusFIPS.
      [AIX Solaris HP-UX Linux Windows]
      security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS 
security.provider.2=com.ibm.crypto.provider.IBMJCE  
security.provider.3=com.ibm.jsse.IBMJSSEProvider   
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2   
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider 
security.provider.6=com.ibm.security.cert.IBMCertPath  
security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.sasl.IBMSASL 
security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider 
security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider  
security.provider.13=org.apache.harmony.security.provider.PolicyProvider

    • [AIX Solaris HP-UX Linux Windows]In versions before 8.5.5.23, use the string crypto.fips.provider.IBMJCEFIPS.
      [AIX Solaris HP-UX Linux Windows]
      security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS 
security.provider.2=com.ibm.crypto.provider.IBMJCE  
security.provider.3=com.ibm.jsse.IBMJSSEProvider   
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2   
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider 
security.provider.6=com.ibm.security.cert.IBMCertPath  
security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.sasl.IBMSASL 
security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider 
security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider  
security.provider.13=org.apache.harmony.security.provider.PolicyProvider

    [AIX Solaris HP-UX Linux Windows]If you are using the Oracle JDK, the java.security file looks like the following example after completing this step.

    [AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]Add the line security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS.
    
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.11=sun.security.provider.Sun
    [AIX Solaris HP-UX Linux Windows]In versions before 8.5.5.23, add the line security.provider.2=com.ibm.crypto.plus.provider.IBMJCEFIPS.
    
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCEPlus
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=sun.security.provider.Sun

What to do next

After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:
  • A browser might not have TLS 1.2 enabled by default. Check the browser settings to ensure that it is set to use TLS 1.2.
  • When you select the Use the Federal Information Processing Standard (FIPS) option on the SSL certificate and key management pane, the Lightweight Third-Party Authentication (LTPA) token format is not compatible with an earlier versions of WebSphere Application Server. However, you can import the LTPA keys from a previous version of the application server.
  • Note: The current WebSphere Application Server limitation is that the key length in secret keys is not evaluated for FIPS sp800-131a compliance. If secret keys are in the keystore, then check the key length by using iKeyman in the {WebSphere_install_dir}\java\jre\bin directory or by using other keystore tools.
[AIX Solaris HP-UX Linux Windows]Attention: The following error might occur when you attempt to stop WebSphere Application Server after enabling the FIPS option.
ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorException
Uncomment the following entry in the java.security file if it was previously removed or commented out, then restart the server:
security.provider.2=com.ibm.crypto.provider.IBMJCE
Note: When enabling FIPS, you cannot configure cryptographic token devices in the SSL repertoires. IBMJSSE2 must use IBMJCEPlusFIPS when using cryptographic services for FIPS.
The following FIPS 140-2 approved cryptographic providers that are the only devices that are supported by the FIPS option:
  • [AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]IBMJCEPlusFIPS (certificate 376)
  • [AIX Solaris HP-UX Linux Windows]In versions before 8.5.5.23, IBMJCEFIPS (certificate 376)
  • IBM Cryptography for C (IBM Content Collector) (certificate 384)
The relevant certificates are listed on the NIST website: Standards: FIPS PUB 140-2.
To unconfigure the FIPS provider, reverse the changes that you made in the previous steps. After you reverse the changes, verify the following changes to the sas.client.props, soap.client.props, and java.security files:
  • In the ssl.client.props file, you must change the com.ibm.security.useFIPS value to false.
  • In the java.security file, you must change the FIPS provider to a non-FIPS provider.
    If you are using the IBM SDK java.security file, you must change the first provider to a non-FIPS provider as shown in the following example.[AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]
    
#security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS 
security.provider.1=com.ibm.crypto.provider.IBMJCE  
security.provider.2=com.ibm.jsse.IBMJSSEProvider   
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2   
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider 
security.provider.5=com.ibm.security.cert.IBMCertPath  
security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.7=com.ibm.security.cmskeystore.CMSProvider
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.security.sasl.IBMSASL 
security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider 
security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider  
security.provider.12=org.apache.harmony.security.provider.PolicyProvider
    In versions before 8.5.5.23, use the following example.
    [AIX Solaris HP-UX Linux Windows]
    
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS 
security.provider.1=com.ibm.crypto.provider.IBMJCE  
security.provider.2=com.ibm.jsse.IBMJSSEProvider   
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2   
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider 
security.provider.5=com.ibm.security.cert.IBMCertPath  
security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.7=com.ibm.security.cmskeystore.CMSProvider
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.security.sasl.IBMSASL 
security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider 
security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider  
security.provider.12=org.apache.harmony.security.provider.PolicyProvider

    [AIX Solaris HP-UX Linux Windows]If you are using the Oracle JDK java.security file, you must change the second provider to a non-FIPS provider as shown in the following example.

    [AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]
    
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
#security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=sun.security.provider.Sun

    [AIX Solaris HP-UX Linux Windows]In versions before 8.5.5.23, change the second provider to a non-FIPS provider as shown in the following example.

    
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
#security.provider.2=com.ibm.crypto.plus.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCEPlus
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=sun.security.provider.Sun