Configuring the server to achieve FIPS compliance

You can ensure compliance with the FIPS 140-2 standard by modifying the configuration properties of the underlying application server.

Procedure

  • For application update 9.2.32 and later, perform the following steps.
    1. Stop the License Metric Tool server.
    2. Open the jvm.options file that is in the following directory: <installation_directory>/wlp/usr/servers/server1, and make the following changes.
      1. Replace the line:
        -Djava.security.properties=resources/security/java_for_lmt.security
        with the following line:
        -Djava.security.properties=resources/security/java_for_lmt_with_fips.security
      2. Add the following two lines at the end of the file.
        -Dcom.ibm.jsse2.usefipsprovider=true
        -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
      3. Save the file.
    3. Start the License Metric Tool server.
  • For application update 9.2.31 and earlier, perform the following steps.
    1. Stop the License Metric Tool server.
    2. To add a security provider, open one of the following files.
      • For application update 9.2.27 and later, open the java_for_lmt.security file that is in the following directory: <installation_directory>/wlp/usr/servers/server1/resources/security.
      • For application update 9.2.26 and earlier, open the java.security file that is in the following directory: <installation_directory>/jre/jre/lib/security.
      Then insert com.ibm.crypto.fips.provider.IBMJCEFIPS immediately before the IBMJCE entry in the provider list, and renumber the entries that follow so that the list stays consecutive.
    3. For application update 9.2.31, open the java.security file that is in the following directory: <installation_directory>/jre/jre/lib/security. Add RSAPSS to the jdk.tls.disabledAlgorithms list.
      Important: If you integrate License Metric Tool with IBM® Software Central or Red Hat® Marketplace, the integration stops working after you perform this step. There is no workaround that achieves FIPS compliance and keeps the integration working.
    4. Open the jvm.options file that is in the following directory: <installation_directory>/wlp/usr/servers/server1/. Add the -Dcom.ibm.jsse2.usefipsprovider=true property. It makes the Java™ Secure Socket Extension (JSSE2) provider run in FIPS 140-2 mode.
      Important: Your certificates must have a key that is at least 1024 bits long and must be signed with an RSA signature algorithm. You can use the IBM keytool utility to generate a compatible key pair.
    5. If the TLS protocol is not yet enabled and you want to use it, configure secure communication.

      FIPS 140-2 permits a limited set of ciphers. When JSSE is running in FIPS mode, the default HTTPS configuration automatically enables the FIPS 140-2 compliant ciphers. To restrict the server to specific ciphers, list them in the enabledCiphers attribute of the SSL configuration element in the server.xml file.

    6. Start the License Metric Tool server.
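Both procedures above come down to a few line-level edits of jvm.options and java.security. The following script is an added example, not IBM's own tooling and not part of the original page: it performs those edits idempotently and then checks that the expected settings are present, which is the check an administrator wants after the change and in a later configuration-drift review. It assumes POSIX sh with awk, sed and grep (grep -w is GNU/BSD, not strictly POSIX), takes the file paths as arguments rather than deriving them from <installation_directory>, and is exercised only against constructed sample file contents. Stopping and starting the License Metric Tool server, and the certificate requirements from the note above, remain manual steps.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: applies the FIPS edits from the two
# procedures above to jvm.options and java.security files passed as arguments,
# skipping changes that are already present, and verifies the result.
# Assumes POSIX sh with awk, sed and grep. Any file contents this is run
# against for testing are constructed samples, not a real installation.

# Append a line unless an identical line already exists (exact match, so
# trailing whitespace in a hand-edited file counts as a difference).
append_once() {
    [ -s "$1" ] && [ -n "$(tail -c1 "$1")" ] && printf '\n' >> "$1"  # ensure trailing newline
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Replace a file's contents from its .tmp sibling, keeping inode and permissions.
overwrite() { cat "$1.tmp" > "$1" && rm "$1.tmp"; }

# 9.2.32 and later: point the JVM at java_for_lmt_with_fips.security and set
# the two JSSE2 FIPS properties in jvm.options.
configure_jvm_options() {
    f="$1"
    sed 's|^-Djava\.security\.properties=resources/security/java_for_lmt\.security[[:space:]]*$|-Djava.security.properties=resources/security/java_for_lmt_with_fips.security|' \
        "$f" > "$f.tmp" && overwrite "$f"
    append_once "$f" '-Dcom.ibm.jsse2.usefipsprovider=true'
    append_once "$f" '-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS'
}

# 9.2.31 and earlier: insert IBMJCEFIPS immediately before IBMJCE in the
# security.provider.N list and renumber the entries that follow. Commented-out
# provider lines are left alone and do not count as "already present".
insert_fips_provider() {
    f="$1"
    grep -q '^security\.provider\.[0-9]*=com\.ibm\.crypto\.fips\.provider\.IBMJCEFIPS' "$f" && return 0
    awk '
        /^security\.provider\.[0-9]+=/ {
            n++
            val = $0; sub(/^security\.provider\.[0-9]+=/, "", val)
            if (!done && val ~ /\.IBMJCE[[:space:]]*$/) {
                print "security.provider." n "=com.ibm.crypto.fips.provider.IBMJCEFIPS"
                n++; done = 1
            }
            print "security.provider." n "=" val
            next
        }
        { print }
    ' "$f" > "$f.tmp" && overwrite "$f"
}

# Print the logical value of a java.security property, joining lines that
# are continued with a trailing backslash.
property_value() {
    awk -v key="$2" '
        found { sub(/^[[:space:]]+/, ""); v = v $0 }
        !found && index($0, key "=") == 1 { found = 1; v = substr($0, length(key) + 2) }
        found {
            if (v ~ /\\$/) { sub(/\\$/, "", v); next }   # value continues on next line
            print v; exit
        }
    ' "$1"
}

# 9.2.31: add RSAPSS to jdk.tls.disabledAlgorithms. Prepending it right after
# "=" leaves any backslash-continued lines of the value untouched.
disable_rsapss() {
    f="$1"
    property_value "$f" jdk.tls.disabledAlgorithms | grep -qw RSAPSS && return 0
    sed -e 's/^\(jdk\.tls\.disabledAlgorithms=\)[[:space:]]*\([^[:space:]]\)/\1RSAPSS, \2/' \
        -e 's/^\(jdk\.tls\.disabledAlgorithms=\)[[:space:]]*$/\1RSAPSS/' \
        "$f" > "$f.tmp" && overwrite "$f"
}

# Check that the settings are in place; returns 0 only when all of them are.
#   verify_fips_settings new <jvm.options>
#   verify_fips_settings old <jvm.options> <provider file> <java.security>
# (for 9.2.26 and earlier the provider file and java.security are the same file)
verify_fips_settings() {
    case "$1" in
    new)
        grep -qxF -- '-Djava.security.properties=resources/security/java_for_lmt_with_fips.security' "$2" &&
        grep -qxF -- '-Dcom.ibm.jsse2.usefipsprovider=true' "$2" &&
        grep -qxF -- '-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS' "$2" ;;
    old)
        fips_n=$(sed -n 's/^security\.provider\.\([0-9]*\)=com\.ibm\.crypto\.fips\.provider\.IBMJCEFIPS$/\1/p' "$3")
        jce_n=$(sed -n 's/^security\.provider\.\([0-9]*\)=com\.ibm\.crypto\.provider\.IBMJCE$/\1/p' "$3")
        grep -qxF -- '-Dcom.ibm.jsse2.usefipsprovider=true' "$2" &&
        [ -n "$fips_n" ] && [ -n "$jce_n" ] && [ "$((fips_n + 1))" -eq "$jce_n" ] &&
        property_value "$4" jdk.tls.disabledAlgorithms | grep -qw RSAPSS ;;
    *)  return 2 ;;
    esac
}
```

For 9.2.32 and later, run configure_jvm_options on jvm.options. For 9.2.31 and earlier, run insert_fips_provider on the provider file for your release (java_for_lmt.security or java.security), disable_rsapss on java.security for 9.2.31, and add the usefipsprovider line to jvm.options with append_once. verify_fips_settings exits non-zero when anything is missing, so it can serve as a post-change check or run from a scheduled drift check; it also insists that IBMJCEFIPS is numbered exactly one below IBMJCE, which catches a list that was inserted into but not renumbered.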