Configuring the server to achieve FIPS compliance
You can assure compliance with the FIPS 140-2 standard by modifying the configuration properties for the underlying application server.
Procedure
- For application update 9.2.32 and later, perform the following steps.
- Stop the License Metric Tool server.
- Open the jvm.options file that is in the following directory:
<installation_directory>/wlp/usr/servers/server1
- Replace the
line:
with the following line:-Djava.security.properties=resources/security/java_for_lmt.security
-Djava.security.properties=resources/security/java_for_lmt_with_fips.security
- Add the following two lines at the end of the
file.
-Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
- Save the file.
- Replace the
line:
- Start the License Metric Tool server.
- For application update 9.2.31 and earlier, perform the following steps.
- Stop the License Metric Tool server.
- To add a security provided, open one of the following files.
- For application update 9.2.27 and later, open the java_for_lmt.security file that is in the following directory: <installation_directory>/wlp/usr/servers/server1/resources/security.
- For application update 9.2.26 and earlier, open the java.security file that is in the following directory: <installation_directory>/jre/jre/lib/security.
-
Open the java.security file that is in the following directory:
<installation_dir>/jre/jre/lib/security. Add
RSAPSS to the jdk.tls.disabledAlgorithms list. Important: If you integrate License Metric Tool with IBM® Software Central or Red Hat® Marketplace, the integration stops working after you perform this step. However, there is no workaround to achieve FIPS compliance and keep the integration working.
- Open the jvm.options file that is in the following directory:
<installation_directory>/wlp/usr/servers/server1/. Add
the -Dcom.ibm.jsse2.usefipsprovider=true property. It allows the Java™ Secure Socket Extension (JSSE2) provider to run in the FIPS
140-2 mode. Important: Your certificates must have a key that is at least 1024 bits long and must be signed with an RSA signature algorithm. You can use the IBM keytool utility to generate a compatible key pair.
- If TLS protocol is not enabled and you want to use it, configure secure communication.
A number of ciphers are supported by FIPS 140-2. The default HTTPS configuration automatically enables the FIPS 140-2 compliant ciphers when JSSE is running in FIPS mode. You can enable specific ciphers by listing them in the enabledCiphers attribute of the SSL service configuration element in the server.xml file.
- Start the License Metric Tool server.