Configuring the JRE for FIPS 140–2
To configure the Java Runtime Environment (JRE) supplied with Tivoli Netcool/OMNIbus to work with FIPS 140–2 encryption, change the configuration of the java.security file. You can also download and add policy files to use enhanced encryption algorithms.
Procedure
Edit the Java security file
- Depending on your Tivoli Netcool/OMNIbus fix pack level and depending on your operating system, open the following java.security file for editing.
  - Java 7: In Tivoli Netcool/OMNIbus fix packs up to, and including, FP16.
    - $NCHOME/platform/arch/jre_1.7.0/jre/lib/security/java.security
    - $NCHOME/platform/arch/jre64_1.7.0/jre/lib/security/java.security
    - %NCHOME%\platform\win32\jre_1.7.0\jre\lib\security\java.security
  - Java 8: In Tivoli Netcool/OMNIbus Fix Pack 17, and later fix packs.
    - $NCHOME/platform/arch/jre_1.8.0/jre/lib/security/java.security
    - $NCHOME/platform/arch/jre64_1.8.0/jre/lib/security/java.security
    - %NCHOME%\platform\win32\jre_1.8.0\jre\lib\security\java.security
- Add the following lines at the start of the List of providers and their preference orders section of the file.
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
- For each existing provider entry, increment the security.provider.x number by two. When the edits are complete, the section looks as shown:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.11=sun.security.provider.Sun
    security.provider.12=com.ibm.security.cmskeystore.CMSProvider

    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=sun.security.provider.Sun
    security.provider.5=com.ibm.crypto.provider.IBMJCE
    security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.7=com.ibm.security.cert.IBMCertPath
    security.provider.8=com.ibm.security.sasl.IBMSASL
    security.provider.9=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.10=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.12=com.ibm.security.cmskeystore.CMSProvider
- Set the default key and trust manager factory algorithms for the javax.net.ssl package:
    ssl.KeyManagerFactory.algorithm=IbmX509
    ssl.TrustManagerFactory.algorithm=IbmX509
- Set the default SSLSocketFactory and SSLServerSocketFactory provider implementations for the javax.net.ssl package:
    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
- Disable the RSASSA-PSS and RSAPSS algorithms by adding them to the jdk.tls.disabledAlgorithms property. For more information, see IBMJCEFIPS provider in the IBM SDK, Java Technology Edition documentation.
- Save and close the file.
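A post-edit check for the java.security changes in this procedure, as an added example that is not part of the IBM documentation. It reads the file the way Java property files are loaded (a backslash continues a line, a later duplicate key overrides an earlier one) and reports deviations from the values given above; the function names and the sample text are constructed for illustration.

```python
import re
# Expected values are the ones given in the procedure above.
EXPECTED = {
    "security.provider.1": "com.ibm.fips.jsse.IBMJSSEFIPSProvider",
    "security.provider.2": "com.ibm.crypto.fips.provider.IBMJCEFIPS",
    "ssl.KeyManagerFactory.algorithm": "IbmX509",
    "ssl.TrustManagerFactory.algorithm": "IbmX509",
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}
DISABLED = {"RSASSA-PSS", "RSAPSS"}

def parse_properties(text):
    """Return (props, duplicate_keys); assumes key=value lines, later key wins."""
    props, dupes, pending = {}, [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continued value
        if line.endswith("\\"):
            pending += line[:-1]  # value continues on the next line
            continue
        key, _, value = (s.strip() for s in (pending + line).partition("="))
        pending = ""
        if key in props:
            dupes.append(key)
        props[key] = value
    return props, dupes

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    props, dupes = parse_properties(text)
    findings = [f"duplicate key: {k}" for k in dupes]
    numbers = sorted(int(k.rsplit(".", 1)[1]) for k in props
                     if re.fullmatch(r"security\.provider\.\d+", k))
    if numbers != list(range(1, len(numbers) + 1)):
        findings.append("provider numbers are not contiguous from 1")
    findings += [f"{k} is not {v}" for k, v in EXPECTED.items() if props.get(k) != v]
    disabled = {a.strip() for a in props.get("jdk.tls.disabledAlgorithms", "").split(",")}
    return findings + [f"{a} not in jdk.tls.disabledAlgorithms"
                       for a in sorted(DISABLED - disabled)]

# Constructed sample: FIPS lines added but the old first entry not renumbered.
SAMPLE = """security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
jdk.tls.disabledAlgorithms=SSLv3, \\
    RSASSA-PSS"""
print("\n".join(audit(SAMPLE)))
```

In the sample, the un-renumbered security.provider.1 entry silently replaces the FIPS JSSE provider because it appears later in the file, which is why the check flags duplicate keys separately from wrong values.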
Results
Configuring enhanced encryption
About this task
Procedure
- Go to the IBM JCE website at the following URL:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
For more information about IBM Java security, see the following website:
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_7.0.0/welcome/welcome_javasdk_version.html
- If you already have an IBM® ID, sign in. Otherwise, click the register here link to create an IBM ID.
- Select Unrestricted JCE Policy files for SDK for all newer versions and click Continue.
- Read and accept the license terms and download the policy files archive file.
- On the Tivoli Netcool/OMNIbus host computer, extract the local_policy.jar and US_export_policy.jar files from the archive and copy them to the following directory (replacing the existing files).
  - $NCHOME/platform/arch/jre_1.7.0/jre/lib/security
  - $NCHOME/platform/arch/jre64_1.7.0/jre/lib/security
  - %NCHOME%\platform\win32\jre_1.7.0\jre\lib\security
- Update the policy files on each computer.