Configuring the JRE for FIPS 140–2
To configure the Java Runtime Environment (JRE) supplied with Tivoli Netcool/OMNIbus to work with FIPS 140–2 encryption, change the configuration of the java.security file. You can also download and add policy files to use enhanced encryption algorithms.
Procedure
Edit the Java security file
-
Depending on your Tivoli
Netcool/OMNIbus fix pack level and
depending on your operating system, open the following java.security file for
editing.
- Java 7
- In Tivoli
Netcool/OMNIbus fix
packs up to, and including, FP16.
$NCHOME/platform/arch/jre_1.7.0/jre/lib/security/java.security
$NCHOME/platform/arch/jre64_1.7.0/jre/lib/security/java.security
%NCHOME%\platform\win32\jre_1.7.0\jre\lib\security\java.security
- Java 8
- In Tivoli
Netcool/OMNIbus Fix
Pack 17, and later fix packs.
- $NCHOME/platform/arch/jre_1.8.0/jre/lib/security/java.security
- $NCHOME/platform/arch/jre64_1.8.0/jre/lib/security/java.security
- %NCHOME%\platform\win32\jre_1.8.0\jre\lib\security\java.security
- For each existing provider entry, increment the
security.provider.xnumber by two. When the edits are complete, the section looks as shown:
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.crypto.provider.IBMJCE security.provider.5=com.ibm.security.jgss.IBMJGSSProvider security.provider.6=com.ibm.security.cert.IBMCertPath security.provider.7=com.ibm.security.sasl.IBMSASL security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.11=sun.security.provider.Sun security.provider.12=com.ibm.security.cmskeystore.CMSProvider
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.3=com.ibm.security.jgss.IBMJGSSProvider security.provider.4=sun.security.provider.Sun security.provider.5=com.ibm.crypto.provider.IBMJCE security.provider.6=com.ibm.jsse2.IBMJSSEProvider2 security.provider.7=com.ibm.security.cert.IBMCertPath security.provider.8=com.ibm.security.sasl.IBMSASL security.provider.9=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.10=com.ibm.xml.enc.IBMXMLEncProvider security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.12=com.ibm.security.cmskeystore.CMSProvidersecurity.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.crypto.provider.IBMJCE security.provider.5=com.ibm.security.jgss.IBMJGSSProvider security.provider.6=com.ibm.security.cert.IBMCertPath security.provider.7=com.ibm.security.sasl.IBMSASL security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.11=sun.security.provider.Sun security.provider.12=com.ibm.security.cmskeystore.CMSProvider - Disable the RSASSA-PSS and RSAPSS
algorithms by adding them to the
jdk.tls.disabledAlgorithmsproperty.For more information, see IBMJCEFIPS provider
in the IBM SDK, Java Technology Edition
documentation.
Results
Configuring enhanced encryption
About this task
Procedure
- On the Tivoli
Netcool/OMNIbus host
computer, extract the local_policy.jar and US_export_policy.jar files
from the archive and copy them to the following directory (replacing
the existing files).
- $NCHOME/platform/arch/jre_1.7.0/jre/lib/security
- $NCHOME/platform/arch/jre64_1.7.0/jre/lib/security
- %NCHOME%\platform\win32\jre_1.7.0\jre\lib\security