Enabling FIPS Mode in the IBMJSSE2 Provider

Enabling FIPS mode in the IBMJSSE2 provider requires three things: setting the IBMJSSE2 FIPS system property to enable FIPS mode, setting security properties so that all JSSE code uses the IBMJSSE2 provider and therefore runs in FIPS mode, and adding the IBMJCEFIPS or IBMJCEPlusFIPS cryptographic provider. No changes to the application are required to support IBMJSSE2 running in FIPS mode.

Note that a single JVM cannot be in FIPS mode and have non-FIPS mode JSSE applications executing at the same time. Also note that running IBMJSSE2 in FIPS mode together with IBMJSSE2 hardware cryptography is not supported.

  1. Set the following system property to enable FIPS mode in the IBMJSSE2 provider:
    • com.ibm.jsse2.usefipsprovider=true
    The com.ibm.jsse2.JSSEFIPS=true system property is deprecated because it does not support TLS 1.1, TLS 1.2, elliptic curve, AES-GCM or other new cipher suites.
    Note: You can use the FIPS 140-2 standard in addition to the SP800-131a and Suite B standards. Therefore, the com.ibm.jsse2.usefipsprovider system property only enables IBMJSSE2 to run using the IBMJCEFIPS provider. The property does not verify that you are using the correct protocol or cipher suites that are required for FIPS 140-2 compliance, as the com.ibm.jsse2.JSSEFIPS system property used to do. When you use the com.ibm.jsse2.usefipsprovider system property, you are responsible for this verification.
  2. Ensure that the JCE FIPS provider that you want to use is in the provider list in the JAVA_HOME/jre/lib/security/java.security file. For example:
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    …
  3. Set the following system property to specify the JCE FIPS provider that you want to use:
    • com.ibm.jsse2.usefipsProviderName=<provider_name>, where <provider_name> is either IBMJCEFIPS or IBMJCEPlusFIPS. The default is IBMJCEFIPS.
  4. Set the following security properties to ensure that the IBMJSSE2 Provider is used to handle all JSSE requests.
    • ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    • ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
  5. Add the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS) or the IBMJCEPlusFIPS provider (com.ibm.crypto.plus.provider.IBMJCEPlusFIPS) to the provider list before the IBMJCE provider. Do not remove the IBMJCE provider; it is still required for KeyStore support.
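The following POSIX shell script is an added example and is not part of the IBM documentation or the IBM SDK. It checks a java.security file against steps 2, 4 and 5 above (a FIPS provider is listed, it precedes IBMJCE, IBMJCE is still present, and the two ssl.*Factory.provider security properties select IBMJSSE2), and it assembles the JVM -D flags from steps 1 and 3. The two sample file contents are constructed for the demonstration, the check logic is the author's own rather than anything IBM ships, and app.jar in the final launch line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: verify a java.security file
# follows the FIPS-mode provider layout (steps 2, 4, 5) and print the JVM
# system properties for steps 1 and 3. Sample contents below are constructed.

# Constructed fragment that matches the ordering shown in step 2.
SAMPLE_GOOD='security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl'

# Constructed misconfiguration: the FIPS provider is listed after IBMJCE and
# the ssl.*Factory.provider security properties are missing.
SAMPLE_BAD='security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS'

# provider_rank FILE CLASS_REGEX: print the N of the first security.provider.N
# line naming that class, or nothing if the class is not listed.
provider_rank() {
    sed -n "s/^security\.provider\.\([0-9][0-9]*\)=$2\$/\1/p" "$1" | head -n 1
}

# check_fips_config FILE: succeed only if the file satisfies steps 2, 4 and 5.
check_fips_config() {
    f=$1
    jce=$(provider_rank "$f" 'com\.ibm\.crypto\.provider\.IBMJCE')
    fips=$(provider_rank "$f" 'com\.ibm\.crypto\.fips\.provider\.IBMJCEFIPS')
    [ -n "$fips" ] || fips=$(provider_rank "$f" 'com\.ibm\.crypto\.plus\.provider\.IBMJCEPlusFIPS')

    [ -n "$jce" ] || { echo "IBMJCE missing: still required for KeyStore support" >&2; return 1; }
    [ -n "$fips" ] || { echo "no IBMJCEFIPS or IBMJCEPlusFIPS provider listed" >&2; return 1; }
    [ "$fips" -lt "$jce" ] || { echo "FIPS provider (#$fips) must precede IBMJCE (#$jce)" >&2; return 1; }
    grep -q '^ssl\.SocketFactory\.provider=com\.ibm\.jsse2\.SSLSocketFactoryImpl$' "$f" \
        || { echo "ssl.SocketFactory.provider is not set to IBMJSSE2" >&2; return 1; }
    grep -q '^ssl\.ServerSocketFactory\.provider=com\.ibm\.jsse2\.SSLServerSocketFactoryImpl$' "$f" \
        || { echo "ssl.ServerSocketFactory.provider is not set to IBMJSSE2" >&2; return 1; }
    return 0
}

# fips_jvm_args PROVIDER_NAME: print the -D flags from steps 1 and 3. Only the
# two documented provider names are accepted; the deprecated
# com.ibm.jsse2.JSSEFIPS property is deliberately not emitted.
fips_jvm_args() {
    case $1 in
        IBMJCEFIPS|IBMJCEPlusFIPS) ;;
        *) echo "provider name must be IBMJCEFIPS or IBMJCEPlusFIPS" >&2; return 1 ;;
    esac
    printf '%s %s\n' "-Dcom.ibm.jsse2.usefipsprovider=true" \
        "-Dcom.ibm.jsse2.usefipsProviderName=$1"
}

# Demo: check both constructed files, then show a launch line (app.jar is a placeholder).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_GOOD" > "$demo_file"
check_fips_config "$demo_file" && echo "SAMPLE_GOOD: OK"
printf '%s\n' "$SAMPLE_BAD" > "$demo_file"
check_fips_config "$demo_file" || echo "SAMPLE_BAD: rejected as expected"
rm -f "$demo_file"
echo "java $(fips_jvm_args IBMJCEPlusFIPS) -jar app.jar"
```

Run the script as-is to see the good file accepted and the misordered one rejected with the reason; point check_fips_config at a real JAVA_HOME/jre/lib/security/java.security to check an installation. The check deliberately requires IBMJCE to remain present, because removing it is the common mistake that breaks KeyStore support, and it only validates provider placement and property values; as the note on step 1 says, protocol and cipher-suite selection for FIPS 140-2 compliance remains the application owner's responsibility.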