Running IBMJSSE2 in FIPS mode
You can enable the
IBMJSSE2 provider to run in
Support for the FIPS 140-2 standardIn order to meet the requirements specified in the FIPS publication 140-2, the cryptographic algorithms used by the
IBMJSSE2Provider are isolated into the
IBMJCEPlusFIPSprovider cryptographic module. When in FIPS mode, the
IBMJSSE2Provider uses the cryptographic modules in an approved manner, and therefore
IBMJSSE2complies with the FIPS 140-2 requirements when properly configured. Since cryptographic functionality is performed by
IBMJCEPlusFIPS, JSSE changes that affect the
IBMJSSE2provider only and not the cryptography, do not require a new certification.
Enabling FIPS mode
You enable FIPS mode by setting properties and updating the java.security
file. You do not need to make changes to the application to support
running in FIPS mode.
Note that a single JVM cannot be in FIPS mode and have non-FIPS mode JSSE applications running at
the same time. Also note that
IBMJSSE2 in FIPS mode and
using hardware cryptography is not supported.
- Set the following system property to enable FIPS mode in the IBMJSSE2
The default value for this property is
false, which specifies that IBMJSSE2 does not run in FIPS mode. For information about setting system properties, see How to Specify a java.lang.system Property.Note: You can use the FIPS 140-2 standard in addition to the SP800-131a and Suite B standards. Therefore, the
com.ibm.jsse2.usefipsprovidersystem property only enables IBMJSSE2 to run using the IBMJCEFIPS provider. The property does not verify that you are using the correct protocol or cipher suites that are required for FIPS 140-2 compliance. You are responsible for this verification.
- Set the following system property to specify the JCE FIPS
provider that you want to use:
IBMJCEPlusFIPS. The default is
- Set the following security properties to ensure that the IBMJSSE2 Provider is used to handle all
JSSE requests. For information about setting security properties, see How to Specify a java.security.Security Property.
- Add the JCE FIPS provider that you
want to use to the provider list in the
JAVA_HOME/jre/lib/security/java.security file before any
other cryptographic provider (
com.ibm.crypto.*), using the following strings:
com.ibm.crypto.plus.provider.IBMJCEPlusFIPS. From service refresh 6, fix pack 25, this provider is already in the list so you need only to move it.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus security.provider.5=com.ibm.security.jgss.IBMJGSSProvider …
Deprecated system property
In releases before version 7 service refresh 1, you used the
com.ibm.jsse2.JSSEFIPS system property to enable IBMJSSE2 to run in FIPS mode. This
property was deprecated in version 7 service refresh 1. This system property does not support the
TLS 1.1 or 1.2 protocols, or the elliptic curve, AES-GCM, or other new cipher suites that were added
in version 7 service refresh 1. This system property also does not support SP800-131a or Suite B
compliance; the property exists only for compatibility reasons.
- The SSL protocol must be TLS 1.0. The SSLv3 protocol is not allowed when in FIPS mode. If the client or the server have requested to handshake using the SSLv3 protocol while in FIPS mode, the handshake will fail.
- Only the following cipher suites are allowed:
- SSL_RSA_WITH_AES_256_CBC_SHA **
- SSL_DHE_RSA_WITH_AES_256_CBC_SHA **
- SSL_DHE_DSS_WITH_AES_256_CBC_SHA **
- SSL_DH_anon_WITH_AES_256_CBC_SHA **