Setting up Liberty for FIPS compliance

Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. You can set up Liberty to comply with FIPS requirements by setting system properties and specifying a FIPS-validated security provider.

Before you begin

To prepare your Liberty server for FIPS compliance, you must complete the following prerequisites:

To run FIPS-compliant applications on Liberty, you must use either IBM SDK 8 with IBMJSSE2 FIPS provider or IBM Semeru Runtimes as your Java platform.

Running in FIPS mode with the IBM SDK, Java Technology Edition is supported for Java 8 only. For information about running FIPS-compliant Liberty applications with Java 11 or Java 17 on IBM Semeru Runtimes, see Run FIPS-compliant applications on the Open Liberty website.

About this task

Federal agencies and other industries rely on cryptography to protect digital information, which is known as data at rest, and communications, which are known as data in motion. FIPS specifies the security requirements that a cryptographic module must satisfy to protect sensitive information. The FIPS certification process requires testing by a NIST-accredited lab and assures users that a specific technology can be used to secure sensitive information. For more information about FIPS, see the National Institute of Standards and Technology.

Procedure

  • In the jvm.options file, set the correct system properties to enable FIPS mode for the IBMJSSE2 provider.

    For the FIPS 140-2 standard, set the com.ibm.jsse2.usefipsprovider system property to true. You must also set the com.ibm.jsse2.usefipsProviderName property to specify a validated FIPS provider.

    In the following jvm.options file example, the first property enables FIPS mode and the second property specifies IBMJCEPlusFIPS as the FIPS provider:
    -Dcom.ibm.jsse2.usefipsprovider=true
    -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

    For more information about how to set system properties in the jvm.options file, see Customizing the Liberty environment.

  • Add a Java Cryptography Extension (JCE) FIPS security provider to the provider list in the java.security file.

    The java.security file is located in the ${JAVA_HOME}/jre/lib/security directory. By default, this file does not include a FIPS security provider. Security providers are listed in the file by order of preference, as specified by the security provider number.

    In the following java.security file example, the com.ibm.jsse2.IBMJSSEProvider2 security provider is specified as the highest priority security provider, followed by the IBMJCEPlusFIPS provider:

    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    ...

    For more information about JCE security provider options, see the IBM SDK, Java Technology Edition 8: Security guide.
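    The two files must agree with each other: the provider named in jvm.options has to appear in the java.security provider list, and it should be preferred over the non-FIPS JCE providers that follow it in the example above. The following Python script, added here as an example and not part of IBM's documentation or product, parses constructed copies of both files and reports any mismatch. It assumes that usefipsProviderName holds the provider's short class name (as in the example) and that IBMJCEPlus and IBMJCE are the non-FIPS providers that must not outrank it.

```python
import re

# Constructed sample file contents, not taken from a real installation.
JVM_OPTIONS = """\
-Xmx1024m
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
"""

JAVA_SECURITY = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""

# Constructed default-style java.security with no FIPS provider at all.
JAVA_SECURITY_NO_FIPS = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.crypto.provider.IBMJCE
"""

NON_FIPS_JCE = ("IBMJCEPlus", "IBMJCE")  # assumed non-FIPS providers


def parse_jvm_options(text):
    """Return the -Dkey=value system properties set in a jvm.options file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-D") and "=" in line:
            key, _, value = line[2:].partition("=")
            props[key] = value
    return props


def parse_providers(text):
    """Return provider class names ordered by their security.provider.N number."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)", line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return [found[n] for n in sorted(found)]


def check_fips_config(jvm_text, security_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    props = parse_jvm_options(jvm_text)
    short_names = [p.rsplit(".", 1)[-1] for p in parse_providers(security_text)]
    if props.get("com.ibm.jsse2.usefipsprovider") != "true":
        findings.append("com.ibm.jsse2.usefipsprovider is not set to true")
    name = props.get("com.ibm.jsse2.usefipsProviderName")
    if not name:
        findings.append("com.ibm.jsse2.usefipsProviderName is not set")
    elif name not in short_names:
        findings.append(f"FIPS provider {name} is not listed in java.security")
    else:
        for other in NON_FIPS_JCE:  # any non-FIPS JCE provider ranked higher?
            if other in short_names and short_names.index(other) < short_names.index(name):
                findings.append(f"non-FIPS provider {other} is preferred over {name}")
    return findings


if __name__ == "__main__":
    print(check_fips_config(JVM_OPTIONS, JAVA_SECURITY) or "FIPS configuration is consistent")
```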