Setting up Liberty for FIPS compliance

Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. You can set up Liberty to comply with FIPS requirements by setting system properties.

Before you begin

Distributed: [AIX MacOS Linux Windows] For information about FIPS 140-3 support with the IBM SDK, Java Technology Edition 8, see FIPS 140-3 in the IBM SDK documentation.

Important:

Distributed: [AIX MacOS Linux Windows] Running Liberty in FIPS 140-3 mode is supported for Java SE 8 only and you must use the IBM SDK for Java 8.0.8.30 or later.

For IBM i platforms The IBM i platform does not support FIPS 140-3.

For z/OS platforms FIPS 140-3 is not yet supported on z/OS®.

For Java SE 11 and later, you can run Liberty in FIPS 140-2 mode with IBM Semeru Runtimes. For more information, see Run FIPS-compliant applications on the Open Liberty website.

About this task

Federal agencies and other industries rely on cryptography to protect digital information, which is known as data at rest, and communications, which are known as data in motion. FIPS specifies the security requirements that a cryptographic module must satisfy to protect sensitive information. The FIPS certification process requires testing by a NIST-accredited lab and assures users that a specific technology can be used to secure sensitive information. For more information about FIPS, see the National Institute of Standards and Technology.

Procedure

To enable FIPS 140-3, complete the following steps.

If your Liberty server is running, stop the Liberty server.
Set the following properties in the jvm.options file.
```
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
-Xenablefips140-3
```
In this example, the com.ibm.jsse2.usefipsProviderName property specifies IBMJCEPlusFIPS as the FIPS provider. For more information about system properties in the jvm.options file, see Customize JVM options by using jvm.options files.
If you have LTPA keys, delete the ltpa.keys file. The default location of the ltpa.keys file is ${server.output.dir}/resources/security/ltpa.keys.
If you have LTPA validation keys, delete the LTPA validation keys.
After you set the properties in the jvm.options file, restart the Liberty server to enable FIPS 140-3. A new ltpa.keys file is created when the Liberty server restarts.
To create new LTPA keys and LTPA validation keys that use FIPS 140-3 approved algorithms, run the following createLTPAKeys command.
```
securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes
```
For more information about the createLTPAKeys command, see createLTPAKeys.

To enable FIPS 140-2, complete the following steps.

Note:

The FIPS 140-2 certification for IBM SDK 8 expired and is no longer compliant with NIST security standards.
To maintain compliance and adhere to the latest security requirements, enable FIPS 140-3.
For more information about the FIPS 140-2 certification, see IBM JCE FIPS 140-2 Cryptographic Module Security Policy

In the jvm.options file, set the correct system properties to enable FIPS mode for the IBMJSSE2 provider.
For the FIPS140-2 standard, set the com.ibm.jsse2.usefipsprovider system property to true. You must also to set the com.ibm.jsse2.usefipsProviderName property to specify a validated FIPS provider.
In the following jvm.options file example, this property specifies IBMJCEPlusFIPS as the FIPS provider:
```
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
```
In the following jvm.options file example, this property specifies IBMJCEFIPS as the FIPS provider since IBMJCEPlusFIPS is not supported. For more information, see FIPS 140-3:
```
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEFIPS
-Djava.security.properties=${server.config.dir}/java.security
```
For more information about how to set system properties in the jvm.options file, see Customizing the Liberty environment.
Add a Java™ Cryptography Extension (JCE) FIPS security provider to the provider list in the java.security file.
The java.security file is located in the ${JAVA_HOME}/jre/lib/security directory. By default, this file does not include a FIPS security provider. Security providers are listed in the file by order of preference, as specified by the security provider number.

For more information about JCE security provider options, see the IBM SDK, Java Technology Edition 8: Security guide.
In the following java.security file example, the com.ibm.jsse2.IBMJSSEProvider2 security provider is specified as the highest priority security provider:
```
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.provider.IBMJCE
...
```
In the following java.security file example, the com.ibm.jsse2.IBMJSSEProvider2 security provider is specified as the highest priority security provider:
```
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.4=com.ibm.crypto.fips.provider.IBMJCEFIPS

jdk.tls.disabledAlgorithms=RSASSA-PSS, PSS, RSAPSS, RSA-PSS, RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE, RSA_PSS_SHA256,....
```
For this example, add the IBMJCEFIPS provider to your customized ${server.config.dir}/java.security file. Copy the jdk.tls.disabledAlgorithms value from the ${JAVA_HOME}/jre/lib/security/java.security file and append the RSASSA-PSS, PSS, RSAPSS, RSA-PSS, RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE, RSA_PSS_SHA256 values to it.

What to do next

When you use FIPS 140-3, make sure that the LTPA keys that are created use FIPS 140-3 approved algorithms. For more information about LTPA, see Configuring LTPA in Liberty.