Troubleshooting FIPS 140-3 on Liberty

You might encounter exceptions when using FIPS 140-3 and FIPS 140-3 approved algorithms in Liberty. Determine the cause of an exception and update the code to use FIPS 140-3 approved algorithms, or add the algorithm to the constraints in your custom profile file if needed.

If you are using SHA-1, you might see the following error, or a similar one, when FIPS 140-3 is enabled with IBM Semeru Runtimes:
java.security.NoSuchAlgorithmException: SHA-1 MessageDigest not available
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
	at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:185)
	at com.ibm.ws.wsoc.util.Utils.makeAcceptResponseHeaderValue(Utils.java:470)
	at com.ibm.ws.wsoc.HandshakeProcessor.makeAcceptResponseHeaderValue(HandshakeProcessor.java:440)
	at com.ibm.ws.wsoc.HandshakeProcessor.addResponseHeaders(HandshakeProcessor.java:237)
	at com.ibm.ws.wsoc.external.WsocHandlerImpl.handleRequest(WsocHandlerImpl.java:300)
	at com.ibm.ws.wsoc.external.WsocHandlerImpl.handleRequest(WsocHandlerImpl.java:161)
	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1283)
	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5096)
	at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:328)
	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1047)
	at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:293)
	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1563)
	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:761)
	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:625)
	at com.ibm.ws.http.netty.pipeline.inbound.HttpDispatcherHandler.newRequest(HttpDispatcherHandler.java:255)
	at com.ibm.ws.http.netty.pipeline.inbound.HttpDispatcherHandler$1.run(HttpDispatcherHandler.java:85)
	at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:344)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:853)

This error occurs because the Semeru Runtime FIPS 140-3 enforcement of cryptographic algorithms does not distinguish between the usage of the algorithms. SHA-1 is no longer considered secure for cryptographic operations. However, you can still use SHA-1 for noncryptographic operations. If the SHA-1 usage is not for cryptographic purposes, you can add the SHA-1 hash function to the custom profile file as an allowed constraint.

In the following example, the message digest SHA-1 hash exception is added to the custom profile file as an allowed constraint:
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty-Application.jce.provider.2 = sun.security.provider.Sun [+ \
    {MessageDigest, SHA-1, *, FullClassName:com.ibm.ws.wsoc.util.Utils}]
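
The constraint above names the class that asked for the algorithm, which is the first stack frame after the JCA lookup frames. The following Python sketch is an added example, not IBM or Liberty code: it reads a NoSuchAlgorithmException trace and prints the candidate constraint tuple for review. The function name and the sample, which is the first few frames of the trace above, are constructed for illustration.

```python
import re

# Constructed sample: the first frames of the SHA-1 trace shown on this page.
SAMPLE_TRACE = """\
java.security.NoSuchAlgorithmException: SHA-1 MessageDigest not available
\tat java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
\tat java.base/java.security.MessageDigest.getInstance(MessageDigest.java:185)
\tat com.ibm.ws.wsoc.util.Utils.makeAcceptResponseHeaderValue(Utils.java:470)
\tat com.ibm.ws.wsoc.HandshakeProcessor.makeAcceptResponseHeaderValue(HandshakeProcessor.java:440)
"""

# JCA reports a missing service as "<algorithm> <service type> not available".
HEADER = re.compile(r"NoSuchAlgorithmException: (\S+) (\w+) not available")
# "at [module/]package.Class.method(" -> optional module, then the class name.
FRAME = re.compile(r"^\s*at (?:([\w.]+)/)?([\w.$]+)\.[\w$<>]+\(")
# JCA lookup plumbing; the first frame past these requested the algorithm.
JCA_PREFIXES = ("sun.security.jca.", "java.security.", "javax.crypto.")


def candidate_constraint(trace):
    """Return (algorithm, service, caller class, constraint tuple) or None."""
    header = HEADER.search(trace)
    if header is None:
        return None  # no JCA header, e.g. the ORA-01005 or KrbException traces
    algorithm, service = header.groups()
    for line in trace.splitlines():
        frame = FRAME.match(line)
        if frame is None:
            continue  # header line or other non-frame text
        module, cls = frame.groups()
        if cls.startswith(JCA_PREFIXES):
            continue  # still inside the getInstance lookup
        if module:
            # Caller lives in a named module: use the module-qualified form.
            use = f"ModuleAndFullClassName:{module}/{cls}"
        else:
            use = f"FullClassName:{cls}"
        return algorithm, service, cls, f"{{{service}, {algorithm}, *, {use}}}"
    return None


if __name__ == "__main__":
    print(candidate_constraint(SAMPLE_TRACE))
```

The output is only a candidate. Whether it belongs in the custom profile file still depends on confirming that the caller's use of the algorithm is noncryptographic.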

If you are using Oracle JDBC, you might see the following error, or a similar one, when FIPS 140-3 is enabled with IBM Semeru Runtimes:
Caused by: java.sql.SQLException: ORA-01005: Login denied due to invalid password.

https://docs.oracle.com/error-help/db/ora-01005/ DSRA0010E: SQL State = 72000, Error Code = 1,005
	at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:709)
	at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:604)
	at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:599)
	at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:1807)
	at oracle.jdbc.driver.T4CTTIoauthenticate.processError(T4CTTIoauthenticate.java:903)
	at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:1101)
	at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:409)
	at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:530)
	at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTHWithO5Logon(T4CTTIoauthenticate.java:1712)
	at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1459)
	at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1399)
	at oracle.jdbc.driver.T4CConnection.authenticateWithPassword(T4CConnection.java:2032)
	at oracle.jdbc.driver.T4CConnection.authenticateUserForLogon(T4CConnection.java:1971)
	at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:1072)
	at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1147)
	at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:105)
	at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:886)
	at oracle.jdbc.datasource.impl.OracleDataSource.getPhysicalConnection(OracleDataSource.java:700)
	at oracle.jdbc.xa.client.OracleXADataSource.getPooledConnection(OracleXADataSource.java:631)
	at oracle.jdbc.xa.client.OracleXADataSource.getXAConnection(OracleXADataSource.java:225)
	at oracle.jdbc.xa.client.OracleXADataSource.getXAConnectionInternal(OracleXADataSource.java:268)
	at oracle.jdbc.xa.client.OracleXADataSource.getXAConnection(OracleXADataSource.java:166)
	at oracle.jdbc.xa.client.OracleXADataSource.getXAConnection(OracleXADataSource.java:138)
	at com.ibm.ws.rsadapter.impl.DatabaseHelper$1.run(DatabaseHelper.java:1509)
	at com.ibm.ws.rsadapter.impl.DatabaseHelper$1.run(DatabaseHelper.java:1502)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:787)
	at java.base/java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:843)
	at com.ibm.ws.rsadapter.impl.DatabaseHelper.getPooledConnection(DatabaseHelper.java:1502)
	at com.ibm.ws.rsadapter.impl.OracleHelper.getPooledConnection(OracleHelper.java:781)
	at com.ibm.ws.rsadapter.impl.WSManagedConnectionFactoryImpl.getConnection(WSManagedConnectionFactoryImpl.java:857)

In the following example, the com.ibm.crypto.plus.provider.OpenJCEPlus provider is registered and constraints are added to the custom profile file to work with Oracle JDBC:
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty-Application.jce.provider.51 = com.ibm.crypto.plus.provider.OpenJCEPlus [ \
  {SecretKeyFactory, PBKDF2WithHmacSHA512, *, FullClassName:oracle.jdbc.driver.OracleDriver}, \
  {MessageDigest, SHA-1, *, FullClassName:oracle.jdbc.driver.OracleDriver}]

If you are using Kerberos, you might see the following errors, or similar ones, when FIPS 140-3 is enabled with IBM Semeru Runtimes:
Caused by: javax.security.auth.login.LoginException: Algorithm HmacSHA1 not available
	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:785)
Caused by: KrbException: Algorithm HmacSHA1 not available
	at java.security.jgss/sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.encrypt(Aes256CtsHmacSha1EType.java:85)

Caused by: KrbException: Cannot find any provider supporting AES/CTS/NoPadding
	at java.security.jgss/sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.encrypt(Aes128CtsHmacSha1EType.java:85)

In the following example, support for the Ciphertext Stealing mode was added to the custom profile file:
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty-Application.jce.provider.2 = sun.security.provider.Sun [+ \
    {MessageDigest, SHA-1, *, ModuleAndFullClassName:java.base/com.sun.crypto.provider.HmacSHA1}]
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty-Application.jce.provider.4 = com.sun.crypto.provider.SunJCE [+ \
    {Cipher, AES, *, ModuleAndFullClassName:openjceplus/com.ibm.crypto.plus.provider.AESCipher}, \
    {Cipher, AES, *, ModuleAndFullClassName:java.security.jgss/sun.security.krb5.internal.crypto.Aes128CtsHmacSha2EType}, \
    {Cipher, AES, *, ModuleAndFullClassName:java.security.jgss/sun.security.krb5.internal.crypto.Aes256CtsHmacSha2EType}, \
    {Cipher, AES, *, ModuleAndFullClassName:java.security.jgss/sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType}, \
    {Cipher, AES, *, ModuleAndFullClassName:java.security.jgss/sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType}, \
    {Mac, HmacSHA1, *, ModuleAndFullClassName:java.security.jgss/sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType}, \
    {Cipher, HmacSHA1, *, ModuleAndFullClassName:java.security.jgss/sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType}]

When it is difficult to determine which algorithm is missing on IBM Semeru Runtime for FIPS 140-3, add the following JVM option to the jvm.options file to enable detailed logging:
-Xdump:stack:events=throw+systhrow+catch

To enable debugging for IBM Semeru Runtime for FIPS 140-3, set the following JVM option in the jvm.options file:
-Djava.security.debug=semerufips