WebSphere Application Server security standards configurations
WebSphere® Application Server can be configured to work with various security standards, which are typically used to meet security requirements that are required by the government.
WebSphere Application Server integrates cryptographic modules, which include Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE). Most of the requirements in the standards are handled in the JSSE and JCE, which must undergo the certification process to meet government standards. WebSphere Application Server must be configured to run with the JSSE and JCE enabled for a particular standard, and now supports the FIPS 140-2, SP800-131 and Suite B security standards.
- FIPS 140-2 are Federal Information Processing Standards (FIPS) that specify requirements
on cryptographic modules. Many users can be configured to use this level, but might be required to
move up to the newer SP800-131 or Suite B standard.
See the National Institute of Standards and Technology website for more information about the 140-2 standard.
To configure FIPS 140-2, see the topic Configuring Federal Information Processing Standard Java Secure Socket Extension files.
- SP800-131 is a requirement originated by the National Institute of Standards and
Technology (NIST) which requires longer key lengths and stronger cryptography. The specification
also provides a transition configuration to enable users to move to a strict enforcement of
SP800-131. The transition configuration also enables users to run with a mixture of settings from
both FIPS140-2 and SP800-131. SP800-131 can be run in two modes,
transition
andstrict
.Strict enforcement of SP800-131 requirements on WebSphere Application server includes the following requirements:- The use of the TLSv1.2 protocol for the Secure Sockets Layer (SSL) context.
- Certificates must have a minimum length of 2048. Elliptical Curve (EC) certificate require a minimum size of 244-bit curves.
- Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid
signatureAlgorithms include the following signatures:
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
- SP800-131 approved Cipher suites
See the National Institute of Standards and Technology website for more details about the SP800-131 standard.
See the topic Transitioning WebSphere Application Server to the SP800-131 security standard for information on how to transition WebSphere Application Server to the SP800-131 strict standard. See the topic Configuring WebSphere Application Server for SP800-131 standard strict mode for information on how to configure SP800-131.
- Suite B is a requirement that is originated by the National Security
Agency (NSA) to specify a cryptographic interoperability strategy. This standard is similar to
SP800-131 with some tighter restrictions. Suite B can run in two modes: 128-bit or 192-bit. The
restricted policy file provides encryption for the 128-bit mode, and it is applied by default. If
you are using 192-bit mode, you must apply the unrestricted policy file to the JDK so that the
stronger cipher required for the 192-bit mode can be used.
The following table lists the maximum key sizes that the restricted policy file allows for IBMJCE and IBMJCECCA algorithms. Users who require stronger encryption must use the unrestricted policy file.
Table 1. Restricted policy file values Algorithm Maximum key size in bits DES 64 DESede 96 RC2 128 RC4 128 RC5 128 RSA 2048 All other algorithms 128 To apply the unrestricted policy files, copy the US_export_policy.jar and the local_policy.jar files from the WAS_HOME/java/J5.0/lib/security directory to the WAS_HOME/java/J5.0/demo/jce/policy-files/unrestricted directory.
Suite B requirements on WebSphere Application Server include:- The use of the TLSv1.2 protocol for the SSL Context
- Suite B approved Cipher suites
- Certificates:
- 128 bit mode certificates must be signed with SHA256withECDSA
- 192 bit mode certificates must be signed with SHA384withECDSA
- Ciphers:
- SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
See the topic Configuring WebSphere Application Server for the Suite B security standard for information about how to configure Suite B.
Properties used to enable the Security Standards
The IBM® virtual machine for Java™ (JVM) runs in a given security mode that is based on system properties. WebSphere Application Server sets these system properties that are based on security configuration settings. The security configuration can be set up through the administrative console or through scripting admin tasks. If an application sets these properties directly, it can affect WebSphere Application Server SSL communication.
Security standard | System property to enable | Valid values |
---|---|---|
FIPS 140-2 | com.ibm.jsse2.usefipsprovider | true or false |
SP800-131 | com.ibm.jsse2.sp800-131 | transition or strict |
Suite B | com.ibm.jsse2.suiteb | 128 or 192 |
WebSphere Application Server configuration clears out all of these properties if they are set, then sets them to how the security configuration is specified. WebSphere Application Server enables the security standard that is based on the custom properties set in the security configuration.
WebSphere Application Server security custom properties to enable the security standard
Security standard | Security custom properties | JVM system property |
---|---|---|
FIPS 140-2 |
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=FIPS140-2 |
com.ibm.jsse2.usefipsprovider=true |
SP800-131- transition |
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=transition |
com.ibm.jsse2.sp800-131=transition |
SP800-131 – strict |
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=SP800-131 |
com.ibm.jsse2.sp800-131=strict |
Suite b 128 |
com.ibm.security.useFips=true
com.ibm.websphere.security.suiteb=128 |
com.ibm.jsse2.suiteb=128 |
Suite b 192 |
com.ibm.security.useFips=true
com.ibm.websphere.security.suiteb=192 |
com.ibm.jsse2.suiteb=192 |