Configuring for FIPS 140-2 compliance

Federal Information Processing Standard (FIPS) compliance and certification are required when working in a US government environment. Compliance and certification are achieved through rigorous testing of the cryptographic modules or providers. DBB achieves compliance by using existing cryptographic modules that have met the rigorous testing requirements. The following information can be used to configure the Dependency Based Build server and toolkit for FIPS compliance.

NOTE: this information assumes that you are using an IBM Java Runtime Environment (JRE) in your server and toolkit environments. The IBM JRE includes the IBMJCEFIPS provider that has received certification for FIPS compliance. Some of the information may be different if you are using a different JRE or a different FIPS compliant module.

Configuration summary

To configure FIPS one must modify the JRE java.security file to include definitions for default socket factories and cryptography package providers. One must also define a system property, com.ibm.jsse2.usefipsprovider=true, when starting the JVM.

The java.security file defines security settings for your Java runtime environment. The JRE requires that the file is placed in $JAVA_HOME/lib/security. Your Java installation should include a default java.security.

For FIPS, ssl.SocketFactory.provider and ssl.ServerSocketFactory.provider must be defined or updated in the java.security file to use the JSSE2 runtime environment.

ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl 
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

Also, the cryptography package provider list must be modified using the security.provider.n properties where n is the preference order. The IBMJCEFIPS provider should go before other providers.

security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

DBB configuration

DBB provides an override java.security file with the above definitions that can be used instead of modifying the default java.security file. This is useful when you are using a common JRE with other products or access to the default java.security file is restricted. Provide the system property, java.security.properties, when starting your JVM to use the override java.security file.

NOTE: to use an override java.security file, the default java.security file must contain security.overridePropertiesFile=true.

DBB toolkit

The DBB toolkit includes /usr/lpp/IBM/dbb/conf/dbb.java.security override file for the default configuration for enabling FIPS in the toolkit. To use, include java.security.properties and com.ibm.jsse2.usefipsprovider as JVM options on either the command line or in your Jenkins build definition.

-Djava.security.properties=$DBB_CONF/dbb.java.security 
-Dcom.ibm.jsse2.usefipsprovider=true

DBB server

The DBB server includes wlp/usr/servers/dbb/dbb.java.security override file for the default configuration for enabling FIPS in the server. To use, edit the wlp/usr/servers/dbb/jvm.options and uncomment the following two lines by removing the pound (#) signs.

#-Djava.security.properties=dbb.java.security
#-Dcom.ibm.jsse2.usefipsprovider=true