Configuring Federal Information Processing Standard Java Secure Socket Extension files
Use this topic to configure Federal Information Processing Standard Java™ Secure Socket Extension files.
About this task
WebSphere Application Server provides a FIPS-approved IBMJCEPlusFIPS provider that IBMJSSE2 can use.
In versions before 9.0.5.15, WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can use.
When you enable the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane, the runtime always uses IBMJSSE2, regardless of the contextProvider that you specify for SSL (IBMJSSE or IBMJSSE2). Because FIPS requires TLS 1.2 as the SSL protocol, the runtime always uses TLSv1.2 when FIPS is enabled, regardless of the SSL/TLS protocol setting in the SSL repertoire. This simplifies the FIPS configuration in WebSphere Application Server Version 9.0: an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane to enable FIPS for all transports that use SSL.
Procedure
What to do next
- By default, Microsoft Internet Explorer might not have TLS 1.2 enabled. To enable TLS 1.2, open the Internet Explorer browser and open Internet Options. On the Advanced tab, select the Use TLS 1.2 option.
Note: Netscape Version 4.7.x and earlier versions might not support TLS.
- When you select the Use the Federal Information Processing Standard (FIPS) option on the SSL certificate and key management pane, the Lightweight Third-Party Authentication (LTPA) token format is not compatible with earlier versions of WebSphere Application Server. However, you can import the LTPA keys from a previous version of the application server.
- Note: The current WebSphere Application Server limitation is that the key length of secret keys is not evaluated for FIPS SP 800-131A compliance. If secret keys are in the keystore, check the key length by using iKeyman in the {WebSphere_install_dir}\java\jre\bin directory or by using other keystore tools.
- If the following exception occurs, uncomment the following entry in the java.security file if it was previously removed or commented out, and then restart the server:
ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorException
security.provider.2=com.ibm.crypto.provider.IBMJCE
- IBMJCEPlusFIPS (certificate 376)
- In versions before 9.0.5.15, IBMJCEFIPS (certificate 376)
- IBM Cryptography for C (IBM Content Collector) (certificate 384)
- In the ssl.client.props file, you must change the com.ibm.security.useFIPS value to false.
- In the java.security file, you must change the FIPS provider to a non-FIPS provider.
If you are using the IBM SDK java.security file, you must change the first provider to a non-FIPS provider, as shown in the following example. The FIPS entry is kept as a comment and IBMJCE takes its slot, so the remaining providers keep their numbering.
#security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.7=com.ibm.security.cmskeystore.CMSProvider
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.security.sasl.IBMSASL
security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.12=org.apache.harmony.security.provider.PolicyProvider
If the provider list in your java.security file includes the com.ibm.i5os.jsse.JSSEProvider and com.ibm.crypto.pkcs11.provider.IBMPKCS11 providers, make the same change, as shown in the following example.
#security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.i5os.jsse.JSSEProvider
security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.security.cmskeystore.CMSProvider
security.provider.10=com.ibm.security.sasl.IBMSASL
security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.13=org.apache.harmony.security.provider.PolicyProvider
In versions before 9.0.5.15, the FIPS provider is IBMJCEFIPS (class com.ibm.crypto.fips.provider.IBMJCEFIPS). Comment it out and put IBMJCE in its slot in the same way, as shown in the following example.
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.7=com.ibm.security.cmskeystore.CMSProvider
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.security.sasl.IBMSASL
security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.12=org.apache.harmony.security.provider.PolicyProvider
For a pre-9.0.5.15 provider list that includes com.ibm.i5os.jsse.JSSEProvider and com.ibm.crypto.pkcs11.provider.IBMPKCS11, the result looks like the following example.
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.i5os.jsse.JSSEProvider
security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.security.cmskeystore.CMSProvider
security.provider.10=com.ibm.security.sasl.IBMSASL
security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.13=org.apache.harmony.security.provider.PolicyProvider
If you are using the Oracle Java SE Development Kit java.security file, you must change the second provider to a non-FIPS provider, as shown in the following example. As with the IBM SDK file, the FIPS entry stays in the file as a comment and the non-FIPS provider takes the same slot.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
#security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=sun.security.provider.Sun
In versions before 9.0.5.15, the second provider is IBMJCEFIPS (class com.ibm.crypto.fips.provider.IBMJCEFIPS). Comment it out and put IBMJCEPlus (class com.ibm.crypto.plus.provider.IBMJCEPlus) in its slot, as shown in the following example.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
#security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=sun.security.provider.Sun
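The two steps above (set com.ibm.security.useFIPS to false in ssl.client.props and swap the FIPS provider for a non-FIPS one in java.security) are easy to half-finish, leaving the client properties and the JCE provider list in disagreement. The following Python script is an added example and is not IBM or WebSphere code. It audits both files, performs the provider swap the way the examples above show it (the FIPS line kept as a comment, the non-FIPS provider in the same slot), and checks that the two files agree. It assumes the caller reads and writes the real files; the java.security and ssl.client.props contents embedded in the block are constructed from the IBM SDK provider list on this page.

```python
"""Audit and switch the FIPS settings this page describes.

Added example, not IBM or WebSphere code. Assumes the file layouts shown on
the page: java.security lines of the form security.provider.N=<class> and the
ssl.client.props key com.ibm.security.useFIPS. Reading and writing the real
files is left to the caller; the sample contents below are constructed.
"""
import re
from typing import Dict, Optional

# FIPS providers named on the page: IBMJCEPlusFIPS (9.0.5.15 and later), IBMJCEFIPS (earlier).
FIPS_PROVIDERS = {
    "com.ibm.crypto.plus.provider.IBMJCEPlusFIPS",
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
}
# Group 1 is "#" for a commented-out entry, group 2 the slot number, group 3 the class.
PROVIDER_RE = re.compile(r"^(#?)\s*security\.provider\.(\d+)\s*=\s*(\S+)$")
# [ \t]* rather than \s* so the match never swallows the line break on substitution.
USE_FIPS_RE = re.compile(
    r"^[ \t]*com\.ibm\.security\.useFIPS[ \t]*=[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def active_providers(java_security: str) -> Dict[int, str]:
    """Uncommented provider entries keyed by slot number."""
    found: Dict[int, str] = {}
    for line in java_security.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m and m.group(1) == "":
            found[int(m.group(2))] = m.group(3)
    return found


def fips_provider_active(java_security: str) -> bool:
    """True when an uncommented FIPS provider is in the list."""
    return any(c in FIPS_PROVIDERS for c in active_providers(java_security).values())


def disable_fips_provider(java_security: str, replacement: str) -> str:
    """Comment out the active FIPS provider and put `replacement` in its slot.

    Mirrors the page's examples: the FIPS line stays as a comment and the
    non-FIPS provider takes the same slot, so later entries keep their numbers.
    Refuses to list a provider twice and fails loudly if nothing was changed.
    """
    if replacement in active_providers(java_security).values():
        raise ValueError(f"{replacement} is already an active provider")
    out, changed = [], False
    for line in java_security.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m and m.group(1) == "" and m.group(3) in FIPS_PROVIDERS:
            out.append(f"#security.provider.{m.group(2)}={m.group(3)}")
            out.append(f"security.provider.{m.group(2)}={replacement}")
            changed = True
        else:
            out.append(line)
    if not changed:
        raise ValueError("no active FIPS provider found in java.security")
    return "\n".join(out) + "\n"


def use_fips_setting(ssl_client_props: str) -> Optional[bool]:
    """Value of com.ibm.security.useFIPS, or None when the key is absent."""
    m = USE_FIPS_RE.search(ssl_client_props)
    return None if m is None else m.group(1).lower() == "true"


def set_use_fips(ssl_client_props: str, enabled: bool) -> str:
    """Rewrite com.ibm.security.useFIPS in place, or append it if missing."""
    entry = f"com.ibm.security.useFIPS={'true' if enabled else 'false'}"
    if USE_FIPS_RE.search(ssl_client_props):
        return USE_FIPS_RE.sub(entry, ssl_client_props)
    return ssl_client_props.rstrip("\n") + "\n" + entry + "\n"


def fips_consistent(java_security: str, ssl_client_props: str) -> bool:
    """Both files agree: a FIPS provider is active iff useFIPS is true (absent key counts as false)."""
    return fips_provider_active(java_security) == bool(use_fips_setting(ssl_client_props))


# Constructed sample: the IBM SDK provider list from this page, FIPS still enabled.
SAMPLE_JAVA_SECURITY = "\n".join([
    "security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS",
    "security.provider.2=com.ibm.jsse.IBMJSSEProvider",
    "security.provider.3=com.ibm.jsse2.IBMJSSEProvider2",
    "security.provider.4=com.ibm.security.jgss.IBMJGSSProvider",
    "security.provider.5=com.ibm.security.cert.IBMCertPath",
    "security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl",
    "security.provider.7=com.ibm.security.cmskeystore.CMSProvider",
    "security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO",
    "security.provider.9=com.ibm.security.sasl.IBMSASL",
    "security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider",
    "security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider",
    "security.provider.12=org.apache.harmony.security.provider.PolicyProvider",
]) + "\n"
SAMPLE_SSL_CLIENT_PROPS = "com.ibm.ssl.protocol=TLSv1.2\ncom.ibm.security.useFIPS=true\n"
```

Run the functions against fresh copies of both files before restarting the server. Pass com.ibm.crypto.provider.IBMJCE as the replacement for an IBM SDK file and com.ibm.crypto.plus.provider.IBMJCEPlus for an Oracle JDK file, matching the examples above; a False from fips_consistent means one of the two edits is missing.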