Configuring Federal Information Processing Standard Java Secure Socket Extension files
Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files.
About this task
WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can use.
WebSphere Application Server provides a FIPS-approved IBMJCEPlusFIPS provider that IBMJSSE2 can use.
In versions before 8.5.5.23, WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can use.
When enabling the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane, the runtime always uses IBMJSSE2, despite the contextProvider that you specify for SSL (IBMJSSE or IBMJSSE2S). FIPS requires TLS 1.2 as the SSL protocol, the runtime always uses TLSv1.2 when FIPS is enabled, regardless of the SSL/TLS protocol setting in the SSL repertoire. This simplifies the FIPS configuration in WebSphere Application Server because an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane to enable all transports using SSL.
Procedure
What to do next
- A browser might not have TLS 1.2 enabled by default. Check the browser settings to ensure that it is set to use TLS 1.2.
- When you select the Use the Federal Information Processing Standard (FIPS) option on the SSL certificate and key management pane, the Lightweight Third-Party Authentication (LTPA) token format is not compatible with an earlier versions of WebSphere Application Server. However, you can import the LTPA keys from a previous version of the application server.
-
Note: The current WebSphere Application Server limitation is that the key length in secret keys is not evaluated for FIPS sp800-131a compliance. If secret keys are in the keystore, then check the key length by using iKeyman in the {WebSphere_install_dir}\java\jre\bin directory or by using other keystore tools.
ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorExceptionUncomment the following entry in the java.security file if it was previously removed or commented out, then restart the server:
security.provider.2=com.ibm.crypto.provider.IBMJCE
- IBMJCEFIPS (certificate 376)
- IBMJCEPlusFIPS (certificate 376)
- In versions before 8.5.5.23, IBMJCEFIPS (certificate 376)
- IBM Cryptography for C (IBM Content Collector) (certificate 384)
- In the ssl.client.props file, you must change the com.ibm.security.useFIPS value to false.
- In the java.security file, you must change the FIPS provider to a non-FIPS
provider.If you are using the IBM SDK java.security file, you must change the first provider to a non-FIPS provider as shown in the following example.
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl security.provider.7=com.ibm.security.cmskeystore.CMSProvider security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=com.ibm.security.sasl.IBMSASL security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider security.provider.12=org.apache.harmony.security.provider.PolicyProvider
#security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl security.provider.7=com.ibm.security.cmskeystore.CMSProvider security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=com.ibm.security.sasl.IBMSASL security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider security.provider.12=org.apache.harmony.security.provider.PolicyProvider
In versions before 8.5.5.23, use the following example.#security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.i5os.jsse.JSSEProvider security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11 security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=com.ibm.security.cmskeystore.CMSProvider security.provider.10=com.ibm.security.sasl.IBMSASL security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider security.provider.13=org.apache.harmony.security.provider.PolicyProvider
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl security.provider.7=com.ibm.security.cmskeystore.CMSProvider security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=com.ibm.security.sasl.IBMSASL security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider security.provider.12=org.apache.harmony.security.provider.PolicyProvider
#security.provider.1=com.ibm.crypto.plus.provider.IBMJCEFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.i5os.jsse.JSSEProvider security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11 security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=com.ibm.security.cmskeystore.CMSProvider security.provider.10=com.ibm.security.sasl.IBMSASL security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider security.provider.13=org.apache.harmony.security.provider.PolicyProvider
If you are using the Oracle JDK java.security file, you must change the second provider to a non-FIPS provider as shown in the following example.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 #security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.security.sasl.IBMSASL security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.10=sun.security.provider.Sun
In versions before 8.5.5.23, change the second provider to a non-FIPS provider as shown in the following example.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 #security.provider.2=com.ibm.crypto.plus.provider.IBMJCEFIPS security.provider.2=com.ibm.crypto.provider.IBMJCEPlus security.provider.3=com.ibm.security.jgss.IBMJGSSProvider security.provider.4=com.ibm.security.cert.IBMCertPath security.provider.5=com.ibm.security.sasl.IBMSASL security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=sun.security.provider.Sun
- Reduce the cipher suite level to Medium, if your cipher suite level is currently Strong.Note: You can change the cipher suite level for different levels of your environment such as the node or server level. Limit the change to the level of your environment where the change is necessary.
To change the cipher suite, see the cipher suite groups information within the quality of protection settings documentation. If you change the cipher suite level to Medium, save and synchronize the changes. If Global Security is enabled and the Dynamically update the run time when SSL configuration changes occur option is selected, you do not need to restart the server. However, if the option is not selected, you must restart the server for the changes to be effective. The Dynamically update the run time when SSL configuration changes occur option is available within the administrative console on the SSL certificate and key management panel. To access the pane, click .
- Install security level 3 FMID JCPT3A1 for the z/OS®
operating systems.
Security Level 3 FMID JCPT3A1 is the z/OS operating system implementation of the FIPS 140-2 approved cryptographic providers.