Why and when to perform this task
The Federal Information Processing Standard (FIPS)-approved Java Secure Socket Extension (JSSE) provider has increased data encryption capabilities. FIPS-approved JSSE providers support Data Encryption Standard (DES) or Triple DES with at least 56-bit encryption. Although this additional encryption capability is available, you must use Transport Layer Security (TLS) and not Secure Sockets Layer (SSL), because FIPS-approved JSSE files are not backwards-compatible and SSL is not FIPS-approved. If the server uses TLS, a client using SSL cannot communicate with the server. Thus, use FIPS-approved JSSE providers if your servers and clients are using WebSphere Application Server, Version 5.0.2 or later, as this version supports FIPS.
Note: The IBMJSSEFIPS and IBMJCEFIPS providers underwent FIPS 140-2 certification. For more information on the FIPS certification process, see the Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List Web site.
If you create your own encryption configurations and enable FIPS, you must add a FIPS-approved JSSE provider to all of your server and client configurations.
To configure WebSphere Application Server to use the IBMJSSEFIPS and IBMJCEFIPS providers, complete the following steps using the administrative console:
Steps for this task
    #com.ibm.ssl.protocol=SSL
    com.ibm.ssl.protocol=TLS
    com.ibm.ssl.contextProvider=IBMJSSEFIPS

    com.ibm.ssl.protocol=TLS
    ssl.SocketFactory.provider=com.ibm.fips.jsse.JSSESocketFactory
    com.ibm.ssl.contextProvider=IBMJSSEFIPS
Results
After completing these steps, a FIPS-approved JSSE provider supplies increased encryption capabilities. However, when you use FIPS-approved providers, consider the following points:
Note: If you select USE FIPS on the Global Security panel and select an SSL configuration on the SSL Configuration Repertoires panel, the following error message is displayed at the top of the Global Security panel:
The security policy is set to use only FIPS-approved cryptographic algorithms. However at least one SSL configuration may not be using a FIPS-approved JSSE provider. FIPS-approved cryptographic algorithms may not be used in those cases.
Note: If you use the FIPS-approved JSSE provided with WebSphere Application Server, you must choose IBMJSSEFIPS from the Provider menu on the SSL Configuration Repertoires panel. Otherwise, the following message is displayed at the top of the panel:
"Use FIPS" is enabled, but the SSL provider is not IBMJSSEFIPS. FIPS approved cryptographic algorithms may not be used.
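As an added example (not part of the IBM documentation), the following Java check reads a WebSphere client properties file, reports any setting that disagrees with the property values shown in the steps above, and verifies that the IBMJSSEFIPS provider is registered in the running JVM, which is the mismatch the console messages above warn about. The class name, the command-line file argument and the treatment of ssl.SocketFactory.provider as optional are assumptions.

```java
// Added example, not IBM code: validate client properties against the FIPS settings.
import java.io.FileReader;
import java.io.IOException;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class FipsClientPropsCheck {

    /** Returns findings; an empty list means the properties match the FIPS configuration. */
    static List<String> check(Properties p) {
        List<String> findings = new ArrayList<>();
        String protocol = p.getProperty("com.ibm.ssl.protocol", "").trim();
        String provider = p.getProperty("com.ibm.ssl.contextProvider", "").trim();
        String factory = p.getProperty("ssl.SocketFactory.provider", "").trim();

        // SSL is not FIPS-approved, and an SSL client cannot talk to a TLS-only server.
        if (!"TLS".equals(protocol)) {
            findings.add("com.ibm.ssl.protocol is '" + protocol + "', expected TLS");
        }
        // Without IBMJSSEFIPS the FIPS-approved algorithms are not used even with Use FIPS enabled.
        if (!"IBMJSSEFIPS".equals(provider)) {
            findings.add("com.ibm.ssl.contextProvider is '" + provider + "', expected IBMJSSEFIPS");
        }
        // Treated as optional (assumption): only flag it when present with a different value.
        if (!factory.isEmpty() && !"com.ibm.fips.jsse.JSSESocketFactory".equals(factory)) {
            findings.add("ssl.SocketFactory.provider is '" + factory
                    + "', expected com.ibm.fips.jsse.JSSESocketFactory");
        }
        // The provider must be installed in this JVM; getProvider returns null when it is not.
        if (Security.getProvider("IBMJSSEFIPS") == null) {
            findings.add("IBMJSSEFIPS provider is not registered in this JVM");
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Usage (assumed): java FipsClientPropsCheck <client properties file>
        Properties p = new Properties();
        try (FileReader r = new FileReader(args[0])) {
            p.load(r);   // commented lines such as #com.ibm.ssl.protocol=SSL are ignored
        }
        List<String> findings = check(p);
        if (findings.isEmpty()) {
            System.out.println(args[0] + ": FIPS settings OK");
            return;
        }
        for (String f : findings) System.out.println(args[0] + ": " + f);
        System.exit(1);
    }
}
```

Run it against each client properties file before enabling Use FIPS on the Global Security panel; a non-zero exit identifies the file whose settings would trigger the warnings above.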