[Version 5.0.2 and later] Configuring Federal Information Processing Standard Java Secure Socket Extension files

Why and when to perform this task

The Federal Information Processing Standard (FIPS)-approved Java Secure Socket Extension (JSSE) provider offers increased data encryption capabilities. FIPS-approved JSSE providers support Data Encryption Standard (DES) or Triple DES with at least 56 bits of encryption. Although this additional encryption capability is available, you must use Transport Layer Security (TLS) rather than Secure Sockets Layer (SSL): FIPS-approved JSSE files are not backwards-compatible, and SSL is not FIPS-approved. If the server uses TLS, a client using SSL cannot communicate with the server. Therefore, use FIPS-approved JSSE providers only if all of your servers and clients are running WebSphere Application Server, Version 5.0.2 or later, because this is the first version that supports FIPS.

Note: The IBMJSSEFIPS and IBMJCEFIPS providers underwent FIPS 140-2 certification. For more information on the FIPS certification process, see the Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List Web site.

If you create your own encryption configurations and enable FIPS, you must add a FIPS-approved JSSE to all of your server and client configurations.

To configure the WebSphere Application Server to use IBMJSSEFIPS and IBMJCEFIPS providers, complete the following steps using the administrative console:

Steps for this task

  1. Click Security > Global Security.
  2. Select the Use FIPS check box and click OK.
    IBMJCEFIPS is enabled. However, IBMJSSEFIPS is not configured until you complete the remaining steps.
  3. Click Security > SSL.
  4. Click the name of your SSL configuration or click New to create a new configuration.
    For more information on SSL configurations, see Creating a Secure Sockets Layer repertoire configuration entry.
  5. Select High from the Security Level menu.
    This action sets the encryption strength to 56 bits and higher.
  6. Indicate which JSSE FIPS provider to use.
    Do one of the following actions:
    • Select IBMJSSEFIPS from the Provider menu and select Predefined JSSE provider. For a list of providers that were previously configured, click Custom Properties under Additional Properties.
    • Type the name of your custom JSSE FIPS provider and select Custom JSSE provider. To create a custom JSSE FIPS provider, click Custom Properties > New under Additional Properties. After configuring your custom FIPS-approved provider, return to the SSL Configuration Repertoires panel for your SSL configuration and enter the name in the Provider field.
  7. Select the TLS or TLSV1 option from the Protocol menu.
    To use a FIPS-approved JSSE, you must choose either the TLS or TLSV1 option. SSL protocol is not FIPS-approved. After you select the protocol, the corresponding custom property value is updated for com.ibm.ssl.protocol. You can view this updated property value under Custom Properties after you click Apply or OK.
  8. Click OK.
  9. If you have a Java client that must access enterprise beans, modify the install_dir/properties/sas.client.props file to comment out the SSL protocol and add the Transport Layer Security (TLS) protocol.
    To change the protocol to TLS, make the following changes to the install_dir/properties/sas.client.props file (the commented-out line shows the original SSL setting):
    #com.ibm.ssl.protocol=SSL
    com.ibm.ssl.protocol=TLS
  10. If the server uses a FIPS-approved provider for the CSIv2/SAS protocol, add IBMJSSEFIPS as the contextProvider and TLS as the protocol to the install_dir/properties/sas.client.props file on the application client.
    In the install_dir/properties/sas.client.props file, add the following information:
    com.ibm.ssl.contextProvider=IBMJSSEFIPS
    com.ibm.ssl.protocol=TLS
  11. If the server-side SOAP connector configuration uses a FIPS-approved IBMJSSEFIPS provider, add com.ibm.fips.jsse.JSSESocketFactory as the provider and IBMJSSEFIPS as the contextProvider in the install_dir/properties/soap.client.props file on the administrative client.
    In the install_dir/properties/soap.client.props file, add the following information:
    ssl.SocketFactory.provider=com.ibm.fips.jsse.JSSESocketFactory
    com.ibm.ssl.contextProvider=IBMJSSEFIPS
  12. Verify that a FIPS-approved configuration is specified correctly throughout the administrative console.
    Verify the configuration settings in the following panels:
    • Click Servers > Application Servers > server_name. Under Additional properties, click Administration Services > JMX Connectors > SOAPConnector > Custom Properties > sslConfig.
    • Click Servers > Application Servers > server_name. Under Additional properties, click Web Container > HTTP Transport.
    • Click Environment > Virtual Hosts > host_name. Under Additional properties, click Host Aliases > <alias_name>.
    • Click Applications > Enterprise Applications > application_name. Under Additional properties, click Map virtual hosts for web modules.
    • Click Security > User Registries > LDAP.
    • Click Applications > Enterprise Applications > application_name. Under Related Items, click Web Module > URI_file_name > Web Services: Client Security Bindings. Verify the configuration settings listed under HTTP Basic Authentication and HTTP SSL Authentication.
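The client-side edits in steps 9 to 11 are easy to get wrong: an active com.ibm.ssl.protocol=SSL line that is left in place wins over a commented-out one, and the provider line must land in the right file. The following Python script is an added example, not part of WebSphere Application Server or of this page. It parses a client .props file, reports which of the settings required by steps 9 to 11 are missing or wrong, and rewrites the file the way those steps describe (commenting out the conflicting line and appending the required values). The required keys and values are exactly those listed in steps 9 to 11; the sample file contents are constructed excerpts, not the files shipped with the product.

```python
"""Check and fix WebSphere client .props files for the FIPS-approved JSSE setup.

Added example, not part of WebSphere Application Server or the IBM page.
The required keys and values are the ones steps 9 to 11 above tell you to
put in sas.client.props and soap.client.props; the sample file contents
are constructed for illustration.
"""
import re

# Settings that steps 9 to 11 require, per file.
REQUIRED = {
    "sas.client.props": {
        "com.ibm.ssl.protocol": "TLS",
        "com.ibm.ssl.contextProvider": "IBMJSSEFIPS",
    },
    "soap.client.props": {
        "ssl.SocketFactory.provider": "com.ibm.fips.jsse.JSSESocketFactory",
        "com.ibm.ssl.contextProvider": "IBMJSSEFIPS",
    },
}

# key[=|:]value with optional surrounding whitespace; key may not start with # or !
_KV = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")


def _is_comment(line):
    return line.lstrip().startswith(("#", "!"))


def parse_props(text):
    """Return the active (uncommented) key/value pairs of a Java .props file.

    Later definitions win, as in java.util.Properties. Backslash escapes and
    continuation lines are not used in these files and are not handled.
    """
    props = {}
    for line in text.splitlines():
        if not line.strip() or _is_comment(line):
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_props(filename, text):
    """Return findings for one file; an empty list means it matches steps 9 to 11."""
    props = parse_props(text)
    findings = []
    for key, want in REQUIRED[filename].items():
        got = props.get(key)
        if got is None:
            findings.append(f"{filename}: {key} is not set (want {want})")
        elif got != want:
            findings.append(f"{filename}: {key}={got} (want {want})")
    return findings


def fix_props(filename, text):
    """Return the file text with conflicting active lines commented out and
    any missing required line appended, as the manual steps describe.

    Commenting out (rather than deleting) keeps the old value visible, and
    appending after all existing lines guarantees the new value wins even if
    an active duplicate was missed. The function is idempotent.
    """
    required = REQUIRED[filename]
    out = []
    for line in text.splitlines():
        m = _KV.match(line)
        conflicting = (
            m is not None
            and not _is_comment(line)
            and m.group(1) in required
            and m.group(2) != required[m.group(1)]
        )
        out.append("#" + line if conflicting else line)
    present = parse_props("\n".join(out))
    for key, want in required.items():
        if present.get(key) != want:
            out.append(f"{key}={want}")
    return "\n".join(out) + "\n"


# Constructed excerpts standing in for install_dir/properties/*.props;
# they are not the files shipped with the product.
SAMPLE_SAS = """\
# sas.client.props (constructed excerpt)
com.ibm.CORBA.securityEnabled=true
com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStore=etc/DummyClientKeyFile.jks
"""

SAMPLE_SOAP = """\
# soap.client.props (constructed excerpt)
com.ibm.SOAP.securityEnabled=true
"""


if __name__ == "__main__":
    for name, text in (("sas.client.props", SAMPLE_SAS), ("soap.client.props", SAMPLE_SOAP)):
        for finding in check_props(name, text):
            print("before:", finding)
        fixed = fix_props(name, text)
        print(f"after: {name} findings={check_props(name, fixed)}")
        print(fixed)
```

Run check_props against the real files under install_dir/properties after editing them by hand; an empty result for both files means the client side matches steps 9 to 11. Note that the script only verifies the two property files; whether the server-side repertoire actually uses IBMJSSEFIPS is confirmed in the administrative console as described in step 12.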

Results

After completing these steps, a FIPS-approved JSSE provides increased encryption capabilities. However, when you use FIPS-approved providers, consider the following points:

Note: If you select Use FIPS on the Global Security panel while at least one SSL configuration on the SSL Configuration Repertoires panel does not use a FIPS-approved JSSE provider, the following error message is displayed at the top of the Global Security panel:

The security policy is set to use only FIPS-approved cryptographic
algorithms. However at least one SSL configuration may not be using a 
FIPS-approved JSSE provider. FIPS-approved cryptographic algorithms 
may not be used in those cases.

Note: If you use the FIPS-approved JSSE provided with WebSphere Application Server, you must choose IBMJSSEFIPS from the Provider menu on the SSL Configuration Repertoires panel. Otherwise, the following message is displayed at the top of the panel:

"Use FIPS" is enabled, but the SSL provider is not IBMJSSEFIPS. 
FIPS approved cryptographic algorithms may not be used.


Related tasks
Configuring Secure Sockets Layer
Related reference
Global security settings
Related topics
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List



Searchable topic ID:   tsec_fips
Last updated: Jun 21, 2007 4:55:42 PM CDT    WebSphere Application Server Network Deployment, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_fips.html
