FIPSCommands command group for the AdminTask object

You can use the Jython or Jacl scripting languages to configure Federal Information Processing Standards (FIPS) with the wsadmin tool.

The FIPSCommands command group for the AdminTask object includes the following commands:

enableFips

The enableFips command enables FIPS at a specified security level, or disables it.

Target object

None.

Required parameters

-enableFips
If this flag is set to true, FIPS is enabled at the security level specified by the other parameters. If the flag is set to false, FIPS is disabled and the other parameters are ignored. The value of this parameter is set on the com.ibm.security.useFIPS security custom property. (Boolean, required)

Optional parameters

-fipsLevel
Specifies the level of the security standard to use. There is no default value. (String, optional) Valid values are:
FIPS140-2
If this value is set, the system is configured to comply with FIPS 140-2 mode.
transition
If this value is set, the system is configured to comply with SP800-131 transition mode.
SP800-131
If this value is set, the system is configured to comply with SP800-131 strict mode.

The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.

Either fipsLevel or suiteBLevel must be specified.

-suiteBLevel
Specifies the Suite B level to use. There is no default value. The value provided is set on the com.ibm.websphere.security.suiteb security custom property. (String, optional)
Valid values are:
  • 128 - if this value is set, the system is configured to comply with Suite B 128.
  • 192 - if this value is set, the system is configured to comply with Suite B 192.
-protocol
Sets the protocol for the Secure Sockets Layer (SSL) configuration. This parameter is used only when -fipsLevel is set to transition; for the other fipsLevel values the SSL protocol is already defined by the specification. Valid values for transition are TLS, TLSv1.1 and TLSv1.2. Note that the administrative console only offers TLS and TLSv1.2 as values; TLSv1.1 can be specified on the command line. (String, optional)

Return values:

True (success) or false (failure). If false, the reason for the failure is logged in SystemOut.log.

Examples

getFipsInfo

The getFipsInfo command returns an attributeList with the FIPS settings: fipsEnabled, fipsLevel and suiteBLevel.

Target object

None.

Required parameters

None.

Return value:

The getFipsInfo command returns an attributeList with the FIPS settings. If FIPS is disabled, fipsLevel and suiteBLevel are empty strings. For example:

Table 1. Security mode and FIPS level. The security mode and the corresponding return values from getFipsInfo.

Security mode             Return values from getFipsInfo
FIPS not enabled          fipsEnabled=false
                          fipsLevel=(empty string)
                          suiteBLevel=(empty string)

FIPS140-2                 fipsEnabled=true
                          fipsLevel=FIPS140-2
                          suiteBLevel=(empty string)

SP800-131 - Transition    fipsEnabled=true
                          fipsLevel=transition
                          suiteBLevel=(empty string)

SP800-131 - Strict        fipsEnabled=true
                          fipsLevel=SP800-131
                          suiteBLevel=(empty string)

Suite B 128               fipsEnabled=true
                          fipsLevel=(empty string)
                          suiteBLevel=128

Suite B 192               fipsEnabled=true
                          fipsLevel=(empty string)
                          suiteBLevel=192

Examples
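Added example (not IBM's code; the original topic gives no example here): a Python helper that applies the enableFips parameter rules above and predicts, from Table 1, the getFipsInfo values a script should see after the change succeeds. It assumes fipsLevel and suiteBLevel are mutually exclusive, as Table 1 implies, and that the returned parameter string is passed to AdminTask.enableFips by a separate wsadmin call.

```python
# Added example, not part of the IBM topic: builds a validated parameter
# string for enableFips (passed to AdminTask.enableFips(...) in wsadmin Jython)
# and predicts what getFipsInfo should report afterwards, from Table 1.
# Assumption: fipsLevel and suiteBLevel are mutually exclusive, as Table 1 implies.

FIPS_LEVELS = ("FIPS140-2", "transition", "SP800-131")
SUITE_B_LEVELS = ("128", "192")
TRANSITION_PROTOCOLS = ("TLS", "TLSv1.1", "TLSv1.2")


def enable_fips_params(enable, fips_level=None, suite_b_level=None, protocol=None):
    """Return the wsadmin parameter string for enableFips, or raise ValueError."""
    if not enable:
        # -enableFips false: every other parameter is ignored, so emit none.
        return "[-enableFips false]"
    if (fips_level is None) == (suite_b_level is None):
        raise ValueError("specify exactly one of fipsLevel or suiteBLevel")
    parts = ["-enableFips true"]
    if fips_level is not None:
        if fips_level not in FIPS_LEVELS:
            raise ValueError("fipsLevel must be one of %s" % (FIPS_LEVELS,))
        parts.append("-fipsLevel %s" % fips_level)
    else:
        if suite_b_level not in SUITE_B_LEVELS:
            raise ValueError("suiteBLevel must be 128 or 192")
        parts.append("-suiteBLevel %s" % suite_b_level)
    if protocol is not None:
        # -protocol only applies to SP800-131 transition mode; the other
        # levels have their SSL/TLS protocol fixed by the specification.
        if fips_level != "transition":
            raise ValueError("-protocol is only valid with fipsLevel=transition")
        if protocol not in TRANSITION_PROTOCOLS:
            raise ValueError("protocol must be one of %s" % (TRANSITION_PROTOCOLS,))
        parts.append("-protocol %s" % protocol)
    return "[%s]" % " ".join(parts)


def expected_fips_info(enable, fips_level=None, suite_b_level=None):
    """The getFipsInfo values Table 1 predicts after a successful enableFips."""
    if not enable:
        return {"fipsEnabled": "false", "fipsLevel": "", "suiteBLevel": ""}
    return {"fipsEnabled": "true",
            "fipsLevel": fips_level or "",
            "suiteBLevel": suite_b_level or ""}


def fips_info_matches(actual, enable, fips_level=None, suite_b_level=None):
    """Compare a getFipsInfo result (as a dict) with the expected values."""
    return actual == expected_fips_info(enable, fips_level, suite_b_level)
```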

listCertStatusForSecurityStandard

The listCertStatusForSecurityStandard command returns all certificates used by SSL configuration and plug-ins, and states whether they comply with the requested security level.

Target object

None.

Required parameters

None.

Optional parameters

-fipsLevel
Specifies the level of the security standard to check against. There is no default value. (String, optional) Valid values are:
FIPS140-2
If this value is set, the system is configured to comply with FIPS 140-2 mode.
transition
If this value is set, the system is configured to comply with SP800-131 transition mode.
SP800-131
If this value is set, the system is configured to comply with SP800-131 strict mode.

The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.

Either fipsLevel or suiteBLevel must be specified.

-suiteBLevel
Specifies the Suite B level to check against. There is no default value. The value provided is set on the com.ibm.websphere.security.suiteb security custom property. (String, optional)
Valid values are:
  • 128 - if this value is set, the system is configured to comply with Suite B 128.
  • 192 - if this value is set, the system is configured to comply with Suite B 192.

Return value:

An attributeList with three keys: CAN_NOT_CONVERT, CAN_CONVERT, and MEET_SECURITY_LEVEL. For each key, a list of attributeLists is returned. Each attributeList contains the certificate information: keystore, managementScope, alias and reason. For example:
{conversionStatus=CAN_NOT_CONVERT
   certificateInfo = { keystore = <keystore name>
                       managementScope = <managementScope>
                       alias = <certificate alias>
                       reason = <reason why certificate can not be converted>
                     } ...
{conversionStatus=CAN_CONVERT
   certificateInfo = { keystore = <keystore name>
                       managementScope = <managementScope>
                       alias = <certificate alias>
                       reason = empty when certificate can be converted
                     } ...
{conversionStatus=MEET_SECURITY_LEVEL
   certificateInfo = { keystore = <keystore name>
                       managementScope = <managementScope>
                       alias = <certificate alias>
                       reason = empty when certificate already meets security level
                     } ...

Examples

convertCertForSecurityStandard

The convertCertForSecurityStandard command converts all certificates used by SSL configuration and plug-ins.

Target object

None.

Required parameters

None.

Optional parameters

-fipsLevel
Specifies the level of the security standard to convert to. There is no default value. (String, optional) Valid values are:
FIPS140-2
If this value is set, the system is configured to comply with FIPS 140-2 mode.
transition
If this value is set, the system is configured to comply with SP800-131 transition mode.
SP800-131
If this value is set, the system is configured to comply with SP800-131 strict mode.

The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.

Either fipsLevel or suiteBLevel must be specified.

-suiteBLevel
Specifies the Suite B level to convert to. There is no default value. The value provided is set on the com.ibm.websphere.security.suiteb security custom property. (String, optional)
Valid values are:
  • 128 - if this value is set, the system is configured to comply with Suite B 128.
  • 192 - if this value is set, the system is configured to comply with Suite B 192.
-signatureAlgorithm
Checks whether the signatureAlgorithm is compliant with the fipsLevel and suiteBLevel. If it is compliant, the signatureAlgorithm is used to convert the certificates; if not, a compliant signature algorithm is used instead. (String, required)
-keySize
Checks whether the keySize is compliant with the fipsLevel and suiteBLevel. If it is compliant, the keySize is used to convert the certificates; if not, the minimum value for the signature algorithm is used.

Return value:

{conversionStatus=CAN_NOT_CONVERT
   certificateInfo = { keystore = <keystore name>
                       managementScope = <managementScope>
                       alias = <certificate alias>
                       reason = <reason why certificate can not be converted>
                     } ...
{conversionStatus=MEET_SECURITY_STANDARD
   certificateInfo = { keystore = <keystore name>
                       managementScope = <managementScope>
                       alias = <certificate alias>
                       reason = empty when certificate meets security standard
                     } ...

Examples
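Added example (not IBM's code; the original topic gives no example here): a Python parser for the result layout shown for listCertStatusForSecurityStandard and for convertCertForSecurityStandard above, which groups the certificates by conversionStatus and lists the ones that cannot be converted, the entries that need manual attention before the level can be enforced. The sample text is constructed to follow the page's illustration; the exact whitespace of real wsadmin output, and the keystore, scope and alias names, are assumptions.

```python
# Added example, not part of the IBM topic: parses the result layout shown for
# listCertStatusForSecurityStandard and convertCertForSecurityStandard and
# reports the certificates that cannot be converted. SAMPLE_STATUS is
# constructed from the page's illustration; names and whitespace are made up.
import re

SAMPLE_STATUS = """
{conversionStatus=CAN_NOT_CONVERT
   certificateInfo = { keystore = CellDefaultKeyStore
                       managementScope = (cell):cell01
                       alias = legacy-signer
                       reason = Signer certificate is not managed by this cell
                     } ...
{conversionStatus=CAN_CONVERT
   certificateInfo = { keystore = NodeDefaultKeyStore
                       managementScope = (cell):cell01:(node):node01
                       alias = default
                       reason =
                     } ...
{conversionStatus=MEET_SECURITY_LEVEL
   certificateInfo = { keystore = CellDefaultKeyStore
                       managementScope = (cell):cell01
                       alias = root
                       reason =
                     } ...
"""

FIELDS = ("keystore", "managementScope", "alias", "reason")
_NAMES = "|".join(FIELDS)
# One entry: a conversionStatus followed by the braced certificateInfo block.
_ENTRY = re.compile(r"conversionStatus\s*=\s*(\w+)\s*certificateInfo\s*=\s*\{(.*?)\}", re.S)
# One field: "name = value", where the value runs up to the next field name.
_FIELD = re.compile(r"(%s)\s*=\s*(.*?)(?=\s+(?:%s)\s*=|\Z)" % (_NAMES, _NAMES), re.S)


def parse_cert_status(text):
    """Return {conversionStatus: [{keystore, managementScope, alias, reason}, ...]}."""
    result = {}
    for status, body in _ENTRY.findall(text):
        info = dict.fromkeys(FIELDS, "")
        for name, value in _FIELD.findall(body):
            info[name] = value.strip()
        result.setdefault(status, []).append(info)
    return result


def blocking_certs(text):
    """(keystore, alias, reason) for every certificate the command cannot convert."""
    return [(c["keystore"], c["alias"], c["reason"])
            for c in parse_cert_status(text).get("CAN_NOT_CONVERT", [])]
```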




Related tasks
Creating self-signed certificates using scripting
Adding a signer certificate to a keystore
Using the wsadmin scripting AdminTask object for scripted administration
Configuring security with scripting
Related reference
ManagementScopeCommands command group for the AdminTask object
Using wsadmin scripting with Jython
Last updated: Feb 5, 2014 9:49:51 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=rxml_fipscommands