Configuring WebSphere eXtreme Scale to use FIPS 140-2

Federal Information Processing Standard (FIPS) 140-2 specifies required levels of encryption for Transport Layer Security/Secure Sockets Layer (TLS/SSL). This standard ensures high protection of data as it is sent over the wire.

Before you begin

About this task

You can use the following steps to configure the catalog servers and container servers in your WebSphere eXtreme Scale stand-alone installation to use FIPS.

If you are using WebSphere eXtreme Scale integrated with WebSphere Application Server, the catalog servers and container servers inherit the security properties from the application server. For more information about configuring FIPS with WebSphere Application Server, see Configuring Federal Information Processing Standard Java Secure Socket Extension files. When a catalog server runs in WebSphere Application Server, some of the communication is controlled by the server.properties file. Update the server.properties file to contain the same properties that are required for stand-alone catalog servers.

Procedure

  1. Edit the java.security file. The location of the java.security file depends on your Java virtual machine (JVM) configuration:
    • If you are using the default JVM that ships with the product, the file is in the wxs_install_root/java/jre/lib/security directory.
    • If you are using a different JVM, edit the file in the java_home/jre/lib/security directory.
    The file must contain the following text:
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.security.sasl.IBMSASL
    security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.9=org.apache.harmony.security.provider.PolicyProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  2. Edit the server properties files for the catalog server and container servers.
    These files must contain the following properties and values:
    contextProvider=IBMJSSE2
    transportType=SSL-Required
    For more information about server properties, see Server properties file.
  3. Configure key pairs that use the RSA key generation algorithm in the key ring for the catalog server and container servers. The minimum key length is 1024 bits.
  4. Restart your catalog and container servers.
    When you start the catalog servers, you must specify a Java virtual machine (JVM) argument that enables the FIPS provider. The argument you use depends on which version of Java SE you are using.
    • For Java 5 and Java 6 up to SR 9, specify the -Dcom.ibm.jsse2.JSSEFIPS=true argument when you start the server.
    • For Java 6 SR 10 and later, or Java 7, specify the -Dcom.ibm.jsse2.usefipsprovider=true argument when you start the server.
    For more information, see Starting and stopping secure servers.
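The following is an added example, not part of the IBM documentation or the product itself, that checks the settings from the four steps above before a restart: it reads a java.security provider list and confirms that IBMJCEFIPS sits at position 1 (the provider at the top of the precedence order is the one the JVM selects, so a FIPS configuration with the non-FIPS IBMJCE first is silently not FIPS), verifies the two server.properties values, applies the 1024-bit RSA minimum, and selects the JVM argument for a given Java SE level and service release. The file contents below are constructed samples; the function names are the example's own.

```python
"""Pre-restart check for the WebSphere eXtreme Scale FIPS procedure.

Added example: validates java.security provider order, the two required
server.properties values, the RSA key-length minimum, and the JVM argument
per Java SE level. All sample file contents are constructed, not taken from
a real installation.
"""
import re

# Provider precedence the procedure requires in java.security, in order.
EXPECTED_PROVIDERS = [
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
    "com.ibm.jsse2.IBMJSSEProvider2",
    "com.ibm.crypto.provider.IBMJCE",
    "com.ibm.security.jgss.IBMJGSSProvider",
    "com.ibm.security.cert.IBMCertPath",
    "com.ibm.security.sasl.IBMSASL",
    "com.ibm.xml.crypto.IBMXMLCryptoProvider",
    "com.ibm.xml.enc.IBMXMLEncProvider",
    "org.apache.harmony.security.provider.PolicyProvider",
    "com.ibm.security.jgss.mech.spnego.IBMSPNEGO",
]

# Values step 2 requires in the catalog and container server.properties.
REQUIRED_SERVER_PROPS = {"contextProvider": "IBMJSSE2", "transportType": "SSL-Required"}

MIN_RSA_BITS = 1024  # step 3: minimum RSA key length


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value; '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def provider_list(props):
    """Providers ordered by their security.provider.N index (precedence order)."""
    entries = []
    for key, value in props.items():
        m = re.fullmatch(r"security\.provider\.(\d+)", key)
        if m:
            entries.append((int(m.group(1)), value))
    return [value for _, value in sorted(entries)]


def check_java_security(text):
    """Findings for java.security; an empty list means it matches step 1."""
    providers = provider_list(parse_properties(text))
    findings = []
    if not providers or providers[0] != EXPECTED_PROVIDERS[0]:
        findings.append("security.provider.1 must be IBMJCEFIPS so the FIPS provider takes precedence")
    if providers != EXPECTED_PROVIDERS:
        findings.append("provider list differs from the required order")
    return findings


def check_server_properties(text):
    """Findings for server.properties; an empty list means it matches step 2."""
    props = parse_properties(text)
    return [
        f"{key}={props.get(key)!r}, expected {want!r}"
        for key, want in REQUIRED_SERVER_PROPS.items()
        if props.get(key) != want
    ]


def check_rsa_key_length(bits):
    """True when an RSA key in the key ring meets the step 3 minimum."""
    return bits >= MIN_RSA_BITS


def fips_jvm_argument(java_major, service_release=0):
    """JVM argument from step 4, keyed on Java SE level and service release."""
    if java_major == 5 or (java_major == 6 and service_release <= 9):
        return "-Dcom.ibm.jsse2.JSSEFIPS=true"
    if (java_major == 6 and service_release >= 10) or java_major == 7:
        return "-Dcom.ibm.jsse2.usefipsprovider=true"
    raise ValueError(f"Java {java_major} SR{service_release} is not covered by this procedure")


# Constructed samples: a correct java.security and one with IBMJCE listed first.
GOOD_JAVA_SECURITY = "\n".join(
    f"security.provider.{i}={p}" for i, p in enumerate(EXPECTED_PROVIDERS, start=1)
)
_SWAPPED = [EXPECTED_PROVIDERS[2], EXPECTED_PROVIDERS[1], EXPECTED_PROVIDERS[0]] + EXPECTED_PROVIDERS[3:]
BAD_JAVA_SECURITY = "\n".join(
    f"security.provider.{i}={p}" for i, p in enumerate(_SWAPPED, start=1)
)
# Constructed server.properties: complete, and one that omits transportType.
GOOD_SERVER_PROPS = "# constructed sample\ncontextProvider=IBMJSSE2\ntransportType=SSL-Required\n"
BAD_SERVER_PROPS = "contextProvider=IBMJSSE2\n"

if __name__ == "__main__":
    print("java.security:", check_java_security(BAD_JAVA_SECURITY) or "OK")
    print("server.properties:", check_server_properties(BAD_SERVER_PROPS) or "OK")
    print("JVM argument for Java 6 SR10:", fips_jvm_argument(6, 10))
```

Point the parse functions at the real files (wxs_install_root/java/jre/lib/security/java.security or java_home/jre/lib/security/java.security, and each server's properties file) by reading them into the text argument; the order check deliberately reports both a wrong first entry and any other deviation from the list, since a provider list that merely contains IBMJCEFIPS somewhere lower down does not give it precedence.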