You can use the Jython or Jacl scripting languages to configure Federal Information Processing Standards (FIPS) with the wsadmin tool. The commands in this group are enableFips, getFipsInfo, listCertStatusForSecurityStandard and convertCertForSecurityStandard.

The enableFips command enables or disables FIPS and sets the security level: FIPS 140-2, SP 800-131 (transition or strict), or Suite B (128 or 192).

Target object
None.

Required parameters
-enableFips
Specifies whether FIPS is enabled (true) or disabled (false).

Optional parameters
-fipsLevel
Specifies the security level: FIPS140-2, transition (SP 800-131 transition mode) or SP800-131 (SP 800-131 strict mode). The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.
-suiteBLevel
Specifies the Suite B level: 128 or 192.
Either fipsLevel or suiteBLevel must be specified.

Return values:
True (success) or false (fail). If false, the reason for the failure is logged in SystemOut.log.

Examples
```
wsadmin>$AdminTask enableFips {-enableFips true -fipsLevel transition}
true
```
The getFipsInfo command returns an attributeList with the current FIPS settings: fipsEnabled, fipsLevel and suiteBLevel.

Target object
None.

Required parameters
None.

Return value:
An attributeList with the keys fipsEnabled, fipsLevel and suiteBLevel. If FIPS is disabled, fipsLevel and suiteBLevel are empty strings. The values returned for each security mode are:

Security mode | Return values from getFipsInfo
---|---
FIPS not enabled | fipsEnabled=false, fipsLevel="", suiteBLevel=""
FIPS140-2 | fipsEnabled=true, fipsLevel=FIPS140-2, suiteBLevel=""
SP800-131 - Transition | fipsEnabled=true, fipsLevel=transition, suiteBLevel=""
SP800-131 - Strict | fipsEnabled=true, fipsLevel=SP800-131, suiteBLevel=""
Suite B 128 | fipsEnabled=true, fipsLevel=SP800-131, suiteBLevel=128
Suite B 192 | fipsEnabled=true, fipsLevel=SP800-131, suiteBLevel=192

Examples
The following output corresponds to SP 800-131 strict mode (fipsLevel is set and suiteBLevel is empty):
```
wsadmin>$AdminTask getFipsInfo
{fipsEnabled true} {fipsLevel SP800-131} {suiteBLevel {}}
```
The listCertStatusForSecurityStandard command returns all certificates used by the SSL configuration and by plug-ins, and states whether each one complies with the requested security level. Run it before you change the level: a certificate listed under CAN_NOT_CONVERT cannot be fixed by convertCertForSecurityStandard and needs attention first.

Target object
None.

Required parameters
None.

Optional parameters
-fipsLevel
Specifies the security level to check against: FIPS140-2, transition or SP800-131. The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.
-suiteBLevel
Specifies the Suite B level to check against: 128 or 192.
Either fipsLevel or suiteBLevel must be specified.

Return value:
An attributeList with three keys: CAN_NOT_CONVERT, CAN_CONVERT and MEET_SECURITY_STANDARD. Each key holds a list of attributeLists, one per certificate, giving the certificate's keystore, managementScope, alias and reason:
```
{conversionStatus=CAN_NOT_CONVERT
 certificateInfo = { keystore = <keystore name>
                     managementScope = <managementScope>
                     alias = <certificate alias>
                     reason = <reason why certificate can not be converted>
                   } ...
}
{conversionStatus=CAN_CONVERT
 certificateInfo = { keystore = <keystore name>
                     managementScope = <managementScope>
                     alias = <certificate alias>
                     reason = <what must change for the certificate to comply; the convert command can make the change>
                   } ...
}
{conversionStatus=MEET_SECURITY_STANDARD
 certificateInfo = { keystore = <keystore name>
                     managementScope = <managementScope>
                     alias = <certificate alias>
                     reason = empty when certificate already meets security level
                   } ...
}
```

Examples
Both node certificates are RSA-signed, and Suite B 128 requires ECDSA signatures, so they are reported as convertible but not yet compliant:
```
wsadmin>$AdminTask listCertStatusForSecurityStandard {-fipsLevel SP800-131 -suiteBLevel 128}
{CAN_CONVERT {{keystore NodeDefaultKeyStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias default} {reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} {keystore NodeDefaultRootStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias root} {reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }} }} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {}}
```
The convertCertForSecurityStandard command converts all certificates used by the SSL configuration and by plug-ins so that they comply with the requested security level.

Target object
None.

Required parameters
None.

Optional parameters
-fipsLevel
Specifies the target security level: FIPS140-2, transition or SP800-131. The value provided is set on the com.ibm.websphere.security.FIPSLevel security custom property.
-suiteBLevel
Specifies the target Suite B level: 128 or 192.
Either fipsLevel or suiteBLevel must be specified.
-signatureAlgorithm
Specifies the signature algorithm for the converted certificates, for example SHA256withRSA.
-keySize
Specifies the key size, in bits, for the converted certificates, for example 2048.

Return value:
An attributeList with the same keys as listCertStatusForSecurityStandard. Certificates that were converted, or that already complied, are listed under MEET_SECURITY_STANDARD; certificates that could not be converted are listed under CAN_NOT_CONVERT together with the reason:
```
{conversionStatus=CAN_NOT_CONVERT
 certificateInfo = { keystore = <keystore name>
                     managementScope = <managementScope>
                     alias = <certificate alias>
                     reason = <reason why certificate can not be converted>
                   } ...
}
{conversionStatus=MEET_SECURITY_STANDARD
 certificateInfo = { keystore = <keystore name>
                     managementScope = <managementScope>
                     alias = <certificate alias>
                     reason = empty when certificate meets security standard
                   } ...
}
```

Examples
```
wsadmin>$AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -signatureAlgorithm SHA256withRSA -keySize 2048}
{CAN_CONVERT {}} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {{keystore NodeDefaultRootStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias root} {reason {}} {keystore NodeDefaultKeyStore} {managementScope (cell):testNode01Cell:(node):testNode01} {alias default} {reason {}} }}
```
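The Jacl examples above print their results as brace-delimited lists, and the same strings come back from the Jython AdminTask calls. The following script is an added example, not code from the IBM documentation: it parses the getFipsInfo output into a dict, parses listCertStatusForSecurityStandard and convertCertForSecurityStandard output into per-certificate records (grouping the flat run of keystore/managementScope/alias/reason pairs), maps the getFipsInfo result onto the security-mode table, and builds the ordered list of wsadmin Jython commands for a level change, refusing to proceed while CAN_NOT_CONVERT holds a certificate. The sample strings are constructed from the page's examples; the CellDefaultKeyStore "legacy" certificate and its reason text are hypothetical, as is the transition_plan helper and the wsadmin Jython `'[-param value ...]'` parameter syntax it assumes.

```python
# Added example, not from the IBM documentation: parse the brace-delimited attributeLists returned
# by getFipsInfo, listCertStatusForSecurityStandard and convertCertForSecurityStandard, then decide
# whether the level change can proceed. Runs under CPython and wsadmin's Jython 2.x (no f-strings).
# The SAMPLE_* strings are constructed from the page's examples, not captured from a live cell.
SAMPLE_FIPS_INFO = '{fipsEnabled true} {fipsLevel SP800-131} {suiteBLevel {}}'
_SUITE_B_REASON = ('{reason {Current SignatureAlgorithm is SHA256withRSA. SignatureAlgorithm needs '
                   'to be one of [SHA256withECDSA] to be compliant with SP 800-131 - Suite B 128. }}')
SAMPLE_CERT_STATUS = (
    '{CAN_CONVERT {{keystore NodeDefaultKeyStore} '
    '{managementScope (cell):testNode01Cell:(node):testNode01} {alias default} ' + _SUITE_B_REASON +
    ' {keystore NodeDefaultRootStore} '
    '{managementScope (cell):testNode01Cell:(node):testNode01} {alias root} ' + _SUITE_B_REASON +
    ' }} {CAN_NOT_CONVERT {}} {MEET_SECURITY_STANDARD {}}')
# Hypothetical keystore, alias and reason for a certificate the convert command cannot fix.
SAMPLE_BLOCKED_STATUS = (
    '{CAN_CONVERT {}} {CAN_NOT_CONVERT {{keystore CellDefaultKeyStore} '
    '{managementScope (cell):testNode01Cell} {alias legacy} '
    '{reason {Key size 1024 is below the 2048 minimum (constructed sample)}}}} '
    '{MEET_SECURITY_STANDARD {}}')


def parse_tcl_list(text):
    """Split a Jacl/Tcl-style list: braced elements lose only their outer braces, bare words stay."""
    items, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == '{':
            depth, j = 0, i
            while j < n:
                depth += {'{': 1, '}': -1}.get(text[j], 0)
                if depth == 0:
                    break
                j += 1
            if depth != 0:
                raise ValueError('unbalanced braces in wsadmin output')
            items.append(text[i + 1:j])
            i = j + 1
        elif text[i] == '}':
            raise ValueError('unbalanced braces in wsadmin output')
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{}':
                j += 1
            items.append(text[i:j])
            i = j
    return items


def _pairs(text):
    """'{k v} {k2 {v with spaces}} {k3 {}}' -> [('k', 'v'), ('k2', 'v with spaces'), ('k3', '')]"""
    out = []
    for element in parse_tcl_list(text):
        kv = parse_tcl_list(element)
        if kv:
            out.append((kv[0], kv[1].strip() if len(kv) > 1 else ''))
    return out


def parse_fips_info(output):
    """getFipsInfo output -> {'fipsEnabled': ..., 'fipsLevel': ..., 'suiteBLevel': ...}"""
    return dict(_pairs(output))


def parse_cert_status(output):
    """list/convertCertForSecurityStandard output -> {status_key: [cert_dict, ...]}; the
    pairs under each key arrive as one flat run, so every 'keystore' starts a new certificate."""
    status = {}
    for key, body in _pairs(output):
        certs, current = [], None
        for name, value in _pairs(body):
            if name == 'keystore' or current is None:
                current = {}
                certs.append(current)
            current[name] = value
        status[key] = certs
    return status


def security_mode(info):
    """Name the row of the getFipsInfo security-mode table that a parsed result matches."""
    if info.get('fipsEnabled', 'false').lower() != 'true':
        return 'FIPS not enabled'
    if info.get('suiteBLevel'):
        return 'Suite B %s' % info['suiteBLevel']
    names = {'FIPS140-2': 'FIPS140-2', 'transition': 'SP800-131 - Transition',
             'SP800-131': 'SP800-131 - Strict'}
    return names.get(info.get('fipsLevel', ''), info.get('fipsLevel', ''))


def blockers(status):
    """(keystore, alias, reason) for each certificate that must be replaced by hand."""
    return [(c.get('keystore', ''), c.get('alias', ''), c.get('reason', ''))
            for c in status.get('CAN_NOT_CONVERT', [])]


def transition_plan(status, level_args, cert_args=''):
    """Ordered wsadmin Jython calls for the level in level_args (e.g. '-fipsLevel SP800-131 -suiteBLevel
    128'), or [] while CAN_NOT_CONVERT is non-empty; cert_args carries -signatureAlgorithm/-keySize."""
    if blockers(status):
        return []
    plan = []
    if status.get('CAN_CONVERT'):
        plan.append("AdminTask.convertCertForSecurityStandard('[%s]')"
                    % ' '.join(a for a in (level_args, cert_args) if a))
    plan.append("AdminTask.enableFips('[-enableFips true %s]')" % level_args)
    plan.append('AdminConfig.save()')  # persist the configuration change
    return plan
```

Inside wsadmin (for example `wsadmin -lang jython -f check_fips.py`), replace the sample strings with the live results of `AdminTask.getFipsInfo()` and `AdminTask.listCertStatusForSecurityStandard('[-fipsLevel SP800-131 -suiteBLevel 128]')`, then inspect `blockers()` before executing anything `transition_plan()` returns. Parsing the list rather than eyeballing it matters because a cell with many scoped keystores produces output far longer than the two-certificate example, and a single CAN_NOT_CONVERT entry is easy to miss.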