WebSphere® Application
Server can be configured to work with various security standards,
which are typically used to meet security requirements required by
the government.

New feature:
WebSphere Application
Server integrates cryptographic modules, which include Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE).
Most of the requirements in the standards are handled in the JSSE
and JCE, which must undergo the certification process to meet government
standards. WebSphere Application
Server must be configured to run with the JSSE and JCE enabled for
a particular standard, and now supports the FIPS 140-2, SP800-131
and Suite B security standards.newfeat
- FIPS 140-2 are Federal Information Processing Standards
(FIPS) that specify requirements on cryptographic modules. WebSphere Application Server
has been able to configure using this standard the longest. Many users
can be configured to use this level, but might be required to move
up to the newer SP800-131 or Suite B standard.
See The
National Institute of Standards and Technology website for
more information about the 140-2 standard.
To configure FIPS
140-2, see the topic Configuring Federal Information Processing
Standard Java Secure Socket
Extension files.
- SP800-131 is a requirement originated by the National
Institute of Standards and Technology (NIST) which requires longer
key lengths and stronger cryptography. The specification also provides
a transition configuration to enable users to move to a strict enforcement
of SP800-131. The transition configuration also enables users to run
with a mixture of settings from both FIPS140-2 and SP800-131. SP800-131
can be run in two modes, transition and strict.
Strict
enforcement of SP800-131 requirements on WebSphere Application server includes the
following:
- The use of the TLSv1.2 protocol for the Secure Sockets Layer (SSL)
context.
- Certificates must have a minimum length of 2048. Elliptical Curve
(EC) certificate require a minimum size of 244-bit curves.
- Certificates must be signed with a signature algorithm of SHA256,
SHA384, or SHA512. Valid signatureAlgorithms include:
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
- SP800-131 approved Cipher suites
See The
National Institute of Standards and Technology website for
more details about the SP800-131 standard.
See the topic Transitioning WebSphere Application Server
to the SP800-131 security standard for information on how to
transition WebSphere Application
Server to the SP800-131 strict standard. See the topic Configuring WebSphere Application Server
for SP800-131 standard strict mode for information on how to
configure SP800-131.
- Suite B is a requirement originated by the
National Security Agency (NSA) to specify a cryptographic interoperability
strategy. This standard is similar to SP800-131 with some tighter
restrictions. Suite B can run in two modes: 128-bit or 192-bit. The
restricted policy file provides encryption for the 128-bit mode, and
it is applied by default. If using 192-bit mode, users must apply
the unrestricted policy file to the JDK so that the stronger cipher
required for the 192-bit mode can be used.
The following table
lists the maximum key sizes that the restricted policy file allows
for IBMJCE and IBMJCECCA algorithms. Users who require stronger encryption
must use the unrestricted policy file.
Table 1. Restricted
policy file values. Algorithm |
Maximum key size in bits |
DES |
64 |
DESede |
96 |
RC2 |
128 |
RC4 |
128 |
RC5 |
128 |
RSA |
2048 |
All other algorithms |
128 |
To apply the unrestricted policy files, copy US_export_policy.jar
and local_policy.jar from the WAS_HOME/java/J5.0/lib/security directory
to the WAS_HOME/java/J5.0/demo/jce/policy-files/unrestricted directory.
Suite
B requirements on WebSphere Application
Server include the following:
- The use of the TLSv1.2 protocol for the SSL Context
- Suite B approved Cipher suites
- Certificates:
- 128 bit mode certificates must be signed with SHA256withECDSA
- 192 bit mode certificates must be signed with SHA384withECDSA
- Ciphers:
- SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
See the topic Configuring WebSphere Application Server for the Suite
B security standard for information about how to configure
Suite B.
Properties used to enable the Security Standards
The IBM® virtual machine for Java (JVM) runs in a given security mode based
on system properties. WebSphere Application
Server sets these system properties based on security configuration
settings. The security configuration can be set up through the administrative
console or through scripting admin tasks. If an application sets these
properties directly it can affect WebSphere Application
Server SSL communication.
Table 2. JVM system properties
to enable the security standard. Security standard |
System property to enable |
Valid values |
FIPS 140-2 |
com.ibm.jsse2.usefipsprovider |
true or false |
SP800-131 |
com.ibm.jsse2.sp800-131 |
transition or strict |
Suite B |
com.ibm.jsse2.suiteB |
128 or 192 |
WebSphere Application
Server configuration clears out all of these properties if they are
set, then sets them to how the security configuration is specified. WebSphere Application Server
enables the security standard based on the custom properties set in
the security configuration.
WebSphere Application
Server security custom properties to enable the security standard
Table 3. WebSphere Application
Server security custom properties to enable the security standard. Security standard |
Security custom properties |
JVM system property |
FIPS 140-2 |
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=FIPS140-2
|
com.ibm.jsse2.usefipsprovider=true |
SP800-131- transition |
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=transition
|
com.ibm.jsse2.sp800-131=transition |
SP800-131 – strict |
com.ibm.security.useFips=true
com.ibm.websphere.security.FIPSLevel=SP800-131
|
com.ibm.jsse2.sp800-131=strict |
Suite B 128 |
com.ibm.security.useFips=true
com.ibm.websphere.security.suiteB=128
|
com.ibm.jsse2.suiteB=128 |
Suite B 192 |
com.ibm.security.useFips=true
com.ibm.websphere.security.suiteB=192
|
com.ibm.jsse2.suiteB=192 |