Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files.
When enabling the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel, the runtime always uses IBMJSSE2, despite the contextProvider that you specify for SSL (IBMJSSE or IBMJSSE2S). Also, because FIPS requires the SSL protocol be TLS, the runtime always uses TLS when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in Version 8.5 because an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel to enable all transports using SSL.
ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorExceptionUncomment the following entry in the java.security file if it was previously removed or commented out, then restart the server:
security.provider.2=com.ibm.crypto.provider.IBMJCE
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
#security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.jsse.IBMJSSEProvider
security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
security.provider.7=com.ibm.security.cert.IBMCertPath
#security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.1=sun.security.provider.Sun
#security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.i5os.jsse.JSSEProvider
#security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
To change the cipher suite, see the cipher suite groups information within the quality of protection settings documentation. If you change the cipher suite level to Medium, save and synchronize the changes. If the Dynamically update the run time when SSL configuration changes occur option is selected, you do not need to restart the server. However, if the option is not selected, you must restart the server for the changes to be effective. The Dynamically update the run time when SSL configuration changes occur option is available within the administrative console on the SSL certificate and key management panel. To access the panel, click .
Security Level 3 FMID JCPT3A1 is the z/OS operating system implementation of the FIPS 140-2 approved cryptographic providers.