Configuring Federal Information Processing Standard Java Secure Socket Extension files
Use this topic to configure Federal Information Processing Standard Java™ Secure Socket Extension files.
About this task
- SSL_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_RSA_WITH_AES_128_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_DSS_WITH_AES_128_CBC_SHA
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
When enabling the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel, the runtime always uses IBMJSSE2, despite the contextProvider that you specify for SSL (IBMJSSE or IBMJSSE2S). Also, because FIPS requires the SSL protocol be TLS, the runtime always uses TLS when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in Version 9.0 because an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management panel to enable all transports using SSL.
Procedure
What to do next
- By default, Microsoft Internet
Explorer might not have TLS enabled. To enable TLS, open the Internet
Explorer browser and click Tools > Internet Options. On
the Advanced tab, select the Use TLS 1.0 option. Note: Netscape Version 4.7.x and earlier versions might not support TLS.
- When you select the Use the Federal Information Processing Standard (FIPS) option on the SSL certificate and key management panel, the Lightweight Third-Party Authentication (LTPA) token format is not backwards-compatible with previous releases of WebSphere Application Server. However, you can import the LTPA keys from a previous version of the application server.
- Note: The current WebSphere limitation is that the key length in secret keys are not evaluated for FIPS sp800-131a compliance. If secret keys are in the keystore, then check the key length by using iKeyman in the {WebSphere_install_dir}\java\jre\bin directory or by using other keystore tools.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorException
Uncomment
the following entry in the java.security file if it was previously
removed or commented out, then restart the server:security.provider.2=com.ibm.crypto.provider.IBMJCE
- IBMJCEFIPS (certificate 376)
- IBM Cryptography for C (ICC) (certificate 384)
- In the ssl.client.props file, you must change the com.ibm.security.useFIPS value to false.
In the java.security file, you must change the FIPS provider to a non-FIPS provider.
If you are using the IBM SDK java.security file, you must change the first provider to a non-FIPS provider as shown in the following example:#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath #security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
If you are using the Sun JDK java.security file, you must change the third provider to a non-FIPS provider as shown in the following example:security.provider.1=sun.security.provider.Sun security.provider.2=com.ibm.security.jgss.IBMJGSSProvider security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.4=com.ibm.crypto.provider.IBMJCE security.provider.5=com.ibm.jsse.IBMJSSEProvider security.provider.6=com.ibm.jsse2.IBMJSSEProvider2 security.provider.7=com.ibm.security.cert.IBMCertPath #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
Edit the java.security file to remove the FIPS provider and renumber the providers as in the following example:
security.provider.1=sun.security.provider.Sun #security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.2=com.ibm.crypto.provider.IBMJCE security.provider.3=com.ibm.jsse.IBMJSSEProvider security.provider.4=com.ibm.jsse2.IBMJSSEProvider2 security.provider.5=com.ibm.security.jgss.IBMJGSSProvider security.provider.6=com.ibm.security.cert.IBMCertPath security.provider.7=com.ibm.i5os.jsse.JSSEProvider #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11 security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
![[z/OS]](../images/ngzos.gif)
- Reduce the cipher suite level to Medium, if your cipher suite level is currently Strong.
Avoid trouble: You can change the cipher suite level for different levels of your environment such as the node or server level. Limit the change to the level of your environment where the change is necessary.gotcha
To change the cipher suite, see the cipher suite groups information within the quality of protection settings documentation. If you change the cipher suite level to Medium, save and synchronize the changes. If Global Security is enabled and the Dynamically update the run time when SSL configuration changes occur option is selected, you do not need to restart the server. However, if the option is not selected, you must restart the server for the changes to be effective. The Dynamically update the run time when SSL configuration changes occur option is available within the administrative console on the SSL certificate and key management panel. To access the panel, click .
- Install security level 3 FMID JCPT3A1 for the z/OS® operating system.
Security Level 3 FMID JCPT3A1 is the z/OS operating system implementation of the FIPS 140-2 approved cryptographic providers.