Federal Information Processing Standard (FIPS) 140-2 specifies
required levels of encryption for Transport Layer Security/Secure
Sockets Layer (TLS/SSL). This standard ensures high protection of
data as it is sent over the wire.
Before you begin
- You must be using an IBM® Runtime Environment. For more information, see Java SE considerations.
- Configure transport layer security and secure sockets layer in
both directions. Your catalog server truststore file must contain
the self-signed certificates for the container servers. The container
servers must contain the self-signed certificates for the catalog
server. For more information, see Transport layer security and secure sockets layer.
About this task
You can use the following steps to configure the catalog
servers and container servers in your WebSphere eXtreme Scale stand-alone installation
to use FIPS.
If you are using WebSphere eXtreme Scale integrated with WebSphere Application Server, the catalog servers
and container servers inherit the security properties from the application
server. For more information about configuring FIPS with WebSphere Application Server, see Configuring Federal Information Processing Standard Java Secure Socket Extension files. When a catalog server runs in WebSphere Application Server, some of the communication
is controlled by the server.properties file.
Update the server.properties file to contain
the same properties that are required for stand-alone catalog servers.
Procedure
- Edit the java.security file. The location of the java.security file depends on your Java virtual machine (JVM) configuration:
  - If you are using the default JVM that ships with the product, the file is in the wxs_install_root/java/jre/lib/security directory.
  - If you are using a different JVM, edit the file in the java_home/jre/lib/security directory.
  The file must contain the following text:
  security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
  security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
  security.provider.3=com.ibm.crypto.provider.IBMJCE
  security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
  security.provider.5=com.ibm.security.cert.IBMCertPath
  security.provider.6=com.ibm.security.sasl.IBMSASL
  security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
  security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
  security.provider.9=org.apache.harmony.security.provider.PolicyProvider
  security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
- Edit the server properties files for the catalog server and container servers. These files must contain the following properties and values:
  contextProvider=IBMJSSE2
  transportType=SSL-Required
  For more information about server properties, see Server properties file.
- Configure key pairs that use the RSA key generation algorithm in the key ring for the catalog server and container servers. The minimum key length is 1024 bits.
- Restart your catalog and container servers. When you start the catalog servers, you must specify Java virtual machine (JVM) arguments. The arguments you use depend on which version of Java SE you are using.
  - For Java 5 and Java 6 up to SR 9, specify the -Dcom.ibm.jsse2.JSSEFIPS=true argument when you start the server.
  - For Java 6 SR 10 and later, or Java 7, specify the -Dcom.ibm.jsse2.usefipsprovider=true argument when you start the server.
  For more information, see Starting and stopping secure servers.
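As an added pre-flight check (example code written for this page, not part of the IBM documentation or the WebSphere eXtreme Scale product), the following Python script validates the java.security provider order and the server properties from the procedure above, and selects the JVM argument for the Java SE level in use. The parse_properties helper is a simplified properties reader and SAMPLE_BAD is constructed input; both are assumptions of this example.

```python
# Constructed pre-flight check for the FIPS settings above (not IBM tooling): it
# validates java.security provider order and server properties, and picks the JVM argument.
import re

REQUIRED_PROVIDERS = ["com.ibm.crypto.fips.provider.IBMJCEFIPS",
                      "com.ibm.jsse2.IBMJSSEProvider2"]
REQUIRED_SERVER_PROPS = {"contextProvider": "IBMJSSE2",
                         "transportType": "SSL-Required"}

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_java_security(text):
    """Return problems found (empty list means FIPS-ready). IBMJCEFIPS must be
    provider 1 and numbering contiguous, or the JVM ignores later providers."""
    providers = {int(k.rsplit(".", 1)[1]): v
                 for k, v in parse_properties(text).items()
                 if re.fullmatch(r"security\.provider\.\d+", k)}
    problems = [f"gap at security.provider.{n}"
                for n in range(1, len(providers) + 1) if n not in providers]
    for pos, name in enumerate(REQUIRED_PROVIDERS, start=1):
        if providers.get(pos) != name:
            problems.append(f"security.provider.{pos} must be {name}")
    return problems

def check_server_properties(text):
    """Return the catalog/container server properties that are missing or wrong."""
    props = parse_properties(text)
    return [f"{k} must be {v}" for k, v in REQUIRED_SERVER_PROPS.items()
            if props.get(k) != v]

def fips_jvm_argument(java_version, service_release=0):
    """Startup flag by Java SE level, following the rule given in the procedure."""
    if java_version == 5 or (java_version == 6 and service_release <= 9):
        return "-Dcom.ibm.jsse2.JSSEFIPS=true"
    if java_version == 7 or (java_version == 6 and service_release >= 10):
        return "-Dcom.ibm.jsse2.usefipsprovider=true"
    raise ValueError(f"Java {java_version} SR {service_release} not covered")

# Constructed sample: a java.security that still lists the non-FIPS IBMJCE first.
SAMPLE_BAD = ("security.provider.1=com.ibm.crypto.provider.IBMJCE\n"
              "security.provider.2=com.ibm.jsse2.IBMJSSEProvider2\n")
print(check_java_security(SAMPLE_BAD))  # one problem: provider 1 is not IBMJCEFIPS
```

Run it against the real wxs_install_root/java/jre/lib/security/java.security and the catalog and container server properties files before restarting the servers; any returned problem means the JVM will not select the FIPS provider.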