Why and when to perform this task
In WebSphere Application Server, the Java Secure Socket Extension (JSSE) provider used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the Java Cryptography Extension (JCE) provider. Consequently, IBMJSSE2 does not need to be Federal Information Processing Standard (FIPS)-approved because it does not perform cryptography. However, the JCE provider requires FIPS approval.

Even though the IBMJSSEFIPS provider is still present, the run time does not use this provider. If IBMJSSEFIPS is specified as a contextProvider, WebSphere Application Server automatically defaults to the IBMJSSE2 provider (with the IBMJCEFIPS provider) for supporting FIPS in Version 6. When you enable FIPS in the server Global Security Panel, the run time always uses IBMJSSE2, regardless of the contextProvider that you specify for SSL (IBMJSSE, IBMJSSE2 or IBMJSSEFIPS). Also, because FIPS requires that the SSL protocol be TLS, the run time always uses TLS when FIPS is enabled, regardless of the SSL protocol setting in the SSL repertoire. This simplifies the FIPS configuration in Version 6 because an administrator needs to enable only the FIPS flag in the Global Security Panel to enable all transports using SSL.
Steps for this task
    #com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.contextProvider=IBMJSSEFIPS
You are using an administrative client if you use the startServer.sh or stopServer.sh commands instead of the administrative console to start and stop the server.
The IBMJCEFIPS provider must be in the java.security file provider list. The java.security file is located in the profile_root/properties directory. The java.security file looks like the following example after completing this step:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.jsse.IBMJSSEProvider
    security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.6=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.7=com.ibm.security.cert.IBMCertPath
    security.provider.8=com.ibm.i5os.jsse.JSSEProvider
    #security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
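The script below is an added example, not part of the original documentation or of any IBM tooling. It audits the two files edited in the steps above: it confirms that IBMJCEFIPS is an active entry in the java.security provider list and that the active com.ibm.ssl.contextProvider value is IBMJSSEFIPS. It assumes that IBMJCEFIPS should rank ahead of IBMJCE, as in the sample listing; the function names and the sample input are constructed for illustration.

```python
import re

FIPS = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
JCE = "com.ibm.crypto.provider.IBMJCE"

def active_props(text):
    """Return (key, value) pairs from uncommented key=value lines, in file order."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit_fips(java_security, ssl_client_props):
    """Return a list of findings; an empty list means both files match the FIPS layout."""
    findings, providers = [], {}
    for key, value in active_props(java_security):
        m = re.fullmatch(r"security\.provider\.(\d+)", key)
        if not m:
            continue
        idx = int(m.group(1))
        if idx in providers:  # a properties file keeps only the last value for a key
            findings.append(f"security.provider.{idx} defined twice; the later line wins")
        providers[idx] = value
    order = [providers[i] for i in sorted(providers)]  # preference order
    if FIPS not in order:
        findings.append("IBMJCEFIPS is not an active provider")
    elif JCE in order and order.index(JCE) < order.index(FIPS):
        # Assumption taken from the sample listing: IBMJCEFIPS ranks ahead of IBMJCE.
        findings.append("IBMJCE is preferred over IBMJCEFIPS")
    ctx = [v for k, v in active_props(ssl_client_props) if k == "com.ibm.ssl.contextProvider"]
    if ctx[-1:] != ["IBMJSSEFIPS"]:
        findings.append(f"contextProvider is {ctx[-1] if ctx else 'unset'}, expected IBMJSSEFIPS")
    return findings

# Constructed sample input, modelled on the listings on this page.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
#security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
"""
SAMPLE_SSL_PROPS = """\
#com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.contextProvider=IBMJSSEFIPS
"""

if __name__ == "__main__":
    print(audit_fips(SAMPLE_JAVA_SECURITY, SAMPLE_SSL_PROPS) or "FIPS layout OK")
```

To audit a real profile, pass the contents of profile_root/properties/java.security and of ssl.client.props to audit_fips in place of the sample strings.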
What to do next
After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:

    com.ibm.ssl.contextProvider=IBMJSSEFIPS
    com.ibm.ssl.contextProvider=IBMJSSE2
    #com.ibm.ssl.contextProvider=IBMJSSEFIPS

    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    #security.provider.1=com.ibm.crypto.provider.IBMJCE
    security.provider.2=com.ibm.jsse.IBMJSSEProvider
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    #security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11

    security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.2=sun.security.provider.Sun
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    #security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.jsse.IBMJSSEProvider
    security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.6=com.ibm.security.cert.IBMCertPath
    #security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11