Configuring Federal Information Processing Standard Java Secure Socket Extension files

Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files.

About this task

In WebSphere® Application Server, the Java™ Secure Socket Extension (JSSE) provider that is used is the IBMJSSE2 provider. This provider delegates encryption and signature functions to the Java Cryptography Extension (JCE) provider. Therefore, IBMJSSE2 does not need to be Federal Information Processing Standard (FIPS)-approved because it does not perform cryptography. However, the JCE provider requires FIPS-approval.

[z/OS] WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can use.

[AIX Solaris HP-UX Linux Windows][IBM i][8.5.5.23 or later]WebSphere Application Server provides a FIPS-approved IBMJCEPlusFIPS provider that IBMJSSE2 can use.

[AIX Solaris HP-UX Linux Windows][IBM i]In versions before 8.5.5.23, WebSphere Application Server provides a FIPS-approved IBMJCEFIPS provider that IBMJSSE2 can use.

When you enable the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane, the runtime always uses IBMJSSE2, regardless of the contextProvider that you specify for SSL (IBMJSSE or IBMJSSE2S). Because FIPS requires TLS 1.2 as the SSL protocol, the runtime always uses TLSv1.2 when FIPS is enabled, regardless of the SSL/TLS protocol setting in the SSL repertoire. This simplifies the FIPS configuration in WebSphere Application Server because an administrator needs to enable only the Use the United States Federal Information Processing Standard (FIPS) algorithms option on the server SSL certificate and key management pane to enable all transports using SSL.

Procedure

  1. Click Security > SSL certificate and key management > Manage FIPS.
  2. Select the Enable FIPS 140-2 option and click Apply.
    [z/OS]This option makes IBMJSSE2 and IBMJCEFIPS the active providers.
    [AIX Solaris HP-UX Linux Windows][IBM i][8.5.5.23 or later]This option makes IBMJSSE2 and IBMJCEPlusFIPS the active providers.
    [AIX Solaris HP-UX Linux Windows][IBM i]In versions before 8.5.5.23, this option makes IBMJSSE2 and IBMJCEFIPS the active providers.
  3. Accommodate Java clients that must access enterprise beans.

    Change the com.ibm.security.useFIPS property value from false to true in the profile_root/properties/ssl.client.props file.

  4. Ensure that the com.ibm.ssl.protocol property within the profile_root/properties/ssl.client.props file is set to TLSv1.2.
  5. Ensure that the java.security file includes the provider.

    [z/OS]To update the provider list, edit the java.security file and add com.ibm.crypto.plus.provider.IBMJCEFIPS preceding the IBMJCE provider in the provider list and renumber other providers. However, because WebSphere Application Server adds the provider programmatically, modifying the java.security file is optional.

    [AIX Solaris HP-UX Linux Windows][IBM i][8.5.5.23 or later]

    To update the provider list, edit the java.security file and add com.ibm.crypto.plus.provider.IBMJCEPlusFIPS preceding the IBMJCEPlus and IBMJCE providers in the provider list and renumber other providers. However, because WebSphere Application Server adds the provider programmatically, modifying the java.security file is optional.

    [AIX Solaris HP-UX Linux Windows][IBM i]In versions before 8.5.5.23, to update the provider list, edit the java.security file and add com.ibm.crypto.plus.provider.IBMJCEFIPS preceding the IBMJCE provider in the provider list and renumber other providers. However, because WebSphere Application Server adds the provider programmatically, modifying the java.security file is optional. The IBMJCEFIPS provider must be in the java.security file provider list.

    [AIX Solaris HP-UX Linux Windows][z/OS]The java.security file is located in the WASHOME/java/jre/lib/security directory.

    [IBM i]The java.security file is located in the profile_root/properties directory.

    The following example shows the contents of the IBM® SDK java.security file after the step is completed.
    • [z/OS]Use the string crypto.fips.provider.IBMJCEFIPS.
      security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS 
      security.provider.2=com.ibm.crypto.provider.IBMJCE  
      security.provider.3=com.ibm.jsse.IBMJSSEProvider   
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2   
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider 
      security.provider.6=com.ibm.security.cert.IBMCertPath  
      security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
      security.provider.8=com.ibm.security.cmskeystore.CMSProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=com.ibm.security.sasl.IBMSASL 
      security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider 
      security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider  
      security.provider.13=org.apache.harmony.security.provider.PolicyProvider
    • [AIX Solaris HP-UX Linux Windows][IBM i][8.5.5.23 or later]Use the string crypto.plus.provider.IBMJCEPlusFIPS.
      [AIX Solaris HP-UX Linux Windows]
      security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS 
      security.provider.2=com.ibm.crypto.provider.IBMJCE  
      security.provider.3=com.ibm.jsse.IBMJSSEProvider   
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2   
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider 
      security.provider.6=com.ibm.security.cert.IBMCertPath  
      security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
      security.provider.8=com.ibm.security.cmskeystore.CMSProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=com.ibm.security.sasl.IBMSASL 
      security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider 
      security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider  
      security.provider.13=org.apache.harmony.security.provider.PolicyProvider
      [IBM i]
      security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.jsse.IBMJSSEProvider
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
      security.provider.7=com.ibm.i5os.jsse.JSSEProvider
      security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=com.ibm.security.cmskeystore.CMSProvider
      security.provider.11=com.ibm.security.sasl.IBMSASL
      security.provider.12=com.ibm.xml.crypto.IBMXMLCryptoProvider
      security.provider.13=com.ibm.xml.enc.IBMXMLEncProvider
      security.provider.14=org.apache.harmony.security.provider.PolicyProvider
    • [AIX Solaris HP-UX Linux Windows][IBM i]In versions before 8.5.5.23, use the string crypto.fips.provider.IBMJCEFIPS.
      [AIX Solaris HP-UX Linux Windows]
      security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS 
      security.provider.2=com.ibm.crypto.provider.IBMJCE  
      security.provider.3=com.ibm.jsse.IBMJSSEProvider   
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2   
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider 
      security.provider.6=com.ibm.security.cert.IBMCertPath  
      security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
      security.provider.8=com.ibm.security.cmskeystore.CMSProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=com.ibm.security.sasl.IBMSASL 
      security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider 
      security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider  
      security.provider.13=org.apache.harmony.security.provider.PolicyProvider
      [IBM i]
      security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.jsse.IBMJSSEProvider
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
      security.provider.7=com.ibm.i5os.jsse.JSSEProvider
      security.provider.8=com.ibm.crypto.pkcs11.provider.IBMPKCS11
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=com.ibm.security.cmskeystore.CMSProvider
      security.provider.11=com.ibm.security.sasl.IBMSASL
      security.provider.12=com.ibm.xml.crypto.IBMXMLCryptoProvider
      security.provider.13=com.ibm.xml.enc.IBMXMLEncProvider
      security.provider.14=org.apache.harmony.security.provider.PolicyProvider

    [AIX Solaris HP-UX Linux Windows][IBM i]If you are using the Oracle JDK, the java.security file looks like the following example after completing this step.

    [AIX Solaris HP-UX Linux Windows][IBM i][8.5.5.23 or later]Add the line security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS.
    
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.11=sun.security.provider.Sun
    [AIX Solaris HP-UX Linux Windows][IBM i]In versions before 8.5.5.23, add the line security.provider.2=com.ibm.crypto.plus.provider.IBMJCEFIPS.
    
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.plus.provider.IBMJCEFIPS
    security.provider.3=com.ibm.crypto.provider.IBMJCEPlus
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.security.sasl.IBMSASL
    security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=sun.security.provider.Sun 
    [z/OS]

    Edit the java.security file to uncomment the line with the IBMJCEFIPS provider and also renumber the rest of the provider list. The IBMJCEFIPS provider must be in the java.security file provider list. The java.security file is located in the WASHOME/java/jre/lib/security directory. To edit the file, complete the following steps:

    [z/OS]
    1. Copy the java.security file to a directory that has write permissions.
    2. Edit the java.security file to comment out the line with the IBMJCE provider, uncomment the line with the IBMJCEFIPS provider, and save the file.

      The IBM Software Development Kit (SDK) java.security file looks like the following example before completing this step.

      #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.1=com.ibm.crypto.provider.IBMJCE
      security.provider.2=com.ibm.jsse.IBMJSSEProvider
      security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.5=com.ibm.security.cert.IBMCertPath
      security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
      security.provider.7=com.ibm.security.cmskeystore.CMSProvider
      security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    3. Configure the security.overridePropertiesFile and java.security.properties system properties for each Java virtual machine (JVM) in the cell.
      Add the following property and value pairs:
      Table 1. Custom properties for specifying a new location for the java.security file.

      This table describes custom properties for specifying a new location for the java.security file.

      Property name                      Value
      security.overridePropertiesFile    true
      java.security.properties           Specify the new location of the java.security file.
      You must specify the previous set of system properties for the deployment manager, the node agent, and other application servers. For the deployment manager, specify this set of system properties for both the control and the servant. For the node agent, specify this set of system properties for the control. For all application servers, specify this set of system properties for the adjunct, control, and servant. For example, complete the following steps to specify these system properties for the control on an application server:
      1. In the administrative console, click Servers > Application servers > server_name.
      2. Under Server infrastructure, click Java and Process Management > Process Definition > Control.
      3. Under Additional properties, click Java Virtual Machine > Custom properties.
      4. Enter the properties as two sets of name and value pairs.
      5. Click Save.
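
A way to audit the files touched in steps 3 to 5, as an added example that is not IBM's code: it parses java.security and ssl.client.props text and reports when the FIPS provider is missing from the effective provider list (the result of adding it without renumbering), when a non-FIPS JCE provider precedes it, or when com.ibm.security.useFIPS and com.ibm.ssl.protocol differ from the values given above. The function names and sample inputs are constructed for illustration, and the parser handles only key=value lines.

```python
import re

FIPS_PROVIDERS = ("IBMJCEPlusFIPS", "IBMJCEFIPS")   # FIPS JCE providers named on this page
NON_FIPS_JCE = ("IBMJCEPlus", "IBMJCE")             # must come after the FIPS provider

def parse_props(text):
    """Simplified .properties parser ('=' separator only).
    Returns (props, duplicate_keys); as in java.util.Properties, the last duplicate wins."""
    props, dups = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in props:
            dups.append(key)
        props[key] = value
    return props, dups

def effective_providers(props):
    """Short provider names in load order. Standard JDK behaviour: the JVM reads
    security.provider.1, .2, ... and stops at the first missing number."""
    names, n = [], 1
    while f"security.provider.{n}" in props:
        names.append(props[f"security.provider.{n}"].rsplit(".", 1)[-1])
        n += 1
    return names

def check_java_security(text):
    props, dups = parse_props(text)
    findings = [f"duplicate key {k}: only the last value is used"
                for k in dups if k.startswith("security.provider.")]
    providers = effective_providers(props)
    declared = [k for k in props if re.fullmatch(r"security\.provider\.\d+", k)]
    if len(declared) > len(providers):
        findings.append(f"numbering gap after security.provider.{len(providers)}: "
                        f"{len(declared) - len(providers)} provider(s) never loaded")
    fips_at = [i for i, p in enumerate(providers) if p in FIPS_PROVIDERS]
    if not fips_at:
        findings.append("no FIPS JCE provider in the effective provider list")
    else:
        findings += [f"{p} precedes the FIPS provider"
                     for p in providers[:fips_at[0]] if p in NON_FIPS_JCE]
    return findings

def check_ssl_client_props(text):
    props, _ = parse_props(text)
    findings = []
    if props.get("com.ibm.security.useFIPS", "").lower() != "true":
        findings.append("com.ibm.security.useFIPS is not true")
    if props.get("com.ibm.ssl.protocol") != "TLSv1.2":
        findings.append("com.ibm.ssl.protocol is not TLSv1.2")
    return findings

# Constructed sample: FIPS line added without renumbering, plus a skipped number.
BAD_JAVA_SECURITY = """\
security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
"""
# Constructed sample: client file still at non-FIPS values.
BAD_SSL_CLIENT_PROPS = "com.ibm.security.useFIPS=false\ncom.ibm.ssl.protocol=SSL_TLS\n"

if __name__ == "__main__":
    for finding in (check_java_security(BAD_JAVA_SECURITY)
                    + check_ssl_client_props(BAD_SSL_CLIENT_PROPS)):
        print("FAIL:", finding)
```

On the constructed bad file, the duplicate security.provider.1 line silently replaces the FIPS provider with IBMJCE, which is why the renumbering in step 5 matters.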

What to do next

After completing these steps, a FIPS-approved JSSE or JCE provider offers increased encryption capabilities. However, when you use FIPS-approved providers:
  • By default, Microsoft Internet Explorer might not have TLS 1.2 enabled. To enable TLS 1.2, open the Internet Explorer browser and click Tools > Internet Options. On the Advanced tab, select the Use TLS 1.2 option.
    Note: Netscape Version 4.7.x and earlier versions might not support TLS 1.2.
  • When you select the Use the Federal Information Processing Standard (FIPS) option on the SSL certificate and key management pane, the Lightweight Third-Party Authentication (LTPA) token format is not compatible with earlier versions of WebSphere Application Server. However, you can import the LTPA keys from a previous version of the application server.
  • Note: The current WebSphere Application Server limitation is that the key length in secret keys is not evaluated for FIPS sp800-131a compliance. If secret keys are in the keystore, then check the key length by using iKeyman in the {WebSphere_install_dir}\java\jre\bin directory or by using other keystore tools.
[AIX Solaris HP-UX Linux Windows]Attention: The following error might occur when you attempt to stop WebSphere Application Server after enabling the FIPS option.
ADMU3007E: Exception com.ibm.websphere.management.exception.ConnectorException
Uncomment the following entry in the java.security file if it was previously removed or commented out, then restart the server:
security.provider.2=com.ibm.crypto.provider.IBMJCE
Note: When enabling FIPS, you cannot configure cryptographic token devices in the SSL repertoires. IBMJSSE2 must use IBMJCEPlusFIPS when using cryptographic services for FIPS.
The following FIPS 140-2 approved cryptographic providers are the only devices that are supported by the FIPS option:
  • [z/OS]IBMJCEFIPS (certificate 376)
  • [AIX Solaris HP-UX Linux Windows][IBM i][8.5.5.23 or later]IBMJCEPlusFIPS (certificate 376)
  • [AIX Solaris HP-UX Linux Windows][IBM i]In versions before 8.5.5.23, IBMJCEFIPS (certificate 376)
  • IBM Cryptography for C (IBM Content Collector) (certificate 384)
The relevant certificates are listed on the NIST website: Standards: FIPS PUB 140-2.
To unconfigure the FIPS provider, reverse the changes that you made in the previous steps. After you reverse the changes, verify the following changes to the sas.client.props, soap.client.props, and java.security files:
  • In the ssl.client.props file, you must change the com.ibm.security.useFIPS value to false.
  • In the java.security file, you must change the FIPS provider to a non-FIPS provider.
    If you are using the IBM SDK java.security file, you must change the first provider to a non-FIPS provider as shown in the following example.[z/OS]
    
    #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS 
    security.provider.1=com.ibm.crypto.provider.IBMJCE  
    security.provider.2=com.ibm.jsse.IBMJSSEProvider   
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2   
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider 
    security.provider.5=com.ibm.security.cert.IBMCertPath  
    security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
    security.provider.7=com.ibm.security.cmskeystore.CMSProvider
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.9=com.ibm.security.sasl.IBMSASL 
    security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider 
    security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider  
    security.provider.12=org.apache.harmony.security.provider.PolicyProvider
    [AIX Solaris HP-UX Linux Windows][8.5.5.23 or later]
    
    #security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS 
    security.provider.1=com.ibm.crypto.provider.IBMJCE  
    security.provider.2=com.ibm.jsse.IBMJSSEProvider   
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2   
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider 
    security.provider.5=com.ibm.security.cert.IBMCertPath  
    security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
    security.provider.7=com.ibm.security.cmskeystore.CMSProvider
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.9=com.ibm.security.sasl.IBMSASL 
    security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider 
    security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider  
    security.provider.12=org.apache.harmony.security.provider.PolicyProvider
    [IBM i][8.5.5.23 or later]
    
    #security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.1=com.ibm.crypto.provider.IBMJCE
    security.provider.2=com.ibm.jsse.IBMJSSEProvider
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.i5os.jsse.JSSEProvider
    security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.9=com.ibm.security.cmskeystore.CMSProvider
    security.provider.10=com.ibm.security.sasl.IBMSASL
    security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.13=org.apache.harmony.security.provider.PolicyProvider
    
    In versions before 8.5.5.23, use the following example.
    [AIX Solaris HP-UX Linux Windows]
    
    #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS 
    security.provider.1=com.ibm.crypto.provider.IBMJCE  
    security.provider.2=com.ibm.jsse.IBMJSSEProvider   
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2   
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider 
    security.provider.5=com.ibm.security.cert.IBMCertPath  
    security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
    security.provider.7=com.ibm.security.cmskeystore.CMSProvider
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.9=com.ibm.security.sasl.IBMSASL 
    security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider 
    security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider  
    security.provider.12=org.apache.harmony.security.provider.PolicyProvider
    [IBM i]
    
    #security.provider.1=com.ibm.crypto.plus.provider.IBMJCEFIPS
    security.provider.1=com.ibm.crypto.provider.IBMJCE
    security.provider.2=com.ibm.jsse.IBMJSSEProvider
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.i5os.jsse.JSSEProvider
    security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.9=com.ibm.security.cmskeystore.CMSProvider
    security.provider.10=com.ibm.security.sasl.IBMSASL
    security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.13=org.apache.harmony.security.provider.PolicyProvider
    

    [AIX Solaris HP-UX Linux Windows][IBM i]If you are using the Oracle JDK java.security file, you must change the second provider to a non-FIPS provider as shown in the following example.

    [AIX Solaris HP-UX Linux Windows][IBM i][8.5.5.23 or later]
    
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    #security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.security.sasl.IBMSASL
    security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=sun.security.provider.Sun
    

    [AIX Solaris HP-UX Linux Windows][IBM i]In versions before 8.5.5.23, change the second provider to a non-FIPS provider as shown in the following example.

    
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    #security.provider.2=com.ibm.crypto.plus.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCEPlus
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.sasl.IBMSASL
    security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.9=sun.security.provider.Sun
[z/OS]When you use the FIPS provider, the IBM Software Development Kit (SDK) might issue an error message that refers to a bad certificate. Although this error message can have many causes, review your security configuration and consider one of the following actions.
  • Reduce the cipher suite level to Medium, if your cipher suite level is currently Strong.
    Note: You can change the cipher suite level for different levels of your environment such as the node or server level. Limit the change to the level of your environment where the change is necessary.

    To change the cipher suite, see the cipher suite groups information within the quality of protection settings documentation. If you change the cipher suite level to Medium, save and synchronize the changes. If Global Security is enabled and the Dynamically update the run time when SSL configuration changes occur option is selected, you do not need to restart the server. However, if the option is not selected, you must restart the server for the changes to take effect. The Dynamically update the run time when SSL configuration changes occur option is available within the administrative console on the SSL certificate and key management pane. To access the pane, click Security > SSL certificate and key management.

  • Install security level 3 FMID JCPT3A1 for the z/OS® operating systems.

    Security Level 3 FMID JCPT3A1 is the z/OS operating system implementation of the FIPS 140-2 approved cryptographic providers.