If you installed Content Platform Engine on WebSphere® Application Server 8.0, and the application server is configured to adhere to Federal Information Processing Standards, you must enable Configuration Manager to connect to the application server.
To enable Configuration Manager to connect to FIPS-enabled WebSphere Application Server:
- Create the certificates to enable Federal Information Processing Standards (FIPS) support on an application server that is running WebSphere Application Server by completing the instructions in http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.was_v8/was/8.0.0.3/Security/WASV8003_SecurityCryptoSignatureAlgorithm.pdf
- Use the WebSphere administration console to convert the certificates to use the signature algorithm, SHA256withRSA, which is supported by the FIPS standard:
  - Log on to the WebSphere administration console.
  - Navigate to .
  - In the General Properties section, click Strict, and choose SHA256withRSA from the list.
- Run the Java™ keytool command twice, to import the certificates into two locations: one in WebSphere Application Server, and the other in Content Platform Engine. The keytool command syntax is as follows (see the Java documentation for the complete details on using keytool):
    keytool -import -alias certificate_alias_name -file certificate_location -keystore keystore_name -storepass keystore_password
  keytool is located in cpe_install_path/_cejvm/jre/bin (cpe_install_path is the installation path to Content Platform Engine).
  - certificate_alias_name
    Can be any string, such as CECA or CE_Name_CA.
  - certificate_location
    The path to the certificate location for Content Platform Engine is cpe_install_path/_cejvm/jre/lib/security/cacerts.
    The path to the certificate location for WebSphere Application Server is was_install_path/profiles/default/etc/DummyClientTrustFile.jks.
    cpe_install_path is the installation path to Content Platform Engine.
    was_install_path is the installation path to WebSphere Application Server.
  - keystore_name
    The default keystore name on Content Platform Engine is cacerts.
    The default keystore name on WebSphere Application Server is DummyClientTrustFile.jks.
  - keystore_password
    The default keystore password on Content Platform Engine is changeit.
    The default keystore password on WebSphere Application Server is WebAS.
- Edit the cpe_install_path/tools/configure/configmgr.ini file by adding the following lines (cpe_install_path is the installation path to Content Platform Engine):
    -Dcom.ibm.security.useFIPS=true
    -Dcom.ibm.websphere.security.FIPSLevel=SP800-131
    -Dcom.ibm.ssl.protocol=TLSv1.2
- Edit the was_install_path/profiles/default/properties/wsadmin.properties file by adding the following lines (was_install_path is the installation path to WebSphere Application Server):
    com.ibm.security.useFIPS=true
    com.ibm.websphere.security.FIPSLevel=SP800-131
    com.ibm.ssl.protocol=TLSv1.2
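
The checks below are an added example, not part of the IBM procedure: a shell script that confirms the three FIPS settings are present in configmgr.ini and wsadmin.properties and that an imported certificate is signed with SHA256withRSA. The function names are hypothetical, and the "Signature algorithm name:" label is assumed from OpenJDK keytool output.

```shell
#!/bin/sh
# Added example: post-change checks for this procedure. Function names are
# assumptions made for illustration; this is not IBM-supplied tooling.

# The three settings the page adds to configmgr.ini and wsadmin.properties.
FIPS_SETTINGS='com.ibm.security.useFIPS=true
com.ibm.websphere.security.FIPSLevel=SP800-131
com.ibm.ssl.protocol=TLSv1.2'

# check_fips_settings FILE PREFIX
#   PREFIX is "-D" for configmgr.ini and "" for wsadmin.properties.
#   Prints every setting that is absent; returns 1 if any is absent.
check_fips_settings() {
    file=$1; prefix=$2; rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for setting in $FIPS_SETTINGS; do
        # -x matches whole lines only, so a commented-out or "=false" line
        # does not pass; -F keeps the dots literal. sed first strips trailing
        # blanks and CR so files saved with CRLF endings still match.
        if ! sed 's/[[:space:]]*$//' "$file" |
                grep -qxF -e "${prefix}${setting}"; then
            echo "MISSING in $file: ${prefix}${setting}"
            rc=1
        fi
    done
    return $rc
}

# check_sig_alg: reads `keytool -list -v -alias ...` output on stdin and
# returns 1 unless every certificate shown is signed with SHA256withRSA.
# Assumes the "Signature algorithm name:" label that OpenJDK keytool prints.
check_sig_alg() {
    algs=$(grep 'Signature algorithm name:' | sed 's/.*:[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$algs" ] || { echo "no certificate in listing" >&2; return 2; }
    bad=$(printf '%s\n' "$algs" | grep -vx 'SHA256withRSA' || true)
    [ -z "$bad" ] || { echo "unexpected signature algorithm: $bad"; return 1; }
}

# Demo on a constructed configmgr.ini fragment with one setting left out.
demo=$(mktemp)
printf '%s\n' '-Dcom.ibm.security.useFIPS=true' '-Dcom.ibm.ssl.protocol=TLSv1.2' > "$demo"
check_fips_settings "$demo" -D || echo "demo: configmgr.ini is incomplete"
rm -f "$demo"

# Real use, with the page's placeholders:
#   check_fips_settings cpe_install_path/tools/configure/configmgr.ini -D
#   keytool -list -v -alias certificate_alias_name -keystore keystore_name \
#       -storepass keystore_password | check_sig_alg
```

Run check_sig_alg against the imported alias rather than a whole keystore listing, because cacerts also holds CA certificates that this procedure does not convert.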