IBM Tivoli Netcool/OMNIbus, Version 7.4

Configuring the JRE for FIPS 140–2 mode (UNIX and Linux)

To configure the Tivoli Netcool/OMNIbus JRE for FIPS 140–2 operation, change the configuration of the security properties file. You can also download and add policy files to use enhanced encryption algorithms.

Configuration file changes

Make the following changes:

  1. Open the security properties file for editing. This file is at $NCHOME/platform/arch/jre_1.6.7/jre/lib/security/java.security on 32-bit operating systems, and $NCHOME/platform/arch/jre64_1.6.0/jre/lib/security/java.security on 64-bit operating systems. arch represents your operating system directory; for example, solaris2.
  2. Edit the file as follows:
    • In the List of providers and their preference orders section, add the following lines: security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider and security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS. For all other providers, increment the number by two, as shown in the following table, for your operating system:
      Required entries by operating system
      AIX® and Linux:
      security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
      security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.4=com.ibm.crypto.provider.IBMJCE
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
      security.provider.7=com.ibm.security.sasl.IBMSASL
      security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
      security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
      security.provider.10=org.apache.harmony.security.provider.PolicyProvider
      security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.12=com.ibm.security.cmskeystore.CMSProvider
      Solaris and HP-UX:
      security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
      security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=sun.security.provider.Sun
      security.provider.5=com.ibm.crypto.provider.IBMJCE
      security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.7=com.ibm.security.cert.IBMCertPath
      security.provider.8=com.ibm.security.sasl.IBMSASL
      security.provider.9=com.ibm.xml.crypto.IBMXMLCryptoProvider
      security.provider.10=com.ibm.xml.enc.IBMXMLEncProvider
      security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.12=com.ibm.security.cmskeystore.CMSProvider
    • Set the default key and trust manager factory algorithms for the javax.net.ssl package:
      ssl.KeyManagerFactory.algorithm=IbmX509
      ssl.TrustManagerFactory.algorithm=IbmX509
    • Set the default SSLSocketFactory and SSLServerSocketFactory provider implementations for the javax.net.ssl package:
      ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
      ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
  3. Save and close the file.
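
The following check is an added example, not part of the IBM documentation: a POSIX shell function (the name check_fips_java_security is hypothetical) that reads a java.security file and reports every entry that differs from the values listed in step 2, plus duplicate or skipped provider numbers left over from renumbering. The sample file it runs on is constructed.

```shell
#!/bin/sh
# Added example: verify a java.security file against the entries listed above.
# Handles key=value lines only (the form this procedure uses).
check_fips_java_security() {
    awk '
    function need(k, got, want) {
        if (got != want) { print "FAIL " k " is \"" got "\", expected " want; bad = 1 }
    }
    /^[ \t]*[#!]/ || !/=/ { next }               # skip comments and lines without "="
    {
        key = $0; sub(/=.*/, "", key)            # split on the first "="
        val = $0; sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t\r]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key ~ /^security\.provider\.[0-9]+$/) {
            n = key; sub(/^security\.provider\./, "", n); n += 0
            if (n in prov) { print "FAIL duplicate " key; bad = 1 }
            prov[n] = val; if (n > max) max = n
        } else prop[key] = val                   # for other keys the last value wins
    }
    END {
        need("security.provider.1", prov[1], "com.ibm.fips.jsse.IBMJSSEFIPSProvider")
        need("security.provider.2", prov[2], "com.ibm.crypto.fips.provider.IBMJCEFIPS")
        for (i = 3; i <= max; i++)               # renumbering must leave no holes
            if (!(i in prov)) { print "FAIL gap: security.provider." i " missing"; bad = 1 }
        k = "ssl.KeyManagerFactory.algorithm";   need(k, prop[k], "IbmX509")
        k = "ssl.TrustManagerFactory.algorithm"; need(k, prop[k], "IbmX509")
        k = "ssl.SocketFactory.provider"
        need(k, prop[k], "com.ibm.jsse2.SSLSocketFactoryImpl")
        k = "ssl.ServerSocketFactory.provider"
        need(k, prop[k], "com.ibm.jsse2.SSLServerSocketFactoryImpl")
        exit bad + 0
    }' "$1"
}

# Constructed sample: FIPS lines added, but the old providers were not renumbered.
sample=$(mktemp)
printf '%s\n' \
    'security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider' \
    'security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS' \
    'security.provider.1=com.ibm.jsse2.IBMJSSEProvider2' \
    'security.provider.2=com.ibm.crypto.provider.IBMJCE' \
    'ssl.KeyManagerFactory.algorithm=IbmX509' > "$sample"
check_fips_java_security "$sample" || echo "java.security does not match the required entries"
rm -f "$sample"
```

To check a real installation, pass the path from step 1 to the function; it prints nothing and returns 0 when every required entry is present.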

Enhanced encryption algorithms

To enable strong encryption, download and install the policy files that allow this feature from IBM® developerWorks®. The download requires acceptance of licensing terms.

The steps to enable strong encryption are as follows:

  1. Go to the developerWorks Java™ Technology Security Web page at http://www-106.ibm.com/developerworks/java/jdk/security/.
  2. Click the Java SE 6 link. (The files are the same for JRE 1.5.n.)
  3. Scroll down on the resulting page and click the IBM SDK Policy files link.
  4. If you already have an IBM ID and password, click the Sign in link. Otherwise, click the Register here link to create an ID.
  5. On the "Sign in" page, supply your IBM ID and password.

    This takes you to the "Unrestricted JCE policy files for SDK 1.4" page.

  6. Select Unrestricted JCE Policy files for SDK for all newer versions and click Continue.
  7. Scroll down to the License section of the resulting page and click the View license link to see the licensing terms for the download.
  8. If the licensing terms are acceptable, select I agree and click the I confirm link. If the terms are not acceptable, you will not be able to enable strong encryption and should click I cancel.
  9. Click the Download now link to download the unrestricted.zip file.
  10. Extract the local_policy.jar and US_export_policy.jar files from the unrestricted.zip archive.
  11. Save these two files to the directory that is appropriate to your operating system, replacing the existing files of the same names. On 32-bit operating systems, save the files to the $NCHOME/platform/arch/jre_1.6.7/jre/lib/security directory. On 64-bit operating systems, save the files to the $NCHOME/platform/arch/jre64_1.6.7/jre/lib/security directory.
  12. Update the policy files on each computer, and optionally run tests.