Configuring the JRE for FIPS 140–2 mode (Windows)
To configure the Tivoli Netcool/OMNIbus JRE for FIPS 140–2 operation, change the configuration of the security properties file. You can also download and add policy files to use enhanced encryption algorithms.
Configuration file changes
Make the following changes:
- Open the %NCHOME%\platform\win32\jre_1.6.7\jre\lib\security\java.security file for editing.
- Edit the file as follows:
- In the List of providers and their preference orders section, add the following two lines as the first entries, in this order:
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
For all other providers, increment the number by two, so that the list reads as follows:
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=org.apache.harmony.security.provider.PolicyProvider
security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.12=com.ibm.security.cmskeystore.CMSProvider
- Set the default key and trust manager factory algorithms for the javax.net.ssl package:
ssl.KeyManagerFactory.algorithm=IbmX509
ssl.TrustManagerFactory.algorithm=IbmX509
- Set the default SSLSocketFactory and SSLServerSocketFactory provider implementations for the javax.net.ssl package:
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
- Save and close the file.
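The edits above are mechanical and easy to get wrong by hand (a skipped renumbering leaves two providers with the same index, and Java Properties silently keeps only one of them). The following script is an added example, not part of the Tivoli Netcool/OMNIbus product or this procedure: it applies the provider reordering and the ssl.* settings to a java.security file, renumbers whatever providers are already present rather than assuming the exact list above, uncomments the ssl.SocketFactory.provider and ssl.ServerSocketFactory.provider lines if they are commented out, and is safe to run twice. The embedded SAMPLE text is a constructed excerpt, not the shipped file; the file path in the usage comment is the one named in this procedure.

```python
"""Apply the FIPS 140-2 provider order and javax.net.ssl defaults to an IBM java.security file."""
import re
import sys

# The two FIPS providers that must come first, in this order (from the procedure above).
FIPS_PROVIDERS = (
    "com.ibm.fips.jsse.IBMJSSEFIPSProvider",
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
)

# javax.net.ssl defaults from the procedure above.
SSL_SETTINGS = {
    "ssl.KeyManagerFactory.algorithm": "IbmX509",
    "ssl.TrustManagerFactory.algorithm": "IbmX509",
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed excerpt standing in for the shipped file; not the real java.security.
SAMPLE = """\
# Constructed excerpt of an IBM java.security file (not the shipped file).
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider

# Default key and trust manager factory algorithms for the javax.net.ssl package.
ssl.KeyManagerFactory.algorithm=IbmX509
ssl.TrustManagerFactory.algorithm=PKIX

# Default SSLSocketFactory and SSLServerSocketFactory provider implementations.
#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
"""


def provider_order(text):
    """Return provider class names sorted by their security.provider.N index."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [name for _, name in sorted(found)]


def _ssl_key(line):
    """Key of an ssl.* setting on this line, active or commented out, else None."""
    stripped = line.strip().lstrip("#").strip()
    key = stripped.split("=", 1)[0].strip() if "=" in stripped else None
    return key if key in SSL_SETTINGS else None


def enable_fips(text):
    """Return java.security text with the FIPS providers first and ssl.* defaults set.
    Existing providers are renumbered by +2; FIPS entries already present are dropped
    first, so running this on its own output yields the same output."""
    kept, providers, insert_at = [], [], None
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            if insert_at is None:
                insert_at = len(kept)  # the rebuilt provider block goes where the old one was
            if m.group(2) not in FIPS_PROVIDERS:
                providers.append((int(m.group(1)), m.group(2)))
            continue
        kept.append(line)
    if insert_at is None:
        raise ValueError("no security.provider.N entries found; is this java.security?")
    ordered = list(FIPS_PROVIDERS) + [name for _, name in sorted(providers)]
    kept[insert_at:insert_at] = [
        "security.provider.%d=%s" % (i, name) for i, name in enumerate(ordered, 1)
    ]
    # Set ssl.* defaults in place (uncommenting if needed); append any that are absent.
    seen = set()
    for i, line in enumerate(kept):
        key = _ssl_key(line)
        if key:
            kept[i] = "%s=%s" % (key, SSL_SETTINGS[key])
            seen.add(key)
    kept.extend("%s=%s" % (k, v) for k, v in SSL_SETTINGS.items() if k not in seen)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python enable_fips.py %NCHOME%\platform\win32\jre_1.6.7\jre\lib\security\java.security
    # A .bak copy of the original is written first. With no argument, the constructed SAMPLE is shown.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            original = f.read()
        with open(sys.argv[1] + ".bak", "w") as f:
            f.write(original)
        with open(sys.argv[1], "w") as f:
            f.write(enable_fips(original))
    else:
        sys.stdout.write(enable_fips(SAMPLE))
```

After running it, check the result with provider_order(): the first two entries must be the FIPS JSSE and JCE providers and no index may repeat. Note that the script only changes the file; the JRE reads java.security at startup, so the Netcool/OMNIbus processes using this JRE must be restarted for the change to take effect.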
Enhanced encryption algorithms
To enable strong encryption, you need to download and install policy files that allow this feature, from IBM® developerWorks®. This involves acceptance of licensing terms.
The steps to enable strong encryption are as follows:
- Go to the developerWorks Java™ Technology Security Web page at http://www-106.ibm.com/developerworks/java/jdk/security/.
- Click the Java SE 6 link. (The files are the same for JRE 1.5.n.)
- Scroll down on the resulting page and click the IBM SDK Policy files link.
- If you already have an IBM ID and password, click the Sign in link. Otherwise, click the Register here link to create an ID.
- On the "Sign in" page, supply your IBM ID and password. This takes you to the "Unrestricted JCE policy files for SDK 1.4" page.
- Select Unrestricted JCE Policy files for SDK for all newer versions and click Continue.
- Scroll down to the License section of the resulting page and click the View license link to see the licensing terms for the download.
- If the licensing terms are acceptable, select I agree and click the I confirm link. If the terms are not acceptable, you will not be able to enable strong encryption and should click I cancel.
- Click the Download now link to download the unrestricted.zip file.
- Extract the local_policy.jar and US_export_policy.jar files from the unrestricted.zip archive.
- Back up the existing local_policy.jar and US_export_policy.jar files, then save the two extracted files to the %NCHOME%\platform\win32\jre_1.6.7\jre\lib\security directory, replacing the existing files of the same names.
- Update the policy files on each computer, and optionally run tests.
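A restricted and an unrestricted policy jar have the same file names, so a copy that silently failed (wrong directory, a different JRE on the path, a stale file restored from backup) is easy to miss. The following script is an added example, not part of the product or of IBM's policy download: it opens the two jars from a lib\security directory and reports whether each grants unrestricted strength. It assumes, as is the case for JCE policy jars, that local_policy.jar carries a default_local.policy entry and US_export_policy.jar a default_US_export.policy entry in Java policy syntax, and that the unrestricted versions grant javax.crypto.CryptoAllPermission. The RESTRICTED_LOCAL and UNRESTRICTED texts are constructed samples in that shape, not copies of IBM's files.

```python
"""Report whether the JCE policy jars in a JRE lib/security directory are the unrestricted ones."""
import io
import os
import re
import zipfile

# Assumption: each policy jar holds one Java policy file under this entry name,
# and the unrestricted jars grant javax.crypto.CryptoAllPermission.
POLICY_ENTRIES = {
    "local_policy.jar": "default_local.policy",
    "US_export_policy.jar": "default_US_export.policy",
}


def is_unrestricted(policy_text):
    """True if the policy grants CryptoAllPermission outside of comments."""
    body = re.sub(r"//[^\n]*", "", policy_text)
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)
    return bool(re.search(r"permission\s+javax\.crypto\.CryptoAllPermission\s*;", body))


def classify_jar(jar, entry):
    """jar is a path or a file-like object; returns 'unrestricted', 'restricted' or an error string."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read(entry).decode("utf-8", "replace")
    except KeyError:
        return "no %s entry" % entry
    except zipfile.BadZipFile:
        return "not a jar"
    return "unrestricted" if is_unrestricted(text) else "restricted"


def check_jars(jars):
    """jars maps jar file name -> path or file-like object; absent jars are reported as missing."""
    return {
        name: (classify_jar(jars[name], entry) if name in jars else "missing")
        for name, entry in POLICY_ENTRIES.items()
    }


def check_security_dir(security_dir):
    """Check the two policy jars in a real lib\\security directory."""
    present = {
        name: os.path.join(security_dir, name)
        for name in POLICY_ENTRIES
        if os.path.exists(os.path.join(security_dir, name))
    }
    return check_jars(present)


def make_jar(entry, policy_text):
    """Build an in-memory jar holding one policy entry (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry, policy_text)
    buf.seek(0)
    return buf


# Constructed policy texts in the shape of the shipped files; not copied from IBM's jars.
RESTRICTED_LOCAL = """\
// Constructed sample of a restricted local policy.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;
};
"""

UNRESTRICTED = """\
// Constructed sample of an unrestricted policy.
grant {
    permission javax.crypto.CryptoAllPermission;
};
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_policy.py %NCHOME%\platform\win32\jre_1.6.7\jre\lib\security
        results = check_security_dir(sys.argv[1])
    else:
        # No argument: demonstrate on the constructed jars.
        results = check_jars({
            "local_policy.jar": make_jar("default_local.policy", RESTRICTED_LOCAL),
            "US_export_policy.jar": make_jar("default_US_export.policy", UNRESTRICTED),
        })
    for name, status in results.items():
        print("%-22s %s" % (name, status))
```

Both jars must report unrestricted; if either is restricted or missing, the JRE still caps symmetric key sizes and the strong ciphers will not be available, regardless of the provider order set in java.security. Run the check against the lib\security directory of the JRE that the Netcool/OMNIbus processes actually launch with, on every computer where the files were updated.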