Running IBMJSSE2 in FIPS mode

You can enable the IBMJSSE2 provider to run in FIPS mode.

Support for the FIPS 140-2 standard

To meet the requirements specified in FIPS publication 140-2, the cryptographic algorithms used by the IBMJSSE2 provider are isolated into the IBMJCEFIPS provider cryptographic module or, from service refresh 5 fix pack 10, the IBMJCEPlusFIPS provider cryptographic module. When in FIPS mode, the IBMJSSE2 provider uses the cryptographic modules in an approved manner, and therefore IBMJSSE2 complies with the FIPS 140-2 requirements when properly configured. Because cryptographic functionality is performed by IBMJCEFIPS (or, from service refresh 5 fix pack 10, IBMJCEPlusFIPS), JSSE changes that affect only the IBMJSSE2 provider, and not the cryptography, do not require a new certification.

For more information about the IBMJCEFIPS provider, see IBMJCEFIPS provider. For more information about the IBMJCEPlusFIPS provider (service refresh 5 fix pack 10 and later), see IBMJCEPlus and IBMJCEPlusFIPS providers.

Enabling FIPS mode

You enable FIPS mode by setting properties and updating the java.security file. You do not need to make changes to the application to support IBMJSSE2 running in FIPS mode.

Note that a single JVM cannot be in FIPS mode and run non-FIPS mode JSSE applications at the same time. Also note that using IBMJSSE2 in FIPS mode together with IBMJSSE2 hardware cryptography is not supported.

  1. Set the following system property to enable FIPS mode in the IBMJSSE2 provider:
    com.ibm.jsse2.usefipsprovider=true
    The default value for this property is false, which specifies that IBMJSSE2 does not run in FIPS mode. For information about setting system properties, see How to Specify a java.lang.system Property.
    Note: You can use the FIPS 140-2 standard in addition to the SP800-131a and Suite B standards. Therefore, the com.ibm.jsse2.usefipsprovider system property only enables IBMJSSE2 to run using the IBMJCEFIPS provider. The property does not verify that you are using the correct protocol or cipher suites that are required for FIPS 140-2 compliance. You are responsible for this verification.
  2. From service refresh 5 fix pack 10, set the following system property to specify the JCE FIPS provider that you want to use:
    com.ibm.jsse2.usefipsProviderName=<provider_name>
    where <provider_name> is either IBMJCEFIPS or IBMJCEPlusFIPS. The default is IBMJCEFIPS.
  3. Set the following security properties to ensure that the IBMJSSE2 Provider is used to handle all JSSE requests. For information about setting security properties, see How to Specify a java.security.Security Property.
    • ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    • ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
  4. Add the JCE FIPS provider that you want to use to the provider list in the JAVA_HOME/jre/lib/security/java.security file before any other cryptographic provider (com.ibm.crypto.*), using the following strings:
    • IBMJCEPlusFIPS (from service refresh 5 fix pack 10): com.ibm.crypto.plus.provider.IBMJCEPlusFIPS. From service refresh 6, fix pack 25, this provider is already in the list so you need only to move it.
    • IBMJCEFIPS: com.ibm.crypto.fips.provider.IBMJCEFIPS.
    Do not remove the IBMJCE provider because it is still required for KeyStore support.
    For example:
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    …
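
The following added example (not IBM code) audits the text of a java.security file against steps 3 and 4: both socket factory properties are set, a JCE FIPS provider precedes every other com.ibm.crypto.* provider, and IBMJCE is still present. The function name audit_java_security and the sample input are constructed for illustration; the check assumes plain key=value lines and does not cover the system properties from steps 1 and 2 or the protocol and cipher suite verification.

```python
import re

# Class names and property values are the ones listed in steps 3 and 4.
FIPS_PROVIDERS = {"com.ibm.crypto.fips.provider.IBMJCEFIPS",
                  "com.ibm.crypto.plus.provider.IBMJCEPlusFIPS"}
IBMJCE = "com.ibm.crypto.provider.IBMJCE"
REQUIRED = {
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}

def audit_java_security(text):
    """Return findings for java.security content; an empty list means none found."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):  # assumes key=value syntax
            props[key.strip()] = value.strip()
    findings = [f"{key} is {props.get(key)!r}, expected {want}"
                for key, want in REQUIRED.items() if props.get(key) != want]
    # Rebuild the provider list in index order; keep only the class name.
    numbered = []
    for key, value in props.items():
        m = re.fullmatch(r"security\.provider\.(\d+)", key)
        if m and value:
            numbered.append((int(m.group(1)), value.split()[0]))
    classes = [cls for _, cls in sorted(numbered)]
    crypto = [c for c in classes if c.startswith("com.ibm.crypto.")]
    if not FIPS_PROVIDERS.intersection(classes):
        findings.append("no JCE FIPS provider in the provider list")
    elif crypto[0] not in FIPS_PROVIDERS:
        findings.append(f"{crypto[0]} is listed before the JCE FIPS provider")
    if IBMJCE not in classes:
        findings.append("IBMJCE is missing; it is still required for KeyStore support")
    return findings

# Constructed sample input: the page's example list plus the step 3 properties.
SAMPLE_OK = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
"""

if __name__ == "__main__":
    print(audit_java_security(SAMPLE_OK) or "no findings")
```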

Deprecated system property

In releases before version 7 service refresh 1, you used the com.ibm.jsse2.JSSEFIPS system property to enable IBMJSSE2 to run in FIPS mode. This property was deprecated in version 7 service refresh 1. This system property does not support the TLS 1.1 or 1.2 protocols, or the elliptic curve, AES-GCM, or other new cipher suites that were added in version 7 service refresh 1. This system property also does not support SP800-131a or Suite B compliance; the property exists only for compatibility reasons.

If you must continue to use this system property, the following restrictions apply:
  • The SSL protocol must be TLS 1.0. The SSLv3 protocol is not allowed when in FIPS mode. If the client or the server requests a handshake using the SSLv3 protocol while in FIPS mode, the handshake fails.
  • Only the following cipher suites are allowed:
    • SSL_RSA_WITH_AES_128_CBC_SHA
    • SSL_RSA_WITH_AES_256_CBC_SHA **
    • SSL_RSA_WITH_3DES_EDE_CBC_SHA
    • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    • SSL_DHE_RSA_WITH_AES_128_CBC_SHA
    • SSL_DHE_RSA_WITH_AES_256_CBC_SHA **
    • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    • SSL_DHE_DSS_WITH_AES_128_CBC_SHA
    • SSL_DHE_DSS_WITH_AES_256_CBC_SHA **
    • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • SSL_DH_anon_WITH_AES_128_CBC_SHA
    • SSL_DH_anon_WITH_AES_256_CBC_SHA **
    • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    ** Requires installation of the JCE Unlimited Strength Jurisdiction Policy Files.