Running IBMJSSE2 in FIPS mode
You can enable the IBMJSSE2 provider to run in FIPS mode.
Support for the FIPS 140-2 standard
In order to meet the requirements specified in the FIPS publication 140-2, the cryptographic algorithms used by the IBMJSSE2 Provider are isolated into the IBMJCEFIPS or IBMJCEPlusFIPS provider cryptographic module. When in FIPS mode, the IBMJSSE2 Provider uses the cryptographic modules in an approved manner, and therefore IBMJSSE2 complies with the FIPS 140-2 requirements when properly configured. Since cryptographic functionality is performed by IBMJCEFIPS or IBMJCEPlusFIPS, JSSE changes that affect the IBMJSSE2 provider only, and not the cryptography, do not require a new certification.
For more information about the IBMJCEFIPS provider, see IBMJCEFIPS provider. For more information about the IBMJCEPlusFIPS provider, see IBMJCEPlus and IBMJCEPlusFIPS providers.
Enabling FIPS mode
You enable FIPS mode by setting properties and updating the java.security
file. You do not need to make changes to the application to support IBMJSSE2
running in FIPS mode.
Note that a single JVM cannot be in FIPS mode and have non-FIPS mode JSSE applications running at the same time. Also note that IBMJSSE2 in FIPS mode and IBMJSSE2 using hardware cryptography is not supported.
- Set the following system property to enable FIPS mode in the IBMJSSE2 provider:
    com.ibm.jsse2.usefipsprovider=true
  The default value for this property is false, which specifies that IBMJSSE2 does not run in FIPS mode. For information about setting system properties, see How to Specify a java.lang.system Property.
  Note: You can use the FIPS 140-2 standard in addition to the SP800-131a and Suite B standards. Therefore, the com.ibm.jsse2.usefipsprovider system property only enables IBMJSSE2 to run using the IBMJCEFIPS provider. The property does not verify that you are using the correct protocol or cipher suites that are required for FIPS 140-2 compliance. You are responsible for this verification.
- Set the following system property to specify the JCE FIPS provider that you want to use:
    com.ibm.jsse2.usefipsProviderName=<provider_name>
  where <provider_name> is either IBMJCEFIPS or IBMJCEPlusFIPS. The default is IBMJCEFIPS.
- Set the following security properties to ensure that the IBMJSSE2 Provider is used to handle all JSSE requests. For information about setting security properties, see How to Specify a java.security.Security Property.
    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
- Add the JCE FIPS provider that you want to use to the provider list in the JAVA_HOME/jre/lib/security/java.security file before any other cryptographic provider (com.ibm.crypto.*), using the following strings:
  - IBMJCEPlusFIPS: com.ibm.crypto.plus.provider.IBMJCEPlusFIPS. From service refresh 6, fix pack 25, this provider is already in the list so you need only to move it.
  - IBMJCEFIPS: com.ibm.crypto.fips.provider.IBMJCEFIPS.
  For example:
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    …
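The following is an added example, not IBM's code: a small Python audit that checks a java.security file against the security-property and provider-order steps above. The function names and the sample file contents are assumptions; it does not check the two system properties, which are set outside this file, or the protocol and cipher suite selection.

```python
import re

# Class names and property keys are from the page; function names are illustrative.
FIPS_PROVIDERS = {
    "IBMJCEFIPS": "com.ibm.crypto.fips.provider.IBMJCEFIPS",
    "IBMJCEPlusFIPS": "com.ibm.crypto.plus.provider.IBMJCEPlusFIPS",
}
REQUIRED_PROPS = {
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}
# Constructed sample: the page's example provider list plus the two ssl.* properties.
SAMPLE_OK = """\
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_java_security(text, provider_name="IBMJCEFIPS"):
    """Return a list of findings; an empty list means the file matches the steps."""
    props = parse_properties(text)
    findings = [f"{key} is {props.get(key)!r}, expected {want}"
                for key, want in REQUIRED_PROPS.items() if props.get(key) != want]
    # Order providers by the numeric suffix of security.provider.N, not by text.
    ordered = sorted((int(m.group(1)), v.split()[0]) for k, v in props.items()
                     if (m := re.fullmatch(r"security\.provider\.(\d+)", k)) and v)
    classes = [cls for _, cls in ordered]
    fips_cls = FIPS_PROVIDERS[provider_name]
    if fips_cls not in classes:
        return findings + [f"{fips_cls} is not in the provider list"]
    before = classes[:classes.index(fips_cls)]
    findings += [f"{cls} is listed before {fips_cls}"
                 for cls in before if cls.startswith("com.ibm.crypto.")]
    return findings

if __name__ == "__main__":
    print(audit_java_security(SAMPLE_OK, "IBMJCEPlusFIPS") or "no findings")
```

Pass the provider name that matches the value of com.ibm.jsse2.usefipsProviderName; the default argument mirrors the documented default, IBMJCEFIPS.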
Deprecated system property
In releases before version 7 service refresh 1, you used the com.ibm.jsse2.JSSEFIPS system property to enable IBMJSSE2 to run in FIPS mode. This property was deprecated in version 7 service refresh 1. This system property does not support the TLS 1.1 or 1.2 protocols, or the elliptic curve, AES-GCM, or other new cipher suites that were added in version 7 service refresh 1. This system property also does not support SP800-131a or Suite B compliance; the property exists only for compatibility reasons.
- The SSL protocol must be TLS 1.0. The SSLv3 protocol is not allowed when in FIPS mode. If the client or the server has requested to handshake using the SSLv3 protocol while in FIPS mode, the handshake will fail.
- Only the following cipher suites are allowed:
- SSL_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_AES_256_CBC_SHA **
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_RSA_WITH_AES_128_CBC_SHA
- SSL_DHE_RSA_WITH_AES_256_CBC_SHA **
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_DSS_WITH_AES_128_CBC_SHA
- SSL_DHE_DSS_WITH_AES_256_CBC_SHA **
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_WITH_AES_128_CBC_SHA
- SSL_DH_anon_WITH_AES_256_CBC_SHA **
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA