Configuring the server to achieve FIPS compliance

You can ensure compliance with the FIPS 140-2 standard by modifying the configuration properties of the underlying application server.

About this task

Important: After upgrading a BigFix Inventory server version 10.0.4 or higher with the FIPS function enabled, ensure that the java.security file lists RSAPSS and RSASSA-PSS in jdk.tls.disabledAlgorithms.

Procedure

  1. Edit the java.security file in the following directory:
    • <installation_dir>/wlp/usr/servers/server1/ (BigFix Inventory version 10.0.8 or higher)
    • <installation_dir>/jre/jre/lib/security/ (BigFix Inventory version 10.0.7 or lower)
    1. Put com.ibm.crypto.fips.provider.IBMJCEFIPS before IBMJCE in the provider list. Ensure that the list remains correctly numbered.
    2. Add the RSAPSS and RSASSA-PSS algorithms to the jdk.tls.disabledAlgorithms list (BigFix Inventory version 10.0.4 or higher).
      Example: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC, RSAPSS, RSASSA-PSS
  2. Add the -Dcom.ibm.jsse2.usefipsprovider=true property to the jvm.options file. This property makes the Java™ Secure Socket Extension (JSSE2) provider run in FIPS 140-2 mode.
    Note: Your certificates must have a key that is at least 1024 bits long and can be signed with either a DSA or an RSA signature algorithm. You can use the IBM keytool utility to generate a compatible key pair.
  3. To use the TLS protocol, configure secure communication.

    A number of ciphers are supported by FIPS 140-2. The default HTTPS configuration automatically enables the FIPS 140-2 compliant ciphers when JSSE is running in FIPS mode. You can enable specific ciphers by listing them in the enabledCiphers attribute of the SSL service configuration element in the server.xml file.

    Note: The current FIPS library does not support the TLS 1.3 protocol; TLS 1.2 must be used instead. To enforce TLS 1.2, follow the instructions in Security configuration scenarios.
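The following script verifies the edits made in steps 1 and 2 before the server is restarted. It is an added example, not part of the BigFix Inventory documentation or product: it reads a java.security file and a jvm.options file, checks that IBMJCEFIPS precedes IBMJCE in a gap-free provider list, that RSAPSS and RSASSA-PSS appear in jdk.tls.disabledAlgorithms, and that the usefipsprovider property is set. It assumes the standard security.provider.N key format and one option per line in jvm.options; the sample file contents are constructed, and the IBMJCE and IBMJSSEProvider2 class names (other than IBMJCEFIPS, which the procedure names) are assumptions.

```python
"""Check java.security and jvm.options for the FIPS settings in the procedure.

Added example, not product code. File contents below are constructed samples;
pass real file contents to check_fips_config() to verify an installation.
"""
import re
from typing import Dict, List, Tuple

FIPS_JVM_OPTION = "-Dcom.ibm.jsse2.usefipsprovider=true"
REQUIRED_DISABLED = ("RSAPSS", "RSASSA-PSS")

# Constructed sample: what java.security should look like after step 1.
# Class names other than IBMJCEFIPS are assumed for illustration.
SAMPLE_JAVA_SECURITY = """\
# provider list (FIPS provider first)
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    DES_CBC, RSAPSS, RSASSA-PSS
"""

# Constructed sample: jvm.options after step 2.
SAMPLE_JVM_OPTIONS = """\
-Xmx4g
-Dcom.ibm.jsse2.usefipsprovider=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java properties reader: skips '#' comments and joins lines that
    end with a backslash, which long disabledAlgorithms lists often use."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            logical += line[:-1]
            continue
        logical += line
        if "=" in logical:
            key, value = logical.split("=", 1)
            props[key.strip()] = value.strip()
        logical = ""
    return props


def provider_order(props: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (index, class name) for every security.provider.N key, sorted."""
    order = []
    for key, value in props.items():
        m = re.fullmatch(r"security\.provider\.(\d+)", key)
        if m:
            order.append((int(m.group(1)), value))
    return sorted(order)


def check_java_security(text: str) -> List[str]:
    """Return a list of problems found in java.security (empty means OK)."""
    problems: List[str] = []
    props = parse_properties(text)
    providers = provider_order(props)
    indices = [i for i, _ in providers]
    # Step 1.1: the list must be numbered 1..n with no gaps.
    if indices != list(range(1, len(indices) + 1)):
        problems.append(f"provider list is not numbered 1..n: {indices}")
    # Compare providers by simple class name so package prefixes do not matter.
    pos = {cls.rsplit(".", 1)[-1]: i for i, cls in providers}
    if "IBMJCEFIPS" not in pos:
        problems.append("IBMJCEFIPS provider is missing")
    elif "IBMJCE" in pos and pos["IBMJCEFIPS"] > pos["IBMJCE"]:
        problems.append("IBMJCEFIPS must be listed before IBMJCE")
    # Step 1.2: both PSS names must be in the disabled list.
    disabled = [a.strip() for a in props.get("jdk.tls.disabledAlgorithms", "").split(",")]
    for alg in REQUIRED_DISABLED:
        if alg not in disabled:
            problems.append(f"{alg} missing from jdk.tls.disabledAlgorithms")
    return problems


def check_jvm_options(text: str) -> List[str]:
    """Step 2: the FIPS provider switch must be present as its own line."""
    options = {ln.strip() for ln in text.splitlines()
               if ln.strip() and not ln.strip().startswith("#")}
    if FIPS_JVM_OPTION not in options:
        return [f"{FIPS_JVM_OPTION} missing from jvm.options"]
    return []


def check_fips_config(java_security: str, jvm_options: str) -> List[str]:
    """Combined check; an empty list means both files match the procedure."""
    return check_java_security(java_security) + check_jvm_options(jvm_options)


if __name__ == "__main__":
    # Read the real files like this (paths from the procedure, version 10.0.8+):
    #   open("<installation_dir>/wlp/usr/servers/server1/java.security").read()
    for problem in check_fips_config(SAMPLE_JAVA_SECURITY, SAMPLE_JVM_OPTIONS) or ["OK"]:
        print(problem)
```

Run it against the real files after editing them; any non-empty result names the step whose edit is incomplete. Matching providers by simple class name keeps the check robust if the full package prefix of IBMJCE differs between Java releases.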