Configuring the server to achieve FIPS compliance

You can assure compliance with the FIPS 140-2 standard by modifying the configuration properties for the underlying application server.

Procedure

  1. Edit your java.security file that is in the following directory: installation_dir/jre/lib/security/. Put the com.ibm.crypto.fips.provider.IBMJCEFIPS before the IBMJCE one in the provider list. Ensure that the list is correctly numbered.
  2. Add the -Dcom.ibm.jsse2.usefipsprovider=true property to the jvm.options file. The property allows the Java™ Secure Socket Extension (JSSE2) provider to run in FIPS 140-2 mode.
    Note: Your certificates must have a key that is at least 1024 bits long and can be signed with a DSA or RSA signature algorithm. You can use the IBM keytool utility to generate a compatible key pair.
  3. To use the TLS protocol, configure secure communcation.

    A number of ciphers are supported by FIPS 140-2. The default HTTPS configuration automatically enables the FIPS 140-2 compliant ciphers when JSSE is running in FIPS mode. You can enable specific ciphers by listing them in the enabledCiphers attribute of the SSL service configuration element in the server.xml file.