Updating to FIPS 140-2 security standards

Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. Federal Information Processing Standards publication 140-2 (FIPS 140-2) covers the security standards that are required for cryptographic modules. When in FIPS 140-2 mode, IBM WebSphere Commerce, through IBM WebSphere Application Server and IBM HTTP Server, uses the FIPS 140-2 approved cryptographic providers: IBMJCEFIPS (certificate 376) and IBMJSSEFIPS (certificate 409) for cryptography. The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

Before you begin

  • Ensure that you are running on WebSphere Application Server or higher. To upgrade WebSphere Application Server, download the fix at IBM Fix Central.
    Warning: A potential security vulnerability was found in all versions at or below For more information, see CVE-2016-0306.
  • Install WebSphere Commerce Version 8.0.


Enable FIPS 140-2 mode within the WebSphere Application Server for WebSphere Commerce and WebSphere Commerce search.

  1. To enable FIPS 140-2 mode in WebSphere Application Server, follow the instructions in Configuring Federal Information Processing Standard Java Secure Socket Extension files, found within the WebSphere Application Server documentation.

Enable FIPS 140-2 mode for all WebSphere Commerce application web servers and WebSphere Commerce search web servers.

  1. For instructions on enabling FIPS 140-2 mode for your HTTP servers, see your HTTP server documentation.
    For example, for IBM HTTP Server, include the following parameter in your http.conf configuration file, as described in the Apache Module mod_ibm_ssl documentation:
    # Ensure only FIPS 140-2 ciphers are used for https


WebSphere Commerce is now running on a WebSphere Application Server and on HTTP servers that are in FIPS 140-2 mode.