Updating to FIPS 140-2 security standards

Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. Federal Information Processing Standards publication 140-2 (FIPS 140-2) covers the security standards that are required for cryptographic modules. When in FIPS 140-2 mode, HCL Commerce, through IBM WebSphere Application Server and IBM HTTP Server, uses the FIPS 140-2 approved cryptographic providers: IBMJCEFIPS (certificate 376) and IBMJSSEFIPS (certificate 409) for cryptography. The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

Procedure

  1. Enable FIPS 140-2 mode within the WebSphere Application Server that is running in the Transaction server Docker container.
    Follow the instructions in Configuring Federal Information Processing Standard Java Secure Socket Extension files, in the WebSphere Application Server documentation, to enable FIPS 140-2.
    Note: In a runtime development or quality assurance environment, you can access the WebSphere Application Server Administration Console by using the hostname that is running the Transaction Server Docker container. For a production environment, you might want to consider creating custom Run Engine commands to configure the settings into a new Docker image. For more information, see Creating your own Run Engine commands.
  2. Enable FIPS 140-2 mode within WebSphere Application Server Liberty that is running in the Search server Docker container.
    Complete the steps under Steps to configure FIPS 140-2 in the article Configuring SSL for Liberty.

Enable FIPS 140-2 mode for all HCL Commerce application web servers and HCL Commerce search web servers.

  1. For instructions on enabling FIPS 140-2 mode for your HTTP servers, see your HTTP server documentation.
    For example, for IBM HTTP Server, include the following parameter in your httpd.conf configuration file, as described in the Apache Module mod_ibm_ssl documentation:
    
    # Ensure only FIPS 140-2 ciphers are used for https
    SSLFIPSEnable
    
    You can find the file in the Web Server Docker container (projectname_web_1) at /opt/WebSphere/HTTPServer/conf/httpd.conf.
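    As an added example (not part of the HCL Commerce documentation), the following POSIX shell check confirms that SSLFIPSEnable is actually active in an httpd.conf: commented-out lines are ignored and the directive name is matched case-insensitively, as Apache does. The container name and file path are the ones given above; the docker wrapper assumes the docker CLI is available on the host.

    ```shell
    #!/bin/sh
    # Verify that an IBM HTTP Server httpd.conf turns on FIPS 140-2 mode.
    # Returns 0 when SSLFIPSEnable is present and not commented out, 1 otherwise,
    # 2 when the file cannot be read.
    ihs_fips_enabled() {
        conf="$1"
        [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
        # Drop comment lines first, then look for the directive on a line of its own
        # (SSLFIPSEnable takes no arguments; Apache directive names are case-insensitive).
        if grep -v '^[[:space:]]*#' "$conf" | grep -qi '^[[:space:]]*SSLFIPSEnable[[:space:]]*$'; then
            return 0
        fi
        return 1
    }

    # Convenience wrapper: copy httpd.conf out of the Web Server container named on this
    # page and run the check on it (assumes the docker CLI; container name is an argument).
    check_web_container() {
        name="${1:-projectname_web_1}"
        docker exec "$name" cat /opt/WebSphere/HTTPServer/conf/httpd.conf > "/tmp/$name.httpd.conf" \
            && ihs_fips_enabled "/tmp/$name.httpd.conf"
    }

    # Constructed sample configurations for a stand-alone demonstration.
    SAMPLE_ENABLED='LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    # Ensure only FIPS 140-2 ciphers are used for https
    SSLFIPSEnable
    SSLEnable'
    SAMPLE_COMMENTED='LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    #SSLFIPSEnable
    SSLEnable'
    ```

    A commented-out directive is the common mistake this catches: the file contains the string, but the server is not in FIPS mode.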