Configuring FIPS compliance

Configuring FIPS compliance for your network.

About this task

Perform the following configuration steps to prepare the master domain manager and the Dynamic Workload Console for FIPS compliance.

Procedure

  1. On both the master domain manager and the Dynamic Workload Console workstations, perform the following steps:
    1. Configure the IBM® JDK with FIPS enabled on the server. Back up the JavaExt/jre directory, then replace it with <IBM_JDK_PATH>/jre.
    2. Configure batch reports for FIPS. Edit the SDK java.security file, located in <IBM_JDK_PATH>/jre/lib/security/java.security, to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS). IBMJCEFIPS must precede the IBMJCE provider in the provider list.
      1. In the security.provider list, insert IBMJCEFIPS as security.provider.1 and renumber the existing providers so that IBMJCE follows it, as shown here:
        #
        # List of providers and their preference orders (see above):
        #
        security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
        security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
        security.provider.3=com.ibm.crypto.provider.IBMJCE
        security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
        security.provider.5=com.ibm.security.cert.IBMCertPath
        security.provider.6=com.ibm.security.sasl.IBMSASL
        security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
        security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
        security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
        security.provider.10=sun.security.provider.Sun
        security.provider.11=com.ibm.security.cmskeystore.CMSProvider
        
      2. On Red Hat Enterprise Linux® servers, check the securerandom.source property in the java.security file and ensure that its value is specified as follows:
        securerandom.source=file:/dev/./urandom
    3. Configure the Open Liberty jvm.options file, located in <TWA_DATA_DIR>/usr/servers/engineServer/configDropins/overrides/jvm.options on the master domain manager and in <DWC_DATA_DIR>/usr/servers/dwcServer/configDropins/overrides/jvm.options on the Dynamic Workload Console, to enable FIPS by adding the following JVM option (note the leading -D):
      -Dcom.ibm.jsse2.usefipsprovider=true
  2. On the master domain manager workstation, perform the following steps:
    1. Comment out the following properties in the eif.templ file, located in <TWA_DATA_DIR>/stdlist/appserver/engineServer/temp/TWS/EIFListener/eif.templ, so that they read as follows:
      #SSL_ChannelSSLTruststoreAlgorithm=SunX509
      #SSL_ChannelSSLKeystoreAlgorithm=SunX509
    2. To prepare your environment for FIPS, set the following local options in the localopts file on every HCL Workload Automation agent in the network:
      SSL Fips enabled        = yes
      nm SSL port             = 31113
      
      SSL keystore file                    = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
      SSL certificate keystore label       = "client"
      SSL keystore pwd                     = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.sth"
      Set the following local options for the CLI:
      CLI SSL keystore file                 = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
      CLI SSL certificate keystore label    = "client"
      CLI SSL keystore pwd                  = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.sth"
      
      where <TWA_home> is the installation directory of the instance of HCL Workload Automation where the agent is installed.
      Note: On Windows workstations, the SYSTEM user must have read permission on the GSKit FIPS certificate files.

      For more information about setting local options and the localopts file, see Setting local options.

  3. Restart the Open Liberty server on both the master domain manager and the Dynamic Workload Console workstations.
  4. On the dynamic agent workstations, add the following property to the JVMOptions entry in the JobManager.ini file:
    -Dhttps.protocols=TLSv1.2
    The JobManager.ini is located in:
    On UNIX operating systems
    <TWA_DATA_DIR>/ITA/cpa/config/JobManager.ini
    On Windows operating systems
    <TWA_home>\TWS\ITA\cpa\config\JobManager.ini
  5. Restart the agent on each dynamic agent workstation.
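The following POSIX shell script is an added example and is not part of this documentation or of the product. After you complete the procedure, it checks that each file carries the documented setting: the provider order and securerandom.source in java.security, the -Dcom.ibm.jsse2.usefipsprovider option in jvm.options, the commented-out SunX509 lines in eif.templ, the SSL Fips enabled and keystore options in localopts, and the TLSv1.2 option in JobManager.ini. Run without arguments, it builds a constructed sample tree and checks that. The flat directory layout used by run_checks, the /opt/wa path standing in for <TWA_home>, and the JVMOptions line format in the sample JobManager.ini are assumptions of the example; against a real installation, call the individual check functions with the real file paths.

```sh
#!/bin/sh
# Added example (not part of the product documentation): checks that the FIPS
# settings from the procedure above are in place. Each check_* function takes
# one configuration file and returns 0 if it matches the documented setting.
# run_checks assumes a flat directory holding java.security, jvm.options,
# eif.templ, localopts and JobManager.ini side by side; that layout is an
# assumption made for this example, not the product layout.

# Step 1.2: IBMJCEFIPS must come before IBMJCE in the provider list, and
# securerandom.source must be file:/dev/./urandom.
check_java_security() {
  f=$1
  fips=$(sed -n 's/^security\.provider\.\([0-9]*\)=com\.ibm\.crypto\.fips\.provider\.IBMJCEFIPS$/\1/p' "$f")
  jce=$(sed -n 's/^security\.provider\.\([0-9]*\)=com\.ibm\.crypto\.provider\.IBMJCE$/\1/p' "$f")
  [ -n "$fips" ] && [ -n "$jce" ] && [ "$fips" -lt "$jce" ] || return 1
  grep -qx 'securerandom.source=file:/dev/./urandom' "$f"
}

# Step 1.3: the Liberty jvm.options file must enable the FIPS JSSE provider
# (the leading -D is required; without it the line is not a JVM property).
check_jvm_options() {
  grep -qx -e '-Dcom.ibm.jsse2.usefipsprovider=true' "$1"
}

# Step 2.1: neither SunX509 algorithm property may remain active in eif.templ.
check_eif_templ() {
  ! grep -Eq '^[[:space:]]*SSL_ChannelSSL(Truststore|Keystore)Algorithm=' "$1"
}

# Step 2.2: localopts must enable FIPS and name a GSKit .kdb keystore for
# both the agent and the CLI.
check_localopts() {
  grep -Eq '^[[:space:]]*SSL Fips enabled[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" &&
  grep -Eq '^[[:space:]]*SSL keystore file[[:space:]]*=.*\.kdb"?[[:space:]]*$' "$1" &&
  grep -Eq '^[[:space:]]*CLI SSL keystore file[[:space:]]*=.*\.kdb"?[[:space:]]*$' "$1"
}

# Step 4: the dynamic agent JVM must be restricted to TLSv1.2.
check_jobmanager() {
  grep -q -e '-Dhttps.protocols=TLSv1.2' "$1"
}

# Runs every check against the files in DIR, prints PASS/FAIL per file and
# returns the number of failed checks (0 means fully configured).
run_checks() {
  failed=0
  for pair in java.security:check_java_security jvm.options:check_jvm_options \
              eif.templ:check_eif_templ localopts:check_localopts \
              JobManager.ini:check_jobmanager; do
    file=${pair%%:*}; fn=${pair#*:}
    if [ -f "$1/$file" ] && "$fn" "$1/$file"; then
      echo "PASS $file"
    else
      echo "FAIL $file"; failed=$((failed + 1))
    fi
  done
  return $failed
}

# Writes a constructed sample tree (not real product files) that follows the
# procedure, so the checks can be exercised offline. /opt/wa stands in for
# <TWA_home>; the JVMOptions line format in JobManager.ini is assumed.
build_sample_tree() {
  cat > "$1/java.security" <<'EOF'
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
securerandom.source=file:/dev/./urandom
EOF
  printf '%s\n' '-Dcom.ibm.jsse2.usefipsprovider=true' > "$1/jvm.options"
  printf '%s\n' '#SSL_ChannelSSLTruststoreAlgorithm=SunX509' \
                '#SSL_ChannelSSLKeystoreAlgorithm=SunX509' > "$1/eif.templ"
  cat > "$1/localopts" <<'EOF'
SSL Fips enabled        = yes
nm SSL port             = 31113
SSL keystore file                    = "/opt/wa/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
SSL certificate keystore label       = "client"
CLI SSL keystore file                 = "/opt/wa/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
EOF
  printf '%s\n' 'JVMOptions = -Dhttps.protocols=TLSv1.2' > "$1/JobManager.ini"
}

# With a directory argument, check that layout; without one, build and check
# the constructed sample.
main() {
  if [ $# -ge 1 ]; then
    run_checks "$1"
  else
    tmp=$(mktemp -d)
    echo "No directory given; checking a constructed sample tree in $tmp"
    build_sample_tree "$tmp"
    run_checks "$tmp"; rc=$?
    rm -rf "$tmp"
    return $rc
  fi
}
main "$@"
```

The checks are deliberately strict about the exact forms the procedure prescribes (for example, grep -x on the jvm.options line), so a line that is merely similar, such as the option written without its leading -D, is reported as FAIL rather than silently accepted.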