Configuring FIPS compliance
Configuring FIPS compliance for your network.
About this task
Perform the following configuration steps to prepare the master domain manager and the Dynamic Workload Console for FIPS compliance.
Procedure
- On both the master domain manager and the Dynamic Workload Console workstations, perform the following steps:
  - Configure IBM® JDK with FIPS enabled on the server. Create a backup and replace JavaExt/jre with <IBM_JDK_PATH>/jre.
  - Configure batch reports for FIPS. Edit the SDK java.security file in the path <IBM_JDK_PATH>/jre/lib/security/java.security to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS). IBMJCEFIPS must precede the IBMJCE provider in the provider list.
    - In the security.provider list, add the IBMJCEFIPS entry at the top of the list, above the entry containing IBMJCE, and renumber the entries as follows:
      #
      # List of providers and their preference orders (see above):
      #
      security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.3=com.ibm.crypto.provider.IBMJCE
      security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.5=com.ibm.security.cert.IBMCertPath
      security.provider.6=com.ibm.security.sasl.IBMSASL
      security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
      security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=sun.security.provider.Sun
      security.provider.11=com.ibm.security.cmskeystore.CMSProvider
    - On Red Hat Enterprise Linux® servers, check the securerandom.source property in the java.security file and ensure the value is specified as follows:
      securerandom.source=file:/dev/./urandom
  - Configure the WebSphere Application Server Liberty Base jvm.options file, located in <TWA_DATA_DIR>/usr/servers/engineServer/configDropins/overrides/jvm.options on the master and in <DWC_DATA_dir>/usr/servers/dwcServer/configDropins/overrides/jvm.options on the Dynamic Workload Console, to enable FIPS by adding the following line:
    -Dcom.ibm.jsse2.usefipsprovider=true
- On the master domain manager workstation, perform the following steps:
  - Comment out the following properties in the eif.templ file located in the path <TWA_DATA_DIR>/stdlist/appserver/engineServer/temp/TWS/EIFListener/eif.templ, as follows:
    #SSL_ChannelSSLTruststoreAlgorithm=SunX509
    #SSL_ChannelSSLKeystoreAlgorithm=SunX509
  - To prepare your environment for FIPS, set the following local options in the localopts file on every HCL Workload Automation agent in the network:
    SSL Fips enabled = yes
    nm SSL port = 31113
    SSL keystore file = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
    SSL certificate keystore label = "client"
    SSL keystore pwd = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.sth"
    Set the following local options for the CLI:
    CLI SSL keystore file = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
    CLI SSL certificate keystore label = "client"
    CLI SSL keystore pwd = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.sth"
    where <TWA_home> is the installation directory of the instance of HCL Workload Automation where the agent is installed.
    Note: On Windows™ workstations, the SYSTEM user must have read permissions to read the GSKit FIPS certificates.
    For more information about setting local options and the localopts file, see Setting local options.
- Restart the server on both the master domain manager and the Dynamic Workload Console workstation.
- On the dynamic agent workstations, add the following property to the JVMOptions in the JobManager.ini file:
  -Dhttps.protocols=TLSv1.2
  The JobManager.ini file is located in:
  On UNIX™ operating systems
  - <TWA_DATA_DIR>/ITA/cpa/config/JobManager.ini
  On Windows™ operating systems
  - <TWA_home>\TWS\ITA\cpa\config\JobManager.ini
- Restart the agent workstation.
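The following is an added example, not code from HCL Workload Automation or its documentation. It is a Python script that checks the settings edited in the steps above (the java.security provider order and securerandom.source value, the jvm.options flag, the commented-out eif.templ algorithm properties, and the localopts keystore options) before the servers and agents are restarted, and that can rewrite a java.security provider list to place IBMJCEFIPS first and renumber the remaining providers. The file contents, the /opt/wa path and the function names are constructed assumptions; in practice read the real files from the paths given in the procedure and pass their contents to the check functions.

```python
# Added example (not HCL/IBM code): pre-restart sanity checks for the FIPS settings
# this procedure edits. All file contents are constructed samples; /opt/wa is a placeholder.
import re

FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
JCE_PROVIDER = "com.ibm.crypto.provider.IBMJCE"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

def provider_order(java_security: str) -> list:
    """Provider class names in preference order (by security.provider.N index)."""
    entries = {}
    for line in java_security.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    return [entries[i] for i in sorted(entries)]

def insert_fips_provider(java_security: str) -> str:
    """Put IBMJCEFIPS at position 1 and renumber the rest; other lines are kept."""
    rest = [p for p in provider_order(java_security) if p != FIPS_PROVIDER]
    providers = [FIPS_PROVIDER] + rest
    out, emitted = [], False
    for line in java_security.splitlines():
        if PROVIDER_RE.match(line):
            if not emitted:  # rewrite the whole block where its first entry was
                out += [f"security.provider.{i}={p}" for i, p in enumerate(providers, 1)]
                emitted = True
            continue
        out.append(line)
    return "\n".join(out) + "\n"

def _prop(text: str, key: str):
    """Value of an active 'key = value' line; None if absent or commented out with #."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else None

def check_java_security(text: str) -> list:
    problems, order = [], provider_order(text)
    if FIPS_PROVIDER not in order:
        problems.append("java.security: IBMJCEFIPS provider is not listed")
    elif JCE_PROVIDER in order and order.index(FIPS_PROVIDER) > order.index(JCE_PROVIDER):
        problems.append("java.security: IBMJCEFIPS must precede IBMJCE")
    if _prop(text, "securerandom.source") != "file:/dev/./urandom":
        problems.append("java.security: securerandom.source is not file:/dev/./urandom")
    return problems

def check_jvm_options(text: str) -> list:
    # jvm.options takes one JVM argument per line, leading -D included.
    if re.search(r"^-Dcom\.ibm\.jsse2\.usefipsprovider=true\s*$", text, re.M):
        return []
    return ["jvm.options: -Dcom.ibm.jsse2.usefipsprovider=true is missing"]

def check_eif_templ(text: str) -> list:
    # Both SunX509 algorithm properties must be commented out (or absent).
    keys = ("SSL_ChannelSSLTruststoreAlgorithm", "SSL_ChannelSSLKeystoreAlgorithm")
    return [f"eif.templ: {k} is still active" for k in keys if _prop(text, k) is not None]

def check_localopts(text: str) -> list:
    problems = []
    if (_prop(text, "SSL Fips enabled") or "").lower() != "yes":
        problems.append("localopts: SSL Fips enabled must be yes")
    for prefix in ("", "CLI "):  # agent options and their CLI counterparts
        ks = (_prop(text, prefix + "SSL keystore file") or "").strip('"')
        pwd = (_prop(text, prefix + "SSL keystore pwd") or "").strip('"')
        if not ks.endswith(".kdb"):
            problems.append(f"localopts: {prefix}SSL keystore file must be a GSKit .kdb file")
        if not pwd.endswith(".sth"):
            problems.append(f"localopts: {prefix}SSL keystore pwd must be the .sth stash file")
    return problems

# Constructed "before" java.security: IBMJCE first, FIPS provider absent.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=sun.security.provider.Sun
securerandom.source=file:/dev/./urandom
"""

# Constructed localopts; <TWA_home> replaced by the placeholder /opt/wa.
SAMPLE_LOCALOPTS = """\
SSL Fips enabled = yes
SSL keystore file = "/opt/wa/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
SSL keystore pwd = "/opt/wa/TWS/ssl/GSKit/TWSClientKeyStore.sth"
CLI SSL keystore file = "/opt/wa/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
CLI SSL keystore pwd = "/opt/wa/TWS/ssl/GSKit/TWSClientKeyStore.sth"
"""

if __name__ == "__main__":
    fixed = insert_fips_provider(SAMPLE_JAVA_SECURITY)
    print("before:", check_java_security(SAMPLE_JAVA_SECURITY))
    print("after: ", check_java_security(fixed), check_localopts(SAMPLE_LOCALOPTS))
```

Run against the constructed sample, the "before" check reports that IBMJCEFIPS is not listed; after insert_fips_provider rewrites the block, IBMJCEFIPS is entry 1, IBMJCE moves to entry 2 and the check returns no problems. The checks deliberately treat a line starting with # as absent, which is what makes the eif.templ check and the jvm.options check (which requires the leading -D) useful: a property that was only half-edited shows up as a finding rather than passing silently.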