Configuring compliance for FIPS 140-2 in DWA

You can configure IBM® Engineering Requirements Management DOORS® - Web Access (DWA) to communicate over secure sockets in compliance with Federal Information Processing Standard (FIPS) 140-2 Level 1. That standard defines the security requirements that must be satisfied by a cryptographic module that is used in a security system to protect unclassified information in IT systems.

About this task

DWA uses the IBMJSSE2 provider as the Java™ Secure Socket Extension (JSSE) provider. IBMJSSE2 does not need FIPS 140-2 approval because it delegates encryption and signature functions to a Java Cryptography Extension (JCE) provider. DWA uses the IBMJCEFIPS provider to encrypt data. IBMJCEFIPS is approved for FIPS 140-2.

Configuring DWA to use the IBMJCEFIPS provider involves these steps:
  • Edit the IBM SDK java.security file so that the FIPS-approved IBMJSSEFIPS and IBMJCEFIPS providers are listed ahead of the standard IBMJSSE2 and IBMJCE providers.
  • Edit the Apache Tomcat startup script file to set the system property that makes IBMJSSE2 use the FIPS-approved provider.
  • Edit the Apache Tomcat server configuration file to restrict HTTPS communication to protocols and cipher suites that are supported by FIPS 140-2.

Procedure

  1. Open the java.security file in an editor. That file is in the lib\security directory of the JRE that is bundled with DWA for your operating system; for example,
    <DOORSWebAccess_install_dir>\version\win32\jre\lib\security
  2. In the file, add these entries at the top of the list of providers:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
  3. Renumber the existing providers so that the numbers run consecutively from 1 with no gaps and no duplicate numbers. The JDK reads security.provider.1, security.provider.2, and so on, and stops at the first number that is missing, so every provider after a gap is silently ignored; a duplicate number causes the later entry to replace the earlier one. The list then reads:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=org.apache.harmony.security.provider.PolicyProvider
    security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  4. Save and close the file.
  5. Open the Apache Tomcat startup script file in an editor.
    • On Windows systems, the server.start.bat script file is in the DWA installation directory; for example,
      <DOORSWebAccess_install_dir>\version
      Near the bottom of the file, before the cd %CATALINA_HOME%\bin entry, add the set JAVA_OPTS entry for the com.ibm.jsse2.usefipsprovider parameter:
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true 
      
      cd %CATALINA_HOME%\bin
      call ".\startup.bat"
    • On Linux systems, the server.start.sh script file is in the DWA installation directory. Before the export JAVA_OPTS entry, add the JAVA_OPTS entry for the com.ibm.jsse2.usefipsprovider parameter:
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
      
      export JAVA_OPTS
  6. Save and close the file.
  7. Open the Apache Tomcat server.xml file in an editor. That file is in the DWA installation in the server/conf directory; for example,
    <DOORSWebAccess_install_dir>\version\server\conf
  8. In the HTTPS connector section, which is described in Configuring DWA to use SSL or TLS, set the sslProtocol value so that the connector negotiates TLS rather than SSL; for example:
    sslProtocol="TLS"
    This value selects the SSLContext that the connector uses; the server and each client then negotiate the highest TLS version that both of them support. The attribute does not by itself pin a single TLS version. If the Tomcat release that is shipped with your DWA installation supports the sslEnabledProtocols attribute, set that as well to exclude specific versions; for example, sslEnabledProtocols="TLSv1.2".
  9. Set the cipher suites to further restrict what the server will accept; for example:
    ciphers="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
        SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
    Tomcat splits the value on commas and trims the surrounding whitespace, so the line breaks in the example are acceptable. A suite that is not in the list is refused even if the provider supports it, and if you omit the ciphers attribute entirely the server accepts every suite that the provider enables by default, so list only suites that you can confirm are FIPS-approved. FIPS approval is not the same as strength: the 3DES suites in the example are approved but are weaker than the AES suites and have since been deprecated by NIST, so remove them if all of your clients can negotiate AES. For a list of supported cipher suites, see "IBM JSSE FIPS Cipher Suites" in the Related information.
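The following checker is an added example and is not part of the DWA documentation or the product; it verifies the three edits in the procedure (provider order and numbering in java.security, the JAVA_OPTS flag in the startup script, and the HTTPS connector in server.xml) on file contents passed in as strings. The java.security, startup-script and server.xml fragments embedded in it are constructed for the example, and its cipher allowlist is the list from step 9, not an exhaustive list of what the IBM FIPS provider supports.

```python
"""Added example: sanity checks for the DWA FIPS 140-2 edits (constructed samples)."""
import re
import xml.etree.ElementTree as ET

# Providers the procedure places at positions 1 and 2 of java.security.
FIPS_PROVIDERS = [
    "com.ibm.fips.jsse.IBMJSSEFIPSProvider",
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
]
# System property the startup script must pass to the JVM.
FIPS_PROPERTY = "-Dcom.ibm.jsse2.usefipsprovider=true"
# Cipher suites from the procedure's server.xml example; anything else is flagged.
FIPS_CIPHERS = {
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")
JAVA_OPTS_RE = re.compile(r"^\s*(set\s+)?JAVA_OPTS\s*=", re.IGNORECASE)


def parse_providers(text):
    """Map provider index -> class. Like java.util.Properties, a later line
    with the same index overrides an earlier one."""
    providers = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers


def check_java_security(text):
    """Return a list of findings for java.security (empty means OK)."""
    providers = parse_providers(text)
    findings = []
    # The JDK loads security.provider.1, .2, ... and stops at the first
    # missing index, so a numbering gap silently drops everything after it.
    if providers and set(providers) != set(range(1, max(providers) + 1)):
        findings.append("provider numbering is not contiguous from 1")
    for index, cls in enumerate(FIPS_PROVIDERS, start=1):
        if providers.get(index) != cls:
            findings.append(f"security.provider.{index} must be {cls}")
    return findings


def check_startup_script(text):
    """Return findings for server.start.bat or server.start.sh content."""
    for line in text.splitlines():
        if JAVA_OPTS_RE.match(line) and FIPS_PROPERTY in line:
            return []
    return [f"no JAVA_OPTS assignment contains {FIPS_PROPERTY}"]


def check_server_xml(text):
    """Return findings for every SSL-enabled Connector in server.xml."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port", "?")
        if conn.get("sslProtocol") != "TLS":
            findings.append(f"connector {port}: sslProtocol should be TLS")
        # Line breaks inside the attribute value become spaces, so split on commas.
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        if not ciphers:
            findings.append(f"connector {port}: no ciphers restriction")
        findings += [f"connector {port}: non-FIPS cipher suite {c}"
                     for c in ciphers if c not in FIPS_CIPHERS]
    return findings


# Constructed samples for this example (not real DWA files).
GOOD_JAVA_SECURITY = """\
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""
# FIPS entries added but the old providers never renumbered: the later
# lines override the FIPS ones, so the JVM never sees them.
UNRENUMBERED_JAVA_SECURITY = """\
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
"""
GOOD_SH = 'JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"\nexport JAVA_OPTS\n'
GOOD_BAT = "set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true\ncd %CATALINA_HOME%\\bin\n"
GOOD_SERVER_XML = """<Server><Service>
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
        SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""
# RC4 is not FIPS-approved, so this connector must be flagged.
BAD_SERVER_XML = GOOD_SERVER_XML.replace("SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                                         "SSL_RSA_WITH_RC4_128_MD5")

if __name__ == "__main__":
    print(check_java_security(UNRENUMBERED_JAVA_SECURITY))
    print(check_server_xml(BAD_SERVER_XML))
```

To run it against a real installation, pass the contents of the three files (read with open(...).read()) to the three check functions. The checker reproduces the JDK's last-wins handling of duplicate property keys so that it reports what the JVM actually loads rather than what the file appears to say; leftover unrenumbered lines and numbering gaps are the mistakes it is designed to catch.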

What to do next

Configure the browser to offer at least the minimum TLS version that the Apache Tomcat server accepts. Microsoft Internet Explorer might not have TLS enabled. To enable TLS, open Internet Explorer and click Tools > Internet Options. On the Advanced tab, select Use TLS version, where version is the minimum client version that the server accepts.

If you use providers that are approved by FIPS 140-2, ensure that the certificates and keystores include supported algorithms. For a list of supported key and signature algorithms, see "The Java FIPS-approved providers, IBMJSSEFIPS and IBMJCEFIPS."