Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Words and Phrases
| Search for | Example | Results |
|---|---|---|
| A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
|
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Using Boolean Operators
| Search for | Operator | Example |
|---|---|---|
|
Two or more words in the same topic |
|
|
| Either word in a topic |
|
|
| Topics that do not contain a specific word or phrase |
|
|
| Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
| A combination of search types | ( ) parentheses |
|
- Configuring FIPS mode in Service Manager
- Download JCE unlimited strength policy files
- Configure Java for FIPS mode
- Generate FIPS validated certificates for the SM Server and other components
- Configure FIPS mode in the Server
- Configure FIPS mode in the Windows Client
- Configure FIPS mode in the Web Tier
- Configure FIPS mode in the Mobility Client
- Configure FIPS mode in Service Request Catalog (SRC)
- Configure FIPS mode in the Solr Search Engine
- Configure FIPS mode in the Chat Server
- Configure FIPS mode in the Chat Service
- Configure FIPS mode in the IdM Service
Configure Java for FIPS mode
To enable Service Manager (SM) to run in FIPS mode, you must configure the JRE instances that the SM components use. The following describes the JRE configurations required for each SM component.
Important Service Manager does not support enabling FIPS mode with OpenJDK. To enable FIPS mode for Service Manager, use Oracle JDK or IBM JDK as needed.
Server
For the Service Manager Server, you only need to install Oracle JRE 8 and update the Oracle JRE to use the unlimited strength JCE policy files appropriate for your specific JRE instance. For detailed instructions, see JRE support and Download JCE unlimited strength policy files.
Windows Client
The Windows Client comes with an embedded JRE (OpenJDK 8). You need to do the following:
- Replace the OpenJDK JRE with Oracle JRE. For details, see JRE support.
- Update the two policy files in the <Service Manager installation path>\Client\jre\lib\security directory with the unlimited strength policy files you have downloaded from Oracle. For detailed instructions, see Download JCE unlimited strength policy files.
Web Tier
The configuration steps vary with the web application server on which the Service Manager Web Tier is deployed.
For Tomcat
If the SM Web Tier is deployed on any of these web application servers, perform the following JRE configuration steps:
-
Copy the CryptoJ jars (cryptojce-x.x.x.jar, cryptojcommon-x.x.x.jar and jcmFIPS-x.x.x.jar) from the Web Tier's \WEB-INF\lib directory to your \jre\lib\ext directory.
Note In the jar file names, the placeholder ("x.xx") represents the version number of the jar files, which may vary with each release.
For example:
From: C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\webtier-9.xx\WEB-INF\lib
To: C:\Program Files\Java\jre1.8.0_65\lib\ext or C:\Program Files\Java\jdk1.8.0_65\jre\lib\ext
- Modify the jre/lib/security/java.security file as described in the following steps:
Configure the JsafeJCE provider by updating and rearranging the list of the providers as shown in the following (where changes are highlighted in bold).
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider JsafeJCE
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=sun.security.mscapi.SunMSCAPI
Configure Crypto-J for FIPS 140-2 compliant operations by adding the following lines (for example, you can add them to the end of the file):
com.rsa.cryptoj.fips140initialmode=FIPS140_SSL_MODE com.rsa.cryptoj.kat.strategy=on.load
Configure a FIPS validated random number generation algorithm as the default one for Crypto-J, by adding the following line (for example, you can add it to the end of the file):
com.rsa.crypto.default.random=HMACDRBG256
Note Crypto-J uses HMACDRBG256 as the default random algorithm when no other random number generation algorithm is specified. If required, you can change this value to another valid value, for example, HMACDRBG192.
Update the keystore.type property to PKCS12 as follows:
keystore.type=PKCS12
- Replace the policy files in the jre\lib\security folder with the JCE Unlimited Strength Jurisdiction Policy Files. For detailed instructions, see Download JCE unlimited strength policy files.
For WebSphere Application Server
Caution Before you proceed, check that your are using WebSphere version 8.5 (8.5.5.2 or a higher) and IBM JDK 7.1 (7.1.3.10 or higher). If you are using an earlier version of WebSphere or JRE, you must upgrade to a supported version; otherwise, FIPS compliant random number generation algorithms will not be supported.
Note If the SM Web Tier is deployed on WebSphere Application Server (WAS), you need to run WAS in FIPS mode. In addition to JRE configuration steps, you also need to enable FIPS 140-2 in the WAS administration console and configure FIPS mode in the ssl.client.props file. To do this, complete the following tasks.
Task 1: Configure WAS JRE for FIPS mode
If the SM Web Tier is deployed on WebSphere Application Server, perform the following JRE configuration steps:
-
Configure the FIPS provider in the java.security file.
WebSphere Application Server provides a FIPS-validated provider named IBMJCEFIPS. Use this provider when enabling FIPS mode in WebSphere Application Server. To do this, edit the java.security file in [WAS_HOME]\ java\jre\lib\security to include IBMJCEFIPS as the FIPS provider. In this example, we are considering the use of IBM SoftwareDevelopment Kit (SDK).
-
Include the FIPS provider in the list of providers:
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS -
Rearrange the rest of the providers in the list as shown in the following:
# # List of providers and their preference orders (see above): # security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.2=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.jsse2.IBMJSSEProvider2 security.provider.5=com.ibm.security.jgss.IBMJGSSProvider security.provider.6=com.ibm.security.cert.IBMCertPath security.provider.7=com.ibm.security.cmskeystore.CMSProvider security.provider.8=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=com.ibm.security.sasl.IBMSASL security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider security.provider.12=org.apache.harmony.security.provider.PolicyProvider
-
-
Replace the policy files in the jre\lib\security folder with the JCE Unlimited Strength Jurisdiction Policy Files. For detailed instructions, see Download JCE unlimited strength policy files.
Task 2: Configure FIPS mode in WAS
To run WebSphere Application Server (WAS) in FIPS mode, you must continue to perform the following additional configuration steps in WAS:
- Enable FIPS through the WebSphere Application Server administrative console.
- Go to Security > SSL Certificate and Key Management > Manage FIPS.
- Select Enable FIPS 140-2, and click Apply.
- In the next view, click Save.
- Configure FIPS properties in the ssl.client.props file. To do this, edit the ssl.client.props file in the [WAS_HOME]\ profiles\AppSrv01\properties folder. In this example, we use AppSrv01 as the WebSphere profile.
Change the com.ibm.security.useFIPS property from false to true:
com.ibm.security.useFIPS=true
Ensure that the com.ibm.ssl.protocol property is set to
TLS. To do this, change the com.ibm.ssl.protocol property from SSL_TLS to TLS:com.ibm.ssl.protocol=TLS
- Restart WebSphere Application Server.
Service Request Catalog (SRC)
SRC must be deployed on Tomcat. You need to configure the JRE used by SRC's Tomcat for FIPS mode. The steps are the same as those for the SM Web Tier. For details, see the steps for Tomcat in the Web Tier section.
Note The three CryptoJ jars (cryptojce-x.x.x.jar, cryptojcommon-x.x.x.jar and jcmFIPS-x.x.x.jar) are located in the \WEB-INF\lib folder of the SRC .war file.
Mobility Client
The Mobility Client can be deployed on either Tomcat or WebSphere. You need to configure the JRE used by the web application server (Tomcat or WebSphere) for FIPS mode. The steps are the same as those for the SM Web Tier. For details, see the steps for Tomcat or WebSphere in the Web Tier section.
Note The three CryptoJ jars (cryptojce-6.2.jar, cryptojcommon-6.2.jar and jcmFIPS-6.2.jar) are located in the \WEB-INF\lib folder of the Mobility Client .war file.
Solr Search Engine
The Solr Search Engine comes with an embedded Tomcat instance. To enable FIPS mode, you need to configure the JRE used by the embedded Tomcat instance. The steps are the same as those for the Web Tier. For details, see the Tomcat part in Web Tier.
Note The Solr Search Engine installation does not include the three CryptoJ jars (cryptojce-6.2.jar, cryptojcommon-6.2.jar and jcmFIPS-6.2.jar). You can copy them from the SM Server's RUN\lib folder.
Openfire Chat Server
To run Service Manager Collaboration in FIPS mode, you must update the 32-bit Oracle JRE 8 that you installed for the Openfire chat server.
To do this, you need to copy the JCE Unlimited Strength Jurisdiction Policy Files to the jre/lib/security/ directory to overwrite the two existing policy files. For detailed instructions, see Download JCE unlimited strength policy files.
Follow these JRE configuration steps:
-
Copy the CryptoJ jars (cryptojce-6.2.jar, cryptojcommon-6.2.jar and jcmFIPS-6.2.jar) from the Web Tier's \WEB-INF\lib directory to your \jre\lib\ext directory. For example:
From: C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\webtier-9.xx\WEB-INF\lib
To: C:\Program Files\Java\jre1.8.0_65\lib\ext or C:\Program Files\Java\jdk1.8.0_65\jre\lib\ext
-
Modify the jre/lib/security/java.security file as described in the following steps:
-
Configure the JsafeJCE provider by updating and rearranging the list of the providers as shown in the following (where changes are highlighted in bold).
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider JsafeJCE
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=sun.security.mscapi.SunMSCAPI
-
Configure Crypto-J for FIPS 140-2 compliant operations by adding the following lines (for example, you can add them to the end of the file):
com.rsa.cryptoj.fips140initialmode=FIPS140_SSL_MODE com.rsa.cryptoj.kat.strategy=on.load
-
Configure a FIPS validated random number generation algorithm as the default one for Crypto-J, by adding the following line (for example, you can add it to the end of the file):
com.rsa.crypto.default.random=HMACDRBG256
Note Crypto-J uses HMACDRBG256 as the default random algorithm when no other random number generation algorithm is specified. If required, you can change this value to another valid value, for example, HMACDRBG192.
-
Update the keystore.type property to PKCS12 as follows:
keystore.type=PKCS12
-
- Replace the policy files in the jre\lib\security folder with the JCE Unlimited Strength Jurisdiction Policy Files. For detailed instructions, see Download JCE unlimited strength policy files.
IdM Service
The IdM service must be deployed on Tomcat. You need to configure the JRE used by the IdM Tomcat for FIPS mode. The steps are the same as those for the SM Web Tier. For details, see the steps for Tomcat in the Web Tier section.
Next step:
Generate FIPS validated certificates for the SM Server and other components
