Configure FIPS mode in the Web Tier

Prerequisites

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Your web application server is running in FIPS mode. For Tomcat, you only need to make sure FIPS mode is already enabled in the oracle JRE; for WebSphere Application Server (WAS), you need to enable FIPS mode in both the IBM JRE and WAS (the administration console and a configuration file). For details, see the Web Tier section in Configure Java for FIPS mode.

You have already generated a CA certificates file and a client keystore for the Web Tier host. For details, see Generate FIPS validated certificates for the SM Server and other components.

The CA certificates file: \certs\smcacerts.p12
The Web Tier keystore file: \key\sun-sun-<Web Tier host FQDN>.p12 (for example, sun-sun-webhost.mycompany.net.p12)

You have enabled FIPS mode on the SM Server side. For details, see Configure FIPS mode in the Server.

Steps to enable FIPS mode in the Web Tier

To configure FIPS mode in the web client, follow these steps:

Copy the CA certificates file and the Web Tier client keystore to the Web Tier’s WEB-INF folder:

smcacerts.p12
sun-sun-<Web Tier host FQDN>.p12

Open the Web Tier configuration file (<web tier>\WEB-INF\web.xml) in a text editor.

Make sure the serverHost parameter is specified with the FQDN of the SM Server host and the serverPort parameter with the http port (for example, 13080) of the SM Server.

The following is an example.

<init-param>
      <!-- Specify the HPE Service Manager server host and port location -->
      <param-name>serverHost</param-name>
      <param-value>smserver.mycompany.net</param-value>
</init-param>

<init-param>
      <param-name>serverPort</param-name>
      <param-value>13080</param-value>
</init-param>

Locate the customize-folder parameter. If you have not configured the customize-folder parameter before, it looks like the following.

<!-- 
    branding related images and configuration files are stored in this folder, 
    specify the full path of a folder which has write privilege
  -->
  <context-param>
    <param-name>customize-folder</param-name>
    <param-value/>
 </context-param>

Create a customization directory for the Web Tier, and configure this directory in the customize-folder parameter.

The following is an example:

<context-param>
    <param-name>customize-folder</param-name>
    <param-value>C:\Temp\customize-folder</param-value>
</context-param>

Copy the webtier.properties file from the <web tier>\WEB-INF directory to the config subfolder of the customization directory.

For example:

C:\Temp\customize-folder\config\webtier.properties

Tip The <customize-folder> is intended to be used to store all customization files (such as client keystore password and rebranding images) for the Web Tier.

Open the webtier.properties files in the customization folder with a text editor.

The out-of-box content of this file is shown in the following:

fipsMode=false
# password of client keystore
keystorePassword=***~FEFE829A6CE84A71D1A33108DEEF8FBEA96DEFEF
# password of trust store
cacertsPassword=***~FEFE829A6CE84A71D1A33108DEEF8FBEA96DEFEF
# Positive number between 1-500
maxMessageNumber=50

Enable FIPS mode and configure the passwords of the CA certificates file and Web Tier client keystore file.

The following is an example:

fipsMode=true
# password of client keystore
keystorePassword=clientkeystore
# password of trust store
cacertsPassword=changeit
# Positive number between 1-500
maxMessageNumber=50

Save and close the webtier.properties file.

Note Later, when you restart the web application server, the passwords you entered in this file will get encrypted automatically.

Locate the following sections in the <web tier>\WEB-INF\web.xml file.

<!-- Control the encryption of network communication between the application server
         and the HPE Service Manager server -->
    <init-param>
     <param-name>ssl</param-name>
      <param-value>false</param-value>
    </init-param>

    <!-- Specify the CA certificate store to use in encrypted communication -->
    <init-param>
      <!-- If this value is empty, the JDK's default jre/lib/security/cacerts file is used -->
      <!-- If this is a relative path, it will be relative to the web application's deploy directory
           but still needs a leading slash -->
      <param-name>cacerts</param-name>
      <param-value>/WEB-INF/cacerts</param-value>
    </init-param>
    <!-- Specify the client's private keystore to use in encrypted communication. This is necessary
         for client authentication when using single sign-on, but not for a standard SSL connection. -->
    <!-- If this is a relative path, it will be relative to the web application's deploy directory
         but still needs a leading slash -->
    <init-param>
      <param-name>keystore</param-name>
      <param-value/>

Configure the three parameters as shown in the following, and save the web.xml file.

<init-param>
      <param-name>ssl</param-name>
      <param-value>true</param-value>
    </init-param>

    <!-- Specify the CA certificate store to use in encrypted communication -->
    <init-param>
      <!-- If this value is empty, the JDK's default jre/lib/security/cacerts file is used -->
      <!-- If this is a relative path, it will be relative to the web application's deploy directory
           but still needs a leading slash -->
      <param-name>cacerts</param-name>
      <param-value>/WEB-INF/smcacerts.p12</param-value>
    </init-param>
    <!-- Specify the client's private keystore to use in encrypted communication. This is necessary
         for client authentication when using single sign-on, but not for a standard SSL connection. -->
    <!-- If this is a relative path, it will be relative to the web application's deploy directory
         but still needs a leading slash -->
    <init-param>
      <param-name>keystore</param-name>
      <param-value>/WEB-INF/sun-sun-webhost.mycompany.net.p12</param-value>
</init-param>

Note When FIPS mode is enabled in the webtier.properties file, the JCE provider parameters are no longer needed. The Web Tier is hardcoded to use the JCE provider defined in the Web Tier's JRE. For this reason, do not configure the JCE provider parameters, which are provided only for backward compatibility.

</init-param>
    <!-- Specify the JCE Provider name here -->
    <init-param>
      <param-name>JCEProviderName</param-name>
      <param-value/>
    </init-param>
    <!-- Specify the JCE Provider class name here, the full name includes the package name -->
    <init-param>
      <param-name>JCEProviderClassName</param-name>
      <param-value/>
 </init-param>

Restart your web application server for your configuration to take effect.

Launch your Web Tier client URL in a browser, and log in with your user account.

If FIPS mode has been successfully enabled in the Web Tier, you should be successfully logged in.

Next step: