
FIPS mode

FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within U.S. non-military government agencies and by U.S. government contractors and vendors who work with the agencies.

FIPS 140-2, “Security Requirements for Cryptographic Modules,” was issued by the U.S. National Institute of Standards and Technology (NIST) in May 2001. The standard specifies the security requirements for cryptographic modules used within a security system that protects sensitive or valuable data.

For FIPS 140-2 compliance, Service Manager (SM) supports the implementation of FIPS validated AES-256 data encryption, TLS connections and Lightweight Single Sign-On (LW-SSO), and FIPS compliant random number generation algorithms.

Note Prior to version 9.50, Service Manager supported only FIPS 140-2 compliant data encryption. For backward compatibility, the legacy FIPS mode configuration is still supported. For details about the legacy FIPS mode configuration, see Configure legacy FIPS mode in Service Manager.

The following table describes two operation modes of the Service Manager server and clients.

Operation mode: FIPS mode (FIPS 140-2 compliant mode)
  Description: Supports FIPS 140-2 compliant cryptographic functions.
  Notes: Both OpenJDK JRE and Oracle JRE are supported for Service Manager. However, Service Manager does not support enabling FIPS mode with OpenJDK. If you want to enable FIPS mode for Service Manager, use Oracle JRE or IBM JRE with Service Manager.

Operation mode: Non-FIPS mode (non-FIPS 140-2 compliant mode)
  Description: Utilizes existing cryptography without the third-party FIPS 140-2 validated cryptographic modules.

In FIPS mode, Service Manager supports the same authentication methods as in non-FIPS mode. See the following table.

Authentication mechanism                      Windows Client   Web Client   Mobility Client   SRC
Password-based mechanism (local and LDAP)     Yes              Yes          Yes               Yes
Trusted Sign-On (TSO)                         Yes              Yes          Yes               Yes
LW-SSO                                        No               Yes          Yes               Yes
X.509 certificate authentication (CAC)        No               Yes          No                Yes
SAML SSO                                      No               Yes          Yes               Yes
Chat Server                                   No               Yes          No                No
Chat Service                                  No               Yes          No                No

FIPS validated AES-256 data encryption

Starting with version 9.32, Service Manager (SM) supports the implementation of FIPS validated AES-256 data encryption for encrypted fields in the Service Manager database.

Note If FIPS mode is enabled, the encrypted fields cannot be retrieved through the legacy listener.

FIPS validated TLS connections

Starting with version 9.41p3, Service Manager supports the implementation of FIPS validated TLS connections, managed by a FIPS validated cryptographic provider. The following table describes the cryptographic providers that Service Manager uses in FIPS mode.

TLS connections between: SM Server and any of the following components:
  • Windows Client
  • Web Tier Client
  • Service Request Catalog (SRC)
  • Mobility Client
  • Chat Server
  • Chat Service
  • Web service integrations (when SM acts as a web services client or web services server)
Cryptographic provider: RSA BSAFE Crypto-J

TLS connections between: SM Server and Solr Search Engine
Cryptographic provider: RSA BSAFE Crypto-J
Note The SM Server connects to the Solr search server through TLS connections using the HTTPS protocol; however, when performing searching and indexing, the Solr search server receives requests from an HTTPS port and distributes the requests to the shards with the HTTP protocol.

TLS connections between: SRC and Solr Search Engine
Cryptographic provider: RSA BSAFE Crypto-J

TLS connections between: SM Server and LDAP/Directory Services Server
Cryptographic provider: OpenSSL FIPS Object Module

Notes:
  • To enable FIPS mode in Service Manager, all truststore files and keystore files must use PKCS12 format.
  • The IBM® Java™ JCE (Java Cryptographic Extension) FIPS Provider (IBMJCEFIPS) is used instead for the following component:
    • The SM Web Tier and Mobility Client when deployed on WebSphere Application Server
    For more information, visit the IBM support website.
  • SM Smart Analytics uses an OEM-licensed version of Micro Focus IDOL, which does not support FIPS mode. For this reason, FIPS validated TLS connections cannot be implemented between the SM Server and the IDOL Server; however, when the SM Server is running in FIPS mode, the IDOL Server can still connect to SM through standard SSL, and Smart Analytics continues to work correctly.

Service Manager provides a set of parameters or options that determine whether the SM Server and other components are running in FIPS mode. See the following table.

Component: SM Server
  Parameter or option: fipsmode
  Description: Must be set to one of the following values to indicate whether the SM Server runs in FIPS mode:
    • 0 (default): non-FIPS mode
    • 2: FIPS mode

Component: Windows Client
  Parameter or option: The FIPS Mode checkbox in the Preferences window
  Description: Determines whether the Windows Client runs in FIPS mode:
    • Selected: FIPS mode
    • Unselected (default): non-FIPS mode

Component: Web Tier
  Parameter or option: The "fipsMode" parameter in the <Web Tier>/WEB-INF/webtier.properties file
  Description: Must be set to one of the following values to indicate whether the Web Tier runs in FIPS mode:
    • false (default): non-FIPS mode
    • true: FIPS mode

Component: Mobility Client
  Parameter or option: The "fipsMode" parameter in the <Mobility Client>/WEB-INF/webtier.properties file
  Description: Must be set to one of the following values to indicate whether the Mobility Client runs in FIPS mode:
    • false (default): non-FIPS mode
    • true: FIPS mode

Component: Service Request Catalog (SRC)
  Parameter or option: Two parameters in the applicationContext.property file, which is located in the <SRC .war file>/WEB-INF/classes folder:
    • src.trustStoreType
    • src.keyStoreType
  Description: Neither parameter exists in the out-of-box version of this file. To enable FIPS mode, you must add both manually and set them to "pkcs12":
    • src.trustStoreType=pkcs12
    • src.keyStoreType=pkcs12

Component: Chat Server
  Parameter or option: The "fipsmode" parameter in the <Openfire_home>/conf/openfire.xml file
  Description: Must be set to true or false to indicate whether the Chat Server runs in FIPS mode:
    • <fipsmode>false</fipsmode>: non-FIPS mode
    • <fipsmode>true</fipsmode>: FIPS mode

Component: Chat Service
  Parameter or option: The securityConfig.fipsmode parameter in the <chat service>\conf\app.properties file
  Description: Must be set to true or false to indicate whether the Chat Service runs in FIPS mode:
    • false (default): non-FIPS mode
    • true: FIPS mode
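A practical check that follows from the tables above is to confirm that every component is switched to FIPS mode at the same time and that no keystore is still in JKS format, because a single component left at its non-FIPS default silently downgrades the deployment. The following Python script is an added example, not Service Manager's own code: it parses the per-component settings listed above, plus the PKCS12 truststore/keystore requirement from the TLS section, out of constructed sample configuration excerpts. It assumes the SM Server parameter is stored as a "fipsmode:2" line in an INI-style file (sm.ini is assumed here), that the Java .properties files use "key=value" lines, and that openfire.xml nests the fipsmode element under a jive root; all sample contents and keystore bytes are constructed.

```python
"""Audit whether every Service Manager component is set to FIPS mode.

Added example, not Service Manager code. It reads the per-component settings
from constructed sample configuration text and checks that keystore blobs use
the PKCS12 container format that FIPS mode requires.
Assumptions: the SM Server 'fipsmode' parameter is a 'fipsmode:2' line in an
INI-style file (sm.ini is assumed); openfire.xml nests <fipsmode> under <jive>.
"""
import xml.etree.ElementTree as ET

# --- constructed sample configuration excerpts (not real deployment files) ---
SM_INI = "# constructed sm.ini excerpt\nfipsmode:2\n"
WEBTIER_PROPS = "# constructed webtier.properties excerpt (Web Tier)\nfipsMode=true\n"
MOBILITY_PROPS = "# constructed webtier.properties excerpt (Mobility Client)\nfipsMode=false\n"
SRC_PROPS = "src.trustStoreType=pkcs12\nsrc.keyStoreType=pkcs12\n"
OPENFIRE_XML = "<jive><fipsmode>true</fipsmode></jive>"
CHAT_PROPS = "securityConfig.fipsmode=true\n"
KEYSTORES = {
    # PKCS12 is DER: a SEQUENCE tag (0x30) followed by a length (constructed bytes)
    "server.p12": b"\x30\x82\x0a\x00" + b"\x00" * 8,
    # JKS magic number 0xFEEDFEED, then version 2: not allowed in FIPS mode
    "legacy.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02",
}


def parse_properties(text):
    """Parse 'key=value' / 'key:value' lines (Java .properties and sm.ini style).

    Comment lines start with '#' or '!'; the first '=' or ':' splits key from value.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            continue
        pos = min(positions)
        result[line[:pos].strip()] = line[pos + 1:].strip()
    return result


def is_true(value):
    return str(value).strip().lower() == "true"


def classify_keystore(data):
    """Classify a keystore blob by its leading bytes: pkcs12, jks, jceks or unknown."""
    if data.startswith(b"\xfe\xed\xfe\xed"):
        return "jks"
    if data.startswith(b"\xce\xce\xce\xce"):
        return "jceks"
    if data[:1] == b"\x30":  # DER SEQUENCE, as used by PKCS12
        return "pkcs12"
    return "unknown"


def audit(sm_ini, webtier_props, mobility_props, src_props, openfire_xml, chat_props, keystores):
    """Return {check name: True if FIPS-ready} for each component and keystore."""
    findings = {}
    # SM Server: fipsmode must be 2 (0 is the non-FIPS default)
    findings["SM Server"] = parse_properties(sm_ini).get("fipsmode", "0") == "2"
    # Web Tier and Mobility Client: fipsMode=true in webtier.properties
    findings["Web Tier"] = is_true(parse_properties(webtier_props).get("fipsMode", "false"))
    findings["Mobility Client"] = is_true(parse_properties(mobility_props).get("fipsMode", "false"))
    # SRC: both store-type parameters must be present and set to pkcs12
    src = parse_properties(src_props)
    findings["SRC"] = all(src.get(k, "").lower() == "pkcs12"
                          for k in ("src.trustStoreType", "src.keyStoreType"))
    # Chat Server: <fipsmode>true</fipsmode> anywhere in openfire.xml
    node = next(ET.fromstring(openfire_xml).iter("fipsmode"), None)
    findings["Chat Server"] = node is not None and is_true(node.text or "")
    # Chat Service: securityConfig.fipsmode=true in app.properties
    findings["Chat Service"] = is_true(
        parse_properties(chat_props).get("securityConfig.fipsmode", "false"))
    # Every truststore/keystore must be PKCS12
    for name, blob in keystores.items():
        findings["keystore %s is PKCS12" % name] = classify_keystore(blob) == "pkcs12"
    return findings


def not_fips_ready(findings):
    """Names of checks that failed, sorted for stable reporting."""
    return sorted(name for name, ok in findings.items() if not ok)


def sample_audit():
    """Run the audit over the constructed samples above."""
    return audit(SM_INI, WEBTIER_PROPS, MOBILITY_PROPS, SRC_PROPS, OPENFIRE_XML, CHAT_PROPS, KEYSTORES)


if __name__ == "__main__":
    results = sample_audit()
    for name, ok in results.items():
        print("%-32s %s" % (name, "FIPS" if ok else "NOT FIPS"))
    print("Not FIPS-ready:", not_fips_ready(results))
```

On the constructed samples the Mobility Client (still at fipsMode=false) and the JKS keystore are reported as not FIPS-ready; in a real deployment you would point the same functions at the actual files for each component and treat any failed check as a blocker before switching the SM Server to fipsmode:2.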

FIPS validated LW-SSO

Service Manager 9.41p3 also adds support for the implementation of FIPS validated LW-SSO. When FIPS mode is enabled on the Service Manager Server side, you have the option to enable an LW-SSO framework that is implemented by using a FIPS 140-2 validated security provider, such as the JsafeJCE provider or the IBMJCEFIPS provider.

The LW-SSO configuration file (lwssofmconf.xml) in each of the following components has been updated to support LW-SSO in FIPS mode:

  • SM Server
  • Web Tier
  • Mobility Client
  • SRC
  • Chat Server
  • Chat Service
  • Micro Focus Identity Manager (IdM) service

FIPS compliant random number generation algorithms

When running in FIPS mode, Service Manager uses FIPS compliant random number generation algorithms, as described in the following table.

Component: SM Server
  Random number generation algorithm: Uses RAND_bytes in OpenSSL.

Component: Windows Client
  Random number generation algorithm: Hardcoded to use HMACDRBG.

Component: Web Tier or Mobility Client
  Random number generation algorithm:
    • When deployed with Oracle JRE: uses HMACDRBG256 by default. You can configure the JRE’s java.security file to use another FIPS compliant algorithm.
    • When deployed with IBM JRE: hardcoded to use HASHDRBG.

Component: SRC or Solr Search Engine
  Random number generation algorithm: Uses HMACDRBG256 by default. You can configure the JRE’s java.security file to use another FIPS compliant algorithm.

Component: Chat Server or Chat Service
  Random number generation algorithm: Uses HMACDRBG256 by default when deployed with Oracle JRE. You can configure the JRE’s java.security file to use another FIPS compliant algorithm.

Related topics

Parameter: fipsmode