Configure FIPS mode in the Web Tier

Once you have enabled FIPS mode on the Service Manager (SM) Server side, you need to enable FIPS mode in the Web Tier.

Prerequisites

  • Your web application server is running in FIPS mode. For Tomcat, you only need to make sure FIPS mode is already enabled in the Oracle JRE; for WebSphere Application Server (WAS), you need to enable FIPS mode in both the IBM JRE and WAS (in the administration console and in a configuration file). For details, see the Web Tier section in Configure Java for FIPS mode.

  • You have already generated a CA certificates file and a client keystore for the Web Tier host. For details, see Generate FIPS validated certificates for the SM Server and other components.

    • The CA certificates file: \certs\smcacerts.p12
    • The Web Tier keystore file: \key\sun-sun-<Web Tier host FQDN>.p12 (for example, sun-sun-webhost.mycompany.net.p12)

Steps to enable FIPS mode in the Web Tier

To configure FIPS mode in the Web Tier, follow these steps:

  1. Copy the CA certificates file and the Web Tier client keystore to the Web Tier’s WEB-INF folder:

    • smcacerts.p12
    • sun-sun-<Web Tier host FQDN>.p12
  2. Open the Web Tier configuration file (<web tier>\WEB-INF\web.xml) in a text editor.
  3. Make sure the serverHost parameter is set to the FQDN of the SM Server host and the serverPort parameter to the HTTP port (for example, 13080) of the SM Server.

    The following is an example.

    <init-param>
      <!-- Specify the HPE Service Manager server host and port location -->
      <param-name>serverHost</param-name>
      <param-value>smserver.mycompany.net</param-value>
    </init-param>

    <init-param>
      <param-name>serverPort</param-name>
      <param-value>13080</param-value>
    </init-param>
  4. Locate the customize-folder parameter. If you have not configured the customize-folder parameter before, it looks like the following.

    <!--
        branding related images and configuration files are stored in this folder,
        specify the full path of a folder which has write privilege
      -->
    <context-param>
      <param-name>customize-folder</param-name>
      <param-value/>
    </context-param>

  5. Create a customization directory for the Web Tier, and configure this directory in the customize-folder parameter.

    The following is an example:

    <context-param>
        <param-name>customize-folder</param-name>
        <param-value>C:\Temp\customize-folder</param-value>
    </context-param>
    
  6. Copy the webtier.properties file from the <web tier>\WEB-INF directory to the config subfolder of the customization directory.

    For example:

    C:\Temp\customize-folder\config\webtier.properties

    Tip The <customize-folder> is intended to be used to store all customization files (such as client keystore password and rebranding images) for the Web Tier.

  7. Open the webtier.properties file in the customization folder with a text editor.

    The out-of-box content of this file is as follows:

    fipsMode=false
    # password of client keystore
    keystorePassword=***~FEFE829A6CE84A71D1A33108DEEF8FBEA96DEFEF
    # password of trust store
    cacertsPassword=***~FEFE829A6CE84A71D1A33108DEEF8FBEA96DEFEF
    # Positive number between 1-500
    maxMessageNumber=50
    
  8. Enable FIPS mode and configure the passwords of the CA certificates file and the Web Tier client keystore file.

    The following is an example:

    fipsMode=true
    # password of client keystore
    keystorePassword=clientkeystore
    # password of trust store
    cacertsPassword=changeit
    # Positive number between 1-500
    maxMessageNumber=50
    

    Save and close the webtier.properties file.

    Note Later, when you restart the web application server, the passwords you entered in this file will get encrypted automatically.

  9. Locate the following sections in the <web tier>\WEB-INF\web.xml file.

    <!-- Control the encryption of network communication between the application server
         and the HPE Service Manager server -->
    <init-param>
      <param-name>ssl</param-name>
      <param-value>false</param-value>
    </init-param>

    <!-- Specify the CA certificate store to use in encrypted communication -->
    <init-param>
      <!-- If this value is empty, the JDK's default jre/lib/security/cacerts file is used -->
      <!-- If this is a relative path, it will be relative to the web application's deploy directory
           but still needs a leading slash -->
      <param-name>cacerts</param-name>
      <param-value>/WEB-INF/cacerts</param-value>
    </init-param>
    <!-- Specify the client's private keystore to use in encrypted communication. This is necessary
         for client authentication when using single sign-on, but not for a standard SSL connection. -->
    <!-- If this is a relative path, it will be relative to the web application's deploy directory
         but still needs a leading slash -->
    <init-param>
      <param-name>keystore</param-name>
      <param-value/>
    </init-param>

  10. Configure the three parameters as shown in the following, and save the web.xml file.

    <init-param>
      <param-name>ssl</param-name>
      <param-value>true</param-value>
    </init-param>

    <!-- Specify the CA certificate store to use in encrypted communication -->
    <init-param>
      <!-- If this value is empty, the JDK's default jre/lib/security/cacerts file is used -->
      <!-- If this is a relative path, it will be relative to the web application's deploy directory
           but still needs a leading slash -->
      <param-name>cacerts</param-name>
      <param-value>/WEB-INF/smcacerts.p12</param-value>
    </init-param>
    <!-- Specify the client's private keystore to use in encrypted communication. This is necessary
         for client authentication when using single sign-on, but not for a standard SSL connection. -->
    <!-- If this is a relative path, it will be relative to the web application's deploy directory
         but still needs a leading slash -->
    <init-param>
      <param-name>keystore</param-name>
      <param-value>/WEB-INF/sun-sun-webhost.mycompany.net.p12</param-value>
    </init-param>


    Note When FIPS mode is enabled in the webtier.properties file, the JCE provider parameters are no longer needed. The Web Tier is hardcoded to use the JCE provider defined in the Web Tier's JRE. For this reason, do not configure the JCE provider parameters, which are provided only for backward compatibility.

    <!-- Specify the JCE Provider name here -->
    <init-param>
      <param-name>JCEProviderName</param-name>
      <param-value/>
    </init-param>
    <!-- Specify the JCE Provider class name here, the full name includes the package name -->
    <init-param>
      <param-name>JCEProviderClassName</param-name>
      <param-value/>
    </init-param>

  11. Restart your web application server for your configuration to take effect.

  12. Launch your Web Tier client URL in a browser, and log in with your user account.

    If FIPS mode has been successfully enabled in the Web Tier, you should be successfully logged in.
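    A configuration check that can be run over the two edited files before the restart in step 11, added here as an example and not part of the product documentation; the web.xml and webtier.properties fragments are constructed inline to mirror steps 8 and 10, and the function names (init_params, properties, check_fips_config) are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed fragments mirroring the settings from steps 8 and 10 (not real files).
WEB_XML = """<web-app><servlet>
  <init-param><param-name>ssl</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>cacerts</param-name><param-value>/WEB-INF/smcacerts.p12</param-value></init-param>
  <init-param><param-name>keystore</param-name><param-value>/WEB-INF/sun-sun-webhost.mycompany.net.p12</param-value></init-param>
  <init-param><param-name>JCEProviderName</param-name><param-value/></init-param>
  <init-param><param-name>JCEProviderClassName</param-name><param-value/></init-param>
</servlet></web-app>"""

WEBTIER_PROPERTIES = """fipsMode=true
keystorePassword=clientkeystore
cacertsPassword=changeit
"""

def init_params(web_xml_text):
    """Map each init-param name to its value; an empty <param-value/> yields ''."""
    params = {}
    for p in ET.fromstring(web_xml_text).iter("init-param"):
        name = (p.findtext("param-name") or "").strip()
        params[name] = (p.findtext("param-value") or "").strip()
    return params

def properties(text):
    """Parse a Java .properties file, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_fips_config(web_xml_text, props_text):
    """Return a list of findings; an empty list means both files match steps 8 and 10."""
    p, props = init_params(web_xml_text), properties(props_text)
    findings = []
    if props.get("fipsMode") != "true":
        findings.append("webtier.properties: fipsMode must be true")
    if p.get("ssl") != "true":
        findings.append("web.xml: ssl must be true so Web Tier to SM Server traffic is encrypted")
    for name in ("cacerts", "keystore"):
        value = p.get(name, "")
        if not (value.startswith("/WEB-INF/") and value.endswith(".p12")):
            findings.append(f"web.xml: {name} must point to a PKCS12 file under /WEB-INF/ (got {value!r})")
    for name in ("JCEProviderName", "JCEProviderClassName"):
        if p.get(name):  # must stay empty: the JRE's own provider is used in FIPS mode
            findings.append(f"web.xml: {name} must be left empty in FIPS mode")
    return findings
```

Run it against the real <web tier>\WEB-INF\web.xml and the webtier.properties copy in the customization folder; an empty list means the values match the procedure, while any finding names the parameter to revisit.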

Next step:

Configure FIPS mode in the Mobility Client