Detections
Analytics

IBMW-LS-000520 - The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.

Information

Application servers must use and meet requirements of the DOD Enterprise PKI infrastructure for application authentication. Encryption is only as good as the encryption modules used. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client.

TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140, SRG-APP-000439-AS-000155, SRG-APP-000442-AS-000259, SRG-APP-000514-AS-000136

Solution

There are two ways to meet this requirement. Only one method is required.

If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I).

If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux.

Method (I) IBM JDK 8 is configured to run with WebSphere Liberty:

1. Edit/Create the ${server.config.dir}/jvm.options file.
Edit/Add the following two properties:
Dcom.ibm.jsse2.usefipsprovider=true
Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

2. Edit ${JAVA_HOME}/jre/lib/security/java.security file and locate the list of cryptographic providers. Edit/add the following four providers:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus

Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System.

1. Log in as root or super user.

2. Enable FIPS on the RedHat Enterprise Linux.
$ fips-mode-setup --enable
$ fips-mode-setup --check

3. Update/create the ${server.config.dir}/jvm.options.
Edit/Add the following property:
Dsemeru.fips=true

4. Install NSS packages. Run "$ dnf install nss".

5. Import keystores to NSS Database by using "pk12util" command. Replace "changeit" for -W option to the desired password.

$ pk12util -i resources/security/key.p12 -W changeit -d /etc/pki/nssdb
pk12util: PKCS12 IMPORT SUCCESSFUL

6. Mark the imported certificates as a trusted certificate authority (CA).

$ certutil -M -n default -t "CT,CT,CT" -d /etc/pki/nssdb

7. List the contents of the NSS Database to confirm the alias name and the Trust Attributes.

$ certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI
default CTu,Cu,Cu

8. Create a config file (pkcs11cfg.cfg) with the contents below. It will be used by ${server.config.dir}/server.xml.

name = NSS-FIPS
library = /usr/lib64/libsoftokn3.so
slot = 3
showInfo = true

9. Update the ${server.config.dir}/server.xml file to use the configuration file in its SSL configuration.

<ssl id="defaultSSLConfig"
 keyStoreRef="defaultKeyStore"
 sslProtocol="TLSv1.2" />
<keyStore id="defaultKeyStore" password="password used in -W parameter earlier here"
 location="${server.config.dir}/pkcs11cfg.cfg" type="PKCS11"
 fileBased="false" provider="SunPKCS11-NSS-FIPS"/>

9.1 Find the <keyStore/> configuration referenced in the ssl configuration as "keyStoreRef".
9.2 Set "provider" attribute to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS".
9.3 Set the "type" attribute to "PKCS11"
9.4 Set the "fileBased" attribute to "false"
9.5 Set the "location" attribute to point to the NSS keystore configuration created in step 8 (pkcs11.cfg.cfg).
9.6 Verify the file is in a location that is accessible to Liberty.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_WebSphere_Liberty_Server_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-7, 800-53|SC-8, 800-53|SC-8(2), 800-53|SC-13, 800-53|SC-23(3), CAT|I, CCI|CCI-000803, CCI|CCI-001188, CCI|CCI-002418, CCI|CCI-002422, CCI|CCI-002450, Rule-ID|SV-250339r1067571_rule, STIG-ID|IBMW-LS-000520, Vuln-ID|V-250339

Plugin: Unix

Control ID: aad839147b902bb6851e7aa7a597f9f65fce611e533b60066e4b77fd96def29a