IBMW-LS-001200 - The WebSphere Liberty Server must use FIPS 140-3-approved encryption modules when authenticating users and processes.

Information

Encryption is only as good as the encryption modules in use. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. FIPS 140-3-approved TLS versions include TLS V1.0 or greater.

TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

Solution

There are two ways to meet this requirement using FIPS 140-3. Only one method is required.

If IBM JDK 8 version 8.0.8.30 or later is installed and configured to run with WebSphere Liberty version 25.0.0.3 or later, proceed with method (I).
If IBM Semeru Runtimes version 11.0.29, 17.0.17, 21.0.9, 25.0.1 or higher is installed and configured with WebSphere Liberty version 25.0.0.12 or later, proceed with method (II).

Method (I) IBM JDK 8 (version 8.0.8.30 or later) with WebSphere Liberty (version 25.0.0.3 or later):

1. If the Liberty server is running, stop it.

2. Edit/create the ${server.config.dir}/jvm.options file. Edit/add the following three properties:

-Xenablefips140-3
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

3. If there are existing LTPA keys, delete the ltpa.keys file before restarting the server to generate new FIPS 140-3-compliant keys.

Default location: ${server.output.dir}/resources/security/ltpa.keys

A new ltpa.keys file will be automatically created when the Liberty server restarts with FIPS 140-3-compliant keys.

4. Restart the Liberty server to enable FIPS 140-3.

5. Verify TLS protocol is set to TLS 1.2 or TLS 1.3 in the ${server.config.dir}/server.xml file.

<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
or
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.3" />

Alternative LTPA Key Creation Method:
To manually create LTPA keys with FIPS 140-3 approved algorithms using the securityUtility command:

1. Export the required system properties:

export JVM_ARGS="-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS"

2. Run the securityUtility createLTPAKeys command:

securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes

Important: If LTPA validation keys exist, delete these and generate new validation keys after FIPS 140-3 is enabled using the securityUtility createLTPAKeys command as shown above.

Method (II) IBM Semeru Runtimes with WebSphere Liberty (FIPS 140-3):

1. If the Liberty server is running, stop it.

2. Enable FIPS 140-3 using the securityUtility configureFIPS command. To enable across all servers, clients and tools (Installation level):

securityUtility configureFIPS
To enable for a specific server:
securityUtility configureFIPS --server=<server_name>
To enable for a specific client:
securityUtility configureFIPS --client=<client_name>

This command configures the FIPS enablement requirements and creates a Java security properties file.

3. (Optional) To create a custom profile in a specific location:

securityUtility configureFIPS --customProfileFile=<file_path>

The default profile locations are:

- Installation level: <Liberty install location>/wlp/etc/FIPS140-3-Liberty-Application.properties
- Server level: <server root>/resources/security/FIPS140-3-Liberty-Application.properties
- Client level: <client root>/resources/security/FIPS140-3-Liberty-Application.properties

4. Restart the Liberty server to enable FIPS 140-3.

When the server restarts after FIPS 140-3 is enabled:

- A new ltpa.keys file is automatically created with FIPS-approved algorithms.
- Existing ltpa.keys files are backed up to ltpa.keys.nofips.

5. Verify TLS protocol is set to TLS 1.2 or TLS 1.3 in the ${server.config.dir}/server.xml file.

<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
or
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.3" />

6. SAML Configuration: If SAML is used, configure only FIPS 140-3-approved signature algorithms in the ${server.config.dir}/server.xml file.

Approved algorithms: SHA256, SHA384, SHA512, ECDSAwithSHA256, ECDSAwithSHA384, ECDSAwithSHA512

Example:
<samlWebSso20 id="defaultSP" signatureMethodAlgorithm="SHA256" />

Alternative LTPA Key Creation Method:
To manually create LTPA keys with FIPS 140-3-approved algorithms:

1. Configure FIPS 140-3 at the installation level (as shown in step 2 above).

2. Run the securityUtility createLTPAKeys command:

securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes

Important: If LTPA validation keys exist, delete these and generate new validation keys after FIPS 140-3 is enabled using the securityUtility createLTPAKeys command.
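The following audit script is an added example and is not part of the STIG text or of IBM's securityUtility tooling. It reads a Liberty server directory and reports whether the settings required by Method (I) (the three jvm.options properties), Method (II) (the FIPS140-3-Liberty-Application.properties profile written by securityUtility configureFIPS, at the server-level or installation-level paths listed above), the TLS verification step shared by both methods, and the SAML signature-algorithm step are in place. The function names, the "good", "semeru" and "bad" sample servers, and their file contents are constructed for this example; it also accepts a comma-separated sslProtocol list, which the STIG text does not mention but Liberty allows.

```shell
#!/bin/sh
# Added audit script for IBMW-LS-001200. It is not part of the STIG text or of
# IBM's securityUtility; it only reads files and reports. Given a Liberty server
# directory (${server.config.dir}) it checks:
#   check_method1_jvm_options  - the three FIPS 140-3 JVM properties in jvm.options
#   check_method2_fips_profile - the profile written by "securityUtility configureFIPS"
#   check_tls_protocol         - every <ssl> pins sslProtocol to TLSv1.2 or TLSv1.3
#   check_saml_signature       - a configured <samlWebSso20> uses an approved algorithm
# Each check returns 0 when compliant and 1 otherwise; audit_server combines them.

APPROVED_SAML_ALGS="SHA256 SHA384 SHA512 ECDSAwithSHA256 ECDSAwithSHA384 ECDSAwithSHA512"

# Method (I): all three properties from the fix text must appear in jvm.options.
check_method1_jvm_options() {
    f="$1/jvm.options"
    [ -r "$f" ] || return 1
    grep -qE '^[[:space:]]*-Xenablefips140-3[[:space:]]*$' "$f" || return 1
    grep -qE '^[[:space:]]*-Dcom\.ibm\.jsse2\.usefipsprovider=true[[:space:]]*$' "$f" || return 1
    grep -qE '^[[:space:]]*-Dcom\.ibm\.jsse2\.usefipsProviderName=IBMJCEPlusFIPS[[:space:]]*$' "$f"
}

# Method (II): configureFIPS writes the profile at server level, or at
# installation level when $2 (the directory containing wlp/) is given.
check_method2_fips_profile() {
    [ -r "$1/resources/security/FIPS140-3-Liberty-Application.properties" ] && return 0
    [ -n "$2" ] && [ -r "$2/wlp/etc/FIPS140-3-Liberty-Application.properties" ]
}

# Step 5 of both methods. Liberty accepts a comma-separated sslProtocol list, so
# every entry is checked; an <ssl> element without the attribute is a finding.
check_tls_protocol() {
    xml="$1/server.xml"
    [ -r "$xml" ] && grep -q '<ssl[[:space:]]' "$xml" || return 1
    values=$(grep '<ssl[[:space:]]' "$xml" |
        sed -e '/sslProtocol="/!s/.*/MISSING/' \
            -e 's/.*sslProtocol="\([^"]*\)".*/\1/' | tr ',' ' ')
    for v in $values; do
        case "$v" in
            TLSv1.2|TLSv1.3) ;;
            MISSING) echo "FAIL <ssl> element has no sslProtocol attribute"; return 1 ;;
            *) echo "FAIL sslProtocol=\"$v\" is not TLSv1.2 or TLSv1.3"; return 1 ;;
        esac
    done
    return 0
}

# Step 6 of Method (II): only the approved signature algorithms are allowed.
# No <samlWebSso20> element means SAML is unused, so the check passes.
check_saml_signature() {
    xml="$1/server.xml"
    [ -r "$xml" ] || return 1
    grep -q '<samlWebSso20[[:space:]]' "$xml" || return 0
    algs=$(grep '<samlWebSso20[[:space:]]' "$xml" |
        sed -e '/signatureMethodAlgorithm="/!s/.*/MISSING/' \
            -e 's/.*signatureMethodAlgorithm="\([^"]*\)".*/\1/')
    for a in $algs; do
        case " $APPROVED_SAML_ALGS " in
            *" $a "*) continue ;;
        esac
        [ "$a" = MISSING ] && a="(not set)"
        echo "FAIL samlWebSso20 signatureMethodAlgorithm=\"$a\" is not on the approved list"
        return 1
    done
    return 0
}

# Combine the checks: FIPS must be enabled by either method, TLS pinned, SAML approved.
audit_server() {
    dir="$1"; install="${2:-}"; status=0
    if check_method1_jvm_options "$dir" || check_method2_fips_profile "$dir" "$install"; then
        echo "PASS FIPS 140-3 enabled (jvm.options properties or configureFIPS profile)"
    else
        echo "FAIL neither Method (I) jvm.options properties nor a Method (II) profile found"; status=1
    fi
    if check_tls_protocol "$dir"; then echo "PASS sslProtocol pinned to TLSv1.2/TLSv1.3"; else status=1; fi
    if check_saml_signature "$dir"; then echo "PASS SAML signature algorithm approved or SAML unused"; else status=1; fi
    return $status
}

# Constructed sample servers (not from any real deployment) so the script runs
# offline: "good" uses Method (I), "semeru" uses Method (II), "bad" has neither,
# keeps Liberty's generic "TLS" protocol value and signs SAML with SHA1.
make_sample_servers() {
    base=$(mktemp -d)
    mkdir -p "$base/good" "$base/bad" "$base/semeru/resources/security"
    printf '%s\n' '-Xenablefips140-3' '-Dcom.ibm.jsse2.usefipsprovider=true' \
        '-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS' > "$base/good/jvm.options"
    cat > "$base/good/server.xml" <<'EOF'
<server>
    <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2,TLSv1.3" keyStoreRef="defaultKeyStore" />
    <samlWebSso20 id="defaultSP" signatureMethodAlgorithm="SHA256" />
</server>
EOF
    : > "$base/semeru/resources/security/FIPS140-3-Liberty-Application.properties"
    cp "$base/good/server.xml" "$base/semeru/server.xml"
    cat > "$base/bad/server.xml" <<'EOF'
<server>
    <ssl id="defaultSSLConfig" sslProtocol="TLS" keyStoreRef="defaultKeyStore" />
    <samlWebSso20 id="defaultSP" signatureMethodAlgorithm="SHA1" />
</server>
EOF
    echo "$base"
}

# Usage: sh audit_fips.sh <server.config.dir> [liberty_install_dir]; no arguments runs the demo.
if [ $# -gt 0 ]; then
    audit_server "$1" "${2:-}"
    exit $?
fi
base=$(make_sample_servers)
for s in good semeru bad; do
    echo "== $s =="
    if audit_server "$base/$s"; then echo "RESULT: compliant"; else echo "RESULT: non-compliant"; fi
done
rm -rf "$base"
```

The checks are deliberately conservative: an <ssl> element that omits sslProtocol, or a samlWebSso20 element that omits signatureMethodAlgorithm, is reported as a finding rather than assumed to fall back to a safe default, so that the configuration states the approved value explicitly as the fix text requires.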

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_WebSphere_Liberty_Server_V2R4_STIG.zip