Out of support

 

This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Configuring an external Tomcat instance for FIPS-140

The Federal Information Processing Standard (FIPS-140) is a set of standards for use in computer systems by all non-military government agencies and government contractors, for example, data encoding and encryption standards. For information about FIPS-140, see Configuring FIPS-140 mode.

To configure an external Tomcat instance for FIPS-140

If you plan to enable FIPS-140 and are installing to an external Tomcat server, perform these steps:

  1. Configure the Tomcat server for auto-deployment of .war files.
  2. Use the same keystore for both non-FIPS and FIPS versions of your server.xml file.
  3. Perform the following modifications to the server.xml file for non-FIPS and FIPS versions:
    1. Duplicate the original file to create a FIPS version (named server.xml.fips) and non-FIPS version (named server.xml.nofips).
    2. In the new FIPS version of the file, use the following ciphers attribute to force a higher level of encryption (or use your own values):

      ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    3. Add the XML comment to tag the file as FIPS-140: <!-- FIPS140 -->
  4. Perform the following modifications to the java.security file for non-FIPS and FIPS versions:
    1. Duplicate the original file, creating java.security.nofips and java.security.fips versions.
    2. In java.security.fips, make sure that the JsafeJCE provider is the first one in the security providers list, with the remaining providers renumbered.

      For example, the following list places the JsafeJCE provider at the top of the list with a key suffix of 1, while the providers after JsafeJCE are renumbered to follow the first. The com.rsa.cryptoj.jce.kat.strategy and com.rsa.cryptoj.jce.fips140initialmode properties are placed after the security providers list.

      For those properties, use the exact values shown in the following example:

      security.provider.1=com.rsa.jsafe.provider.JsafeJCE
      security.provider.2=sun.security.provider.Sun
      security.provider.3=sun.security.rsa.SunRsaSign
      
      security.provider.10=sun.security.mscapi.SunMSCAPI
      com.rsa.cryptoj.jce.kat.strategy=on.load
      com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE
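
The following Python check is an added example, not BMC tooling. It validates the contents of java.security.fips and server.xml.fips against the steps above: JsafeJCE first, contiguous provider numbering, the two com.rsa.cryptoj properties, the FIPS140 tag comment, and well-formed cipher suite names. Flagging RC4 and MD5 suites goes beyond the page and rests on those algorithms not being FIPS-approved; the function names and sample inputs are constructed for illustration.

```python
import re

# Provider class and property values are the ones shown on this page.
FIPS_PROVIDER = "com.rsa.jsafe.provider.JsafeJCE"
REQUIRED = {"com.rsa.cryptoj.jce.kat.strategy": "on.load",
            "com.rsa.cryptoj.jce.fips140initialmode": "FIPS140_SSL_MODE"}

def check_java_security(text):
    """Return problems found in the contents of java.security.fips."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    nums = sorted(int(k.rsplit(".", 1)[1]) for k in props
                  if re.fullmatch(r"security\.provider\.\d+", k))
    problems = []
    if props.get("security.provider.1") != FIPS_PROVIDER:
        problems.append("security.provider.1 is not JsafeJCE")
    if nums != list(range(1, len(nums) + 1)):  # JVM stops at the first gap
        problems.append("provider numbers are not contiguous from 1")
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            problems.append(f"{key} is not {want}")
    return problems

def check_server_xml(text):
    """Return problems found in the contents of server.xml.fips."""
    problems = []
    if "<!-- FIPS140 -->" not in text:
        problems.append("missing <!-- FIPS140 --> tag")
    m = re.search(r'ciphers="([^"]*)"', text)
    if not m:
        return problems + ["no ciphers attribute"]
    for suite in (s.strip() for s in m.group(1).split(",")):
        if not re.fullmatch(r"(SSL|TLS)(_[A-Z0-9]+)+", suite):
            problems.append(f"malformed suite name: {suite!r}")
        elif "_RC4_" in suite or suite.endswith("_MD5"):  # added check
            problems.append(f"not FIPS-approved: {suite}")
    return problems

# Constructed samples: a botched renumbering and a cipher list with a typo.
SAMPLE_SECURITY = ("security.provider.1=sun.security.provider.Sun\n"
                   "security.provider.3=com.rsa.jsafe.provider.JsafeJCE\n"
                   "com.rsa.cryptoj.jce.kat.strategy=on.load\n")
SAMPLE_SERVER = ('<Connector ciphers="SSL_RSA_WITH_RC4_128_MD5,'
                 'TLS_DHE_RSA_WITH_AES_128 CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>')
if __name__ == "__main__":
    print(check_java_security(SAMPLE_SECURITY), check_server_xml(SAMPLE_SERVER))
```

Run it against the real files by passing their contents, for example `check_java_security(open("java.security.fips").read())`.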