Installing the cryptography extension and enabling FIPS compliance


The Federal Information Processing Standards (FIPS) compliance implementation of J2SE security is available for BMC CMDB web services. Before enabling FIPS compliance, you must install the Java Cryptography Extension into your CMDB Web Services installation. The Java Cryptography Extension enables 192-bit and 256-bit symmetric keys for use with the AES-192 and AES-256 algorithms in your Web Services Security implementation.

Unlimited Strength Cryptography and FIPS-Compliance are not enabled out of the box, nor does CMDB Web Services provide the necessary Java security libraries needed to enable them.

You install the required libraries and then modify the node configuration to enable these features. You can install and enable Unlimited Strength Cryptography by itself; however, FIPS-Compliance requires Unlimited Strength Cryptography to be applied first.


To obtain and install the Java Cryptography Extension

To install this extension, obtain the Java Cryptography Extension from the vendor that distributes the Java Cryptography Extension for your installation of CMDB Web Services. BMC Helix CMDB uses 1.5 JREs from the following distributors:

  • Oracle (for Windows, Solaris, Linux, HP-UX platforms)
  • IBM (for AIX platform)

The Unlimited Strength Java Cryptography Extension extends the WS-Security implementation to support 192-bit and 256-bit symmetric keys with the AES-192 and AES-256 algorithms.

To apply this extension, download the extension that matches the JRE associated with your installation of CMDB Web Services. BMC Helix CMDB runs on 1.5 JREs from two distributors: Oracle (for Windows, Solaris, Linux, HP-UX) and IBM (for AIX).

  1. Download the appropriate files from the following Web address: http://java.sun.com/javase/downloads/index_jdk5.jsp


  2. Stop the Tomcat server.
  3. Install the downloaded files into the lib/security directory of the JRE and JVM on which Tomcat 6 depends.
    These files overwrite the existing files.
  4. Restart the Tomcat server.
    The extended cryptography is applied, and the new algorithms are available to apply WS-Security policies.
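The following check, added here as an example and not part of BMC's documentation or product, confirms from inside the JRE that the policy files copied in step 3 are actually in effect. Run it with the same JRE that Tomcat uses, because the policy applies per JRE. It reports the largest AES key length the installed jurisdiction policy allows and then attempts to initialise AES with a 256-bit key, which is exactly what fails with "Illegal key size" when the default restricted policy is still installed. The key and IV are constructed zero values used only for the probe.

```java
// Added example (not BMC's code): verifies that the Unlimited Strength
// policy files are in effect for the JRE this program runs on.
// Compile and run with the JRE Tomcat uses, for example:
//   javac CheckUnlimitedStrength.java && java CheckUnlimitedStrength
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CheckUnlimitedStrength {

    /** Largest AES key (in bits) the installed jurisdiction policy permits;
     *  Integer.MAX_VALUE means the unlimited policy files are installed. */
    public static int maxAesKeyLength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Tries to initialise AES-CBC with a 256-bit key. The all-zero key and IV
     *  are constructed probe values, never used for real data. With the default
     *  restricted policy, init() throws InvalidKeyException ("Illegal key size");
     *  with the unlimited policy it succeeds. */
    public static boolean canUseAes256() throws GeneralSecurityException {
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES"); // 32 bytes = 256 bits
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);     // AES block size
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key, iv);
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        int max = maxAesKeyLength();
        System.out.println("java.home          = " + System.getProperty("java.home"));
        System.out.println("max AES key length = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println("AES-256 usable     = " + canUseAes256());
        if (max < 256) {
            System.out.println("Unlimited Strength policy files are NOT installed for this JRE.");
            System.exit(1);
        }
    }
}
```

A non-zero exit status makes the check usable from the same script that stops and restarts Tomcat, so a node whose policy files were copied into the wrong JRE (for example a second JRE on the host) is caught before WS-Security policies referencing AES-256 are deployed.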

To enable FIPS compliance

After applying the Unlimited Strength Java Cryptography Extension, you can enable FIPS compliance on your node.

  1. In a text editor, open the java.security file in the lib/security directory of the JRE and JDK.
  2. Add the library's representative implementing class as the first entry in the list of security providers, renumbering each existing entry up by one.

    The order and type of security providers depends on existing providers. The following example shows one possibility.

    security.provider.1=sun.security.rsa.SunRsaSign
    security.provider.2=*** FIPS-COMPLIANT PROVIDER CLASS ***
    security.provider.3=sun.security.provider.Sun
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
    security.provider.7=com.sun.security.sasl.Provider
    security.provider.8=org.bouncycastle.jce.provider.BouncyCastleProvider
  3. Fulfill other requirements that are specific to the implementation of the FIPS-compliant library, such as a Java property set through CATALINA_OPTS or through a registry entry when running Tomcat as a service.
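Editing java.security does not by itself prove the FIPS provider is loaded: if the class name is misspelled or its jar is not on the JRE's classpath, the JRE silently skips that entry and the next provider (for AES, SunJCE) serves the algorithms instead. The program below is an added example, not BMC's code, that prints the provider list the running JRE actually built from java.security, reports the position of the provider class you pass as an argument (a placeholder for whichever FIPS library you installed), and shows which provider the JCE framework selects for AES. Run it with the same JRE and the same system properties (for example those set in CATALINA_OPTS) that Tomcat uses.

```java
// Added example (not BMC's code): shows the provider order the running JRE
// loaded from java.security and which provider currently serves AES.
// Usage: java CheckProviderOrder <fully.qualified.FipsProviderClass>
// The argument is a placeholder for the FIPS provider class you installed.
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class CheckProviderOrder {

    /** 1-based position of the provider whose class name matches, or -1 if the
     *  JRE did not load it (typo in java.security, or jar not on the classpath). */
    public static int positionOf(String providerClass) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getClass().getName().equals(providerClass)) {
                return i + 1;
            }
        }
        return -1;
    }

    /** Name of the provider the JCE framework picks first for AES-CBC. */
    public static String aesProviderName()
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        return Cipher.getInstance("AES/CBC/PKCS5Padding").getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: CheckProviderOrder <FIPS provider class name>");
            System.exit(2);
        }
        String fipsClass = args[0];

        // Print the effective order in the same form java.security uses.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            System.out.println("security.provider." + (i + 1) + "=" + p.getClass().getName()
                    + "   (" + p.getName() + " " + p.getVersion() + ")");
        }

        int fipsPos = positionOf(fipsClass);
        int sunJcePos = positionOf("com.sun.crypto.provider.SunJCE");
        System.out.println("FIPS provider position : " + (fipsPos > 0 ? String.valueOf(fipsPos) : "not loaded"));
        System.out.println("AES served by          : " + aesProviderName());

        if (fipsPos < 0) {
            System.out.println("The FIPS provider is not loaded: check the class name in java.security"
                    + " and that its jar is visible to this JRE.");
            System.exit(1);
        }
        if (sunJcePos > 0 && fipsPos > sunJcePos) {
            System.out.println("WARNING: SunJCE precedes the FIPS provider, so non-FIPS AES is selected.");
            System.exit(1);
        }
    }
}
```

The "AES served by" line is the one to compare against the provider you expect: a provider that appears in the list but after SunJCE is loaded yet never used for AES, which is the ordering mistake the renumbering in step 2 is meant to prevent.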
