Chapter 21 Configuring OpenSSO Enterprise 8.0 in FIPS Mode

This chapter describes how to configure Sun OpenSSO Enterprise in Federal Information Processing Standards (FIPS) 140 mode, including:

This chapter described how to enable FIPS mode for Sun Java System Web Server 7.0. To enable FIPS mode for other web containers, refer to the product documentation for the specific web container.

Enabling FIPS Mode for the NSS Database

To Enable FIPS Mode for the NSS Database

Enable FIPS mode for the NSS database using the Security Module Database Tool (modutil). For example:
```
modutil -fips true -dbdir path-to-nss-database
```
where path-to-nss-database represents the path to the NSS database.

For example, by default, for Web Server 7.0, the NSS database is in the config directory of the Web Server 7.0 instance.

For information about using modutil, see http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html.

Configuring FIPS Mode for Sun Java System Web Server 7.0

These procedures use Sun Java System Web Server 7.0 as the OpenSSO Enterprise web container with the NSS Certificate DB (certdb) as the key/certificate store.

Enabling FIPS Mode for Web Server 7.0

To Enable FIPS Mode for Web Server 7.0

If Web Server 7.0 has the Java Security Manager enabled, add the following additional permissions to the Web Server 7.0 server.policy file:

permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";

Set the password for the internal PKCS11 token using either the Web Server 7.0 Administration Console or CLI command.

For the password requirements in FIPS mode, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

For example, to set the password using the Web Server 7.0 wadm command:
```
wadm> set-token-pin --user=admin --password-file=admin.pwd
--host=serverhost --port=8989 --config=config1 --token=internal
```
Or, to set the password using the Web Server 7.0 Administration Console:
1. In the Administration Console, go to the Configuration page.
2. Click Certificates and then PKCS11 Tokens.
3. Click the PKCS11 token name (default is internal).
4. Check the Token State box.
5. Enter the password information.
6. Click Save.

If you modified files in the Web Server 7.0 config directory using modutil or certutil, pull the changes into the Web Server 7.0 Admin Server. For example:
```
wadm pull-config --user=admin --password-file=path-to-password-file
--host=server-host --port=8989 --config=config1 node1
```

Confirm that FIPS is enabled by restarting the Web Server 7.0 instance. You should see a new prompt for the certdb password or PIN. For example:
```
> Please enter the PIN for the "NSS FIPS 140-2 Certificate DB" token:
```

Configuring the Web Server 7.0 Transport Layer Security (TLS) to be FIPS 140 Compliant

To Configure the Web Server 7.0 TLS to be FIPS 140 Compliant

Click Configuration.

Click the server instance you want to configure.

Click the HTTP Listeners tab and then click the listener instance you want to configure.

Select the SSL tab in new popup window.

Disable SSL2 and SSL3, leaving only TLS.

Disable all non-FIPS Compliant TLS Cipher suite by removing them from the Selected list.

See the following list for the FIPS compliant TLS cipher suites.

Save your changes.

FIPS Compliant TLS Cipher Suites

TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Configuring FIPS Mode for OpenSSO Enterprise 8.0

To Configure FIPS Mode for OpenSSO Enterprise 8.0

Before You Begin

jss4.jar file - The jss4.jar file must be compatible with the NSS version you are using. If necessary, download a compatible jss4.jar file and copy it to the application or web container /lib directory.
Multiple OpenSSO Enterprise 8.0 instances - If you are configuring multiple OpenSSO Enterprise 8.0 instances that are part of a site, first add and configure all instances in the site in non-FIPS mode. Then, after all instances are added and configured for the site, configure the instances in FIPS mode.

Click Configuration, Servers and Sites, and then the Server Name instance.

Click Security.

Click Inheritance Settings.

Uncheck the Encryption class, FIPS Mode, and Secure Random Factory Class properties.

Click Save and then Back to Server Profile.

Change Encryption class to com.iplanet.services.util.JSSEncryption.

Change Secure Random Factory Class to com.iplanet.am.util.JSSSecureRandomFactoryImpl.

Check Yes for FIPS Mode.

Click Save and then the Advanced tab.

Change the com.iplanet.security.SSLSocketFactoryImpl property to com.iplanet.services.ldap.JSSSocketFactory.

Click Add and add following property and value:
- Property Name: opensso.protocol.handler.pkgs
- Property Value: com.iplanet.services.comm

Click Add and add following property and value:
- Property Name: com.iplanet.am.admin.cli.certdb.dir
- Property Value: path-to-FIPS-enabled-NSS-database

Click Save.

Restart the OpenSSO Enterprise 8.0 server instance.

OpenSSO Enterprise 8.0 FIPS Compliant Algorithms

OpenSSO Enterprise 8.0 uses the following FIPS compliant algorithms:

Hashes: SHA-1
Encryption: Triple Data Encryption Standard (Triple DES)
XML signature (XMLDSIG):
XML encryption:
- Triple Data Encryption Standard (Triple DES)
- AES_128_KeyWrap
- AES_192_KeyWrap
- AES_256_KeyWrap