To Configure FIPS Mode for OpenSSO Enterprise 8.0

Before You Begin

• jss4.jar file - The jss4.jar file must be compatible with the NSS version you are using. If necessary, download a compatible jss4.jar file and copy it to the application or web container /lib directory.

• Multiple OpenSSO Enterprise 8.0 instances - If you are configuring multiple OpenSSO Enterprise 8.0 instances that are part of a site, first add and configure all instances in the site in non-FIPS mode. Then, after all instances are added and configured for the site, configure the instances in FIPS mode.

1. Log in to the OpenSSO Administration Console.

2. Click Configuration, Servers and Sites, and then the Server Name instance.

3. Click Security.

4. Click Inheritance Settings.

5. Uncheck the Encryption class, FIPS Mode, and Secure Random Factory Class properties.

6. Click Save and then Back to Server Profile.

7. Change Encryption class to com.iplanet.services.util.JSSEncryption.

8. Change Secure Random Factory Class to com.iplanet.am.util.JSSSecureRandomFactoryImpl.

9. Check Yes for FIPS Mode.

10. Click Save and then the Advanced tab.

11. Change the com.iplanet.security.SSLSocketFactoryImpl property to com.iplanet.services.ldap.JSSSocketFactory.

12. Click Add and add following property and value:

    • Property Name: opensso.protocol.handler.pkgs

    • Property Value: com.iplanet.services.comm

13. Click Add and add following property and value:

    • Property Name: com.iplanet.am.admin.cli.certdb.dir

    • Property Value: path-to-FIPS-enabled-NSS-database

14. Click Save.

15. Restart the OpenSSO Enterprise 8.0 server instance.