Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Enabling FIPS Mode for Web Server 7.0

Procedure: To Enable FIPS Mode for Web Server 7.0

  1. If the Java Security Manager is enabled for Web Server 7.0, add the following permissions to the Web Server 7.0 server.policy file. They allow the Mozilla-JSS security provider to be inserted, configured, and removed at run time. Add them to the grant entry that already covers the server's own code, not as a new unconditional grant, which would extend the same rights to every codebase:

    permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
    permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
    permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";
  2. Set the password (PIN) for the internal PKCS11 token using either the Web Server 7.0 Administration Console or the wadm CLI command.

    For the password requirements in FIPS mode, see the FIPS 140-2 security policy for the NSS cryptographic module at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

    For example, to set the password using the Web Server 7.0 wadm command:

    wadm> set-token-pin --user=admin --password-file=admin.pwd
    --host=serverhost --port=8989 --config=config1 --token=internal

    Or, to set the password using the Web Server 7.0 Administration Console:

    1. In the Administration Console, go to the Configuration page.

    2. Click Certificates and then PKCS11 Tokens.

    3. Click the PKCS11 token name (default is internal).

    4. Check the Token State box.

    5. Enter the password information.

    6. Click Save.

  3. If you modified files in the Web Server 7.0 config directory directly with modutil or certutil (for example, the NSS certificate and key databases), pull the changes into the Web Server 7.0 Admin Server so that its copy of the configuration matches the instance. For example:

    wadm pull-config --user=admin --password-file=path-to-password-file
    --host=server-host --port=8989 --config=config1 node1
  4. Confirm that FIPS mode is enabled by restarting the Web Server 7.0 instance. Because the internal token is now the FIPS token, the startup prompt for the certificate database password or PIN names it as the FIPS 140-2 token. For example:

    > Please enter the PIN for the "NSS FIPS 140-2 Certificate DB" token:
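The following script is an added example, not part of the OpenSSO guide or of Sun's tooling. It runs the four steps above from a POSIX shell with the checks a practitioner wants before each one: it reports which of the three JSS permissions are still missing from server.policy, validates a candidate token PIN against the NSS FIPS password rule published in the security policy linked in step 2 (at least seven characters from at least three of five character classes, with a leading uppercase letter and a trailing digit not counting toward their class) before wadm is asked to set it, switches the NSS database to FIPS mode with modutil and verifies it with modutil -chkfips, pulls the configuration, and restarts the instance from a terminal so the FIPS token prompt is visible. Everything about the layout is an assumption: the WS_INSTANCE_DIR, ADMIN_PWD_FILE, ADMIN_HOST, ADMIN_PORT, CONFIG and NODE variables, the instance's bin/stopserv and bin/startserv scripts, and that wadm set-token-pin prompts for the PIN itself.

```shell
#!/bin/sh
# Added example (not from the OpenSSO guide or Sun's tooling): scripts the
# FIPS-enablement steps with checks before each one. Assumed, hypothetical layout:
#   WS_INSTANCE_DIR  instance directory, e.g. /opt/webserver7/https-config1;
#                    server.policy and the NSS DB files live in its config/
#   ADMIN_PWD_FILE   wadm admin password file (keep it mode 0600)
#   ADMIN_HOST, ADMIN_PORT (8989), CONFIG (config1), NODE (node1) as in the guide
set -e

# FIPS token PIN rule as published in the NSS FIPS 140-2 security policy:
# 7 or more characters from at least three of five classes (digits, ASCII
# lowercase, ASCII uppercase, ASCII non-alphanumerics, non-ASCII); an uppercase
# letter in the first position and a digit in the last position do not count
# toward their class. Non-ASCII is judged per byte here, so a multi-byte
# character inflates the length count slightly.
fips_pin_ok() {
  PIN="$1" LC_ALL=C awk 'BEGIN {
    pin = ENVIRON["PIN"]; n = length(pin)
    if (n < 7) exit 1
    for (i = 1; i <= n; i++) {
      c = substr(pin, i, 1)
      if      (c ~ /^[0-9]$/) { if (i < n) digit = 1 }
      else if (c ~ /^[A-Z]$/) { if (i > 1) upper = 1 }
      else if (c ~ /^[a-z]$/) { lower = 1 }
      else if (c ~ /^[ -~]$/) { punct = 1 }   # space and ASCII punctuation
      else                    { other = 1 }   # bytes >= 0x80 (and controls)
    }
    if (digit + upper + lower + punct + other >= 3) exit 0
    exit 1
  }'
}

# Step 1 check: print the JSS provider permissions still missing from the
# server.policy given as $1; returns 1 if any is missing. Put them inside the
# grant entry that already covers the server's code, not a new unconditional one.
policy_missing_perms() {
  policy="$1"; rc=0
  for target in insertProvider.Mozilla-JSS putProviderProperty.Mozilla-JSS \
                removeProvider.Mozilla-JSS; do
    if ! grep -qF -- "java.security.SecurityPermission \"$target\"" "$policy"; then
      printf 'permission java.security.SecurityPermission "%s";\n' "$target"
      rc=1
    fi
  done
  return $rc
}

# Put the NSS database in $1 into FIPS mode with modutil and verify it.
# -force suppresses modutil's interactive confirmation; -chkfips true exits 0
# only if the module really is in FIPS mode. Re-running is harmless.
enable_fips_db() {
  dbdir="$1"
  if modutil -dbdir "$dbdir" -chkfips true >/dev/null 2>&1; then
    echo "FIPS mode already enabled for $dbdir"; return 0
  fi
  modutil -dbdir "$dbdir" -fips true -force
  modutil -dbdir "$dbdir" -chkfips true
}

wadm_cmd() {  # wadm <command> with the guide's connection options first
  cmd="$1"; shift
  wadm "$cmd" --user=admin --password-file="$ADMIN_PWD_FILE" \
       --host="$ADMIN_HOST" --port="${ADMIN_PORT:-8989}" "$@"
}

run_procedure() {
  : "${WS_INSTANCE_DIR:?set WS_INSTANCE_DIR}" "${ADMIN_PWD_FILE:?}" "${ADMIN_HOST:?}"
  cfg="$WS_INSTANCE_DIR/config"; config="${CONFIG:-config1}"; node="${NODE:-node1}"

  # Step 1: required when the Java Security Manager is enabled; harmless otherwise
  policy_missing_perms "$cfg/server.policy" ||
    { echo "add the permissions above to $cfg/server.policy first"; exit 1; }

  # Step 2: check the PIN locally before the token sees it; the FIPS token
  # rejects a non-compliant PIN with a far less specific error
  printf 'New PIN for the internal token: '
  stty -echo; read -r pin; stty echo; echo
  fips_pin_ok "$pin" || { echo "PIN does not meet the FIPS rule"; exit 1; }
  unset pin
  wadm_cmd set-token-pin --config="$config" --token=internal   # wadm prompts for the PIN (assumption)

  # Step 3: switch the module, then sync the Admin Server with the on-disk change
  enable_fips_db "$cfg"
  wadm_cmd pull-config --config="$config" "$node"

  # Step 4: restart from a terminal; the prompt for the
  # "NSS FIPS 140-2 Certificate DB" token is the confirmation
  "$WS_INSTANCE_DIR/bin/stopserv"
  "$WS_INSTANCE_DIR/bin/startserv"
}

case "${1:-}" in run) run_procedure ;; esac
```

Run it as `sh enable-fips.sh run` with the variables exported. The PIN check is the part worth keeping even if you do the rest by hand: "Secret1" fails it (the leading S and trailing 1 do not count, leaving one class) while "Secret1!" passes, which is exactly the kind of rejection the token reports without explanation.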