Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Configuring FIPS Mode for Sun Java System Web Server 7.0

These procedures use Sun Java System Web Server 7.0 as the OpenSSO Enterprise web container with the NSS Certificate DB (certdb) as the key/certificate store.

Enabling FIPS Mode for Web Server 7.0

Procedure: To Enable FIPS Mode for Web Server 7.0

  1. If Web Server 7.0 has the Java Security Manager enabled, add the following additional permissions to the Web Server 7.0 server.policy file:

    permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
    permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
    permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";
  2. Set the password for the internal PKCS11 token using either the Web Server 7.0 Administration Console or the wadm CLI command.

    For the password requirements in FIPS mode, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

    For example, to set the password using the Web Server 7.0 wadm command:

    wadm> set-token-pin --user=admin --password-file=admin.pwd
    --host=serverhost --port=8989 --config=config1 --token=internal

    Or, to set the password using the Web Server 7.0 Administration Console:

    1. In the Administration Console, go to the Configuration page.

    2. Click Certificates and then PKCS11 Tokens.

    3. Click the PKCS11 token name (default is internal).

    4. Check the Token State box.

    5. Enter the password information.

    6. Click Save.

  3. If you modified files in the Web Server 7.0 config directory using modutil or certutil, pull the changes into the Web Server 7.0 Admin Server. For example:

    wadm pull-config --user=admin --password-file=path-to-password-file
    --host=server-host --port=8989 --config=config1 node1
  4. Confirm that FIPS is enabled by restarting the Web Server 7.0 instance. You should see a new prompt for the certdb password or PIN. For example:

    > Please enter the PIN for the "NSS FIPS 140-2 Certificate DB" token:

Configuring the Web Server 7.0 Transport Layer Security (TLS) to be FIPS 140 Compliant

Procedure: To Configure the Web Server 7.0 TLS to be FIPS 140 Compliant

  1. Log in to the Web Server 7.0 Administration Console.

  2. Click Configuration.

  3. Click the server instance you want to configure.

  4. Click the HTTP Listeners tab and then click the listener instance you want to configure.

  5. Select the SSL tab in the new popup window.

  6. Disable SSL2 and SSL3, leaving only TLS.

  7. Disable all non-FIPS compliant TLS cipher suites by removing them from the Selected list.

    See the following list for the FIPS compliant TLS cipher suites.

  8. Save your changes.
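As an added example that is not part of the guide, the following Python script audits two of the settings from the procedures above offline: that server.policy grants the three Mozilla-JSS permissions from the first procedure, and that a listener has SSL2 and SSL3 disabled with only FIPS-eligible cipher suites selected. The sample policy text and listener settings are constructed, and the cipher-suite filter is a heuristic assumption (it rejects legacy algorithms not approved under FIPS 140-2); the guide's own cipher-suite table remains the authoritative list.

```python
import re

# Constructed sample: two of the three permission lines from the procedure,
# as they would appear inside a grant block of server.policy.
SAMPLE_POLICY = """
grant {
    permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
    permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
};
"""

# The three permissions the guide requires when the Java Security Manager is on.
REQUIRED_JSS_PERMISSIONS = {
    "insertProvider.Mozilla-JSS",
    "putProviderProperty.Mozilla-JSS",
    "removeProvider.Mozilla-JSS",
}

PERMISSION_RE = re.compile(
    r'permission\s+java\.security\.SecurityPermission\s+"([^"]+)"\s*;')


def missing_jss_permissions(policy_text):
    """Return the required Mozilla-JSS permissions absent from a server.policy text."""
    granted = set(PERMISSION_RE.findall(policy_text))
    return sorted(REQUIRED_JSS_PERMISSIONS - granted)


# Heuristic (assumption, not the guide's table): suite names carrying these
# markers use algorithms that are not FIPS 140-2 approved (RC4, RC2, MD5,
# NULL encryption, export-grade keys, single DES). 3DES is not matched by
# "_DES_" because its suite names read "_3DES_EDE_".
NON_FIPS_MARKERS = ("RC4", "RC2", "MD5", "NULL", "EXPORT", "_DES_")


def is_fips_cipher_suite(name):
    """True if the suite name carries none of the non-FIPS algorithm markers."""
    upper = name.upper()
    return not any(marker in upper for marker in NON_FIPS_MARKERS)


def audit_listener(protocols, selected_ciphers):
    """protocols: {"SSL2": bool, "SSL3": bool, "TLS": bool}; returns findings."""
    findings = []
    for proto in ("SSL2", "SSL3"):
        if protocols.get(proto):
            findings.append(f"{proto} enabled; only TLS may remain")
    if not protocols.get("TLS"):
        findings.append("TLS disabled; listener cannot serve FIPS TLS")
    for suite in selected_ciphers:
        if not is_fips_cipher_suite(suite):
            findings.append(f"non-FIPS cipher suite selected: {suite}")
    return findings
```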

FIPS Compliant TLS Cipher Suites