This chapter describes how to configure Sun OpenSSO Enterprise in Federal Information Processing Standards (FIPS) 140 mode, including:
This chapter describes how to enable FIPS mode for Sun Java System Web Server 7.0. To enable FIPS mode for other web containers, refer to the product documentation for the specific web container.
Enable FIPS mode for the NSS database using the Security Module Database Tool (modutil). For example:
modutil -fips true -dbdir path-to-nss-database
where path-to-nss-database represents the path to the NSS database.
For example, by default, for Web Server 7.0, the NSS database is in the config directory of the Web Server 7.0 instance.
For information about using modutil, see http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html.
These procedures use Sun Java System Web Server 7.0 as the OpenSSO Enterprise web container with the NSS Certificate DB (certdb) as the key/certificate store.
If Web Server 7.0 has the Java Security Manager enabled, add the following additional permissions to the Web Server 7.0 server.policy file:
permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";
Set the password for the internal PKCS11 token using either the Web Server 7.0 Administration Console or CLI command.
For the password requirements in FIPS mode, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
For example, to set the password using the Web Server 7.0 wadm command:
wadm> set-token-pin --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --config=config1 --token=internal
Or, to set the password using the Web Server 7.0 Administration Console:
If you modified files in the Web Server 7.0 config directory using modutil or certutil, pull the changes into the Web Server 7.0 Admin Server. For example:
wadm pull-config --user=admin --password-file=path-to-password-file --host=server-host --port=8989 --config=config1 node1
Confirm that FIPS is enabled by restarting the Web Server 7.0 instance. You should see a new prompt for the certdb password or PIN. For example:
> Please enter the PIN for the "NSS FIPS 140-2 Certificate DB" token:
Log in to the Web Server 7.0 Administration Console.
Click Configuration.
Click the server instance you want to configure.
Click the HTTP Listeners tab and then click the listener instance you want to configure.
Select the SSL tab in the new pop-up window.
Disable SSL2 and SSL3, leaving only TLS.
Disable all non-FIPS-compliant TLS cipher suites by removing them from the Selected list.
See the following list for the FIPS-compliant TLS cipher suites.
Save your changes.
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
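An added helper script for the Web Server 7.0 steps above, not part of the OpenSSO documentation: it enables and verifies FIPS mode on the NSS database with modutil, checks a server.policy file for the three Mozilla-JSS permissions, and filters a listener's cipher list down to the FIPS-compliant suites listed above. The database and policy file paths are assumed arguments.

```shell
#!/bin/sh
# Added example, not from the OpenSSO documentation: helpers for the Web
# Server 7.0 FIPS steps above. Paths passed as arguments are assumptions.

# The FIPS-compliant TLS cipher suites listed above (NSS names).
FIPS_SUITES="
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"

# Enable FIPS mode on the NSS database at $1 (stop the server first; -force
# skips modutil's interactive warning) and verify the resulting state.
nss_enable_fips() {
    modutil -fips true -force -dbdir "$1" &&
    modutil -chkfips true -dbdir "$1"
}

# Print each Mozilla-JSS provider permission missing from the server.policy
# file $1. Returns the number of missing permissions (0 = file is complete).
check_jss_policy() {
    _missing=0
    for _action in insertProvider putProviderProperty removeProvider; do
        _perm="permission java.security.SecurityPermission \"$_action.Mozilla-JSS\";"
        if ! grep -qF "$_perm" "$1"; then
            echo "missing: $_perm"
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# Read cipher suite names, one per line, on stdin and print only the FIPS
# ones; every other suite (SSL2/SSL3, RC4, MD5, NULL, export) goes to stderr.
fips_only_ciphers() {
    while IFS= read -r _suite; do
        if printf '%s\n' $FIPS_SUITES | grep -qxF "$_suite"; then
            echo "$_suite"
        else
            echo "dropped non-FIPS suite: $_suite" >&2
        fi
    done
}
```

Run check_jss_policy against the Web Server 7.0 server.policy before restarting, and pipe the listener's current cipher list through fips_only_ciphers to see what the Selected list should contain.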
jss4.jar file - The jss4.jar file must be compatible with the NSS version you are using. If necessary, download a compatible jss4.jar file and copy it to the application or web container /lib directory.
Multiple OpenSSO Enterprise 8.0 instances - If you are configuring multiple OpenSSO Enterprise 8.0 instances that are part of a site, first add and configure all instances in the site in non-FIPS mode. Then, after all instances are added and configured for the site, configure the instances in FIPS mode.
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, and then the Server Name instance.
Click Security.
Click Inheritance Settings.
Uncheck the Encryption class, FIPS Mode, and Secure Random Factory Class properties.
Click Save and then Back to Server Profile.
Change Encryption class to com.iplanet.services.util.JSSEncryption.
Change Secure Random Factory Class to com.iplanet.am.util.JSSSecureRandomFactoryImpl.
Check Yes for FIPS Mode.
Click Save and then the Advanced tab.
Change the com.iplanet.security.SSLSocketFactoryImpl property to com.iplanet.services.ldap.JSSSocketFactory.
Click Add and add the following property and value:
Property Name: opensso.protocol.handler.pkgs
Property Value: com.iplanet.services.comm
Click Add and add the following property and value:
Property Name: com.iplanet.am.admin.cli.certdb.dir
Property Value: path-to-FIPS-enabled-NSS-database
Click Save.
Restart the OpenSSO Enterprise 8.0 server instance.
OpenSSO Enterprise 8.0 uses the following FIPS-compliant algorithms: