These procedures use Sun Java System Web Server 7.0 as the OpenSSO Enterprise web container with the NSS Certificate DB (certdb) as the key/certificate store.
If Web Server 7.0 has the Java Security Manager enabled, add the following additional permissions to the Web Server 7.0 server.policy file:
permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";
Set the password for the internal PKCS11 token using either the Web Server 7.0 Administration Console or CLI command.
For the password requirements in FIPS mode, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
For example, to set the password using the Web Server 7.0 wadm command:
wadm> set-token-pin --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --config=config1 --token=internal
Or, to set the password using the Web Server 7.0 Administration Console:
If you modified files in the Web Server 7.0 config directory using modutil or certutil, pull the changes into the Web Server 7.0 Admin Server. For example:
wadm pull-config --user=admin --password-file=path-to-password-file --host=server-host --port=8989 --config=config1 node1
Confirm that FIPS is enabled by restarting the Web Server 7.0 instance. You should see a new prompt for the certdb password or PIN. For example:
> Please enter the PIN for the "NSS FIPS 140-2 Certificate DB" token:
Log in to the Web Server 7.0 Administration Console.
Click Configuration.
Click the server instance you want to configure.
Click the HTTP Listeners tab and then click the listener instance you want to configure.
Select the SSL tab in the new popup window.
Disable SSL2 and SSL3, leaving only TLS.
Disable all non-FIPS-compliant TLS cipher suites by removing them from the Selected list.
See the following list for the FIPS compliant TLS cipher suites.
Save your changes.
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
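The following is an added audit script, not code from the OpenSSO Enterprise or Web Server 7.0 documentation: it checks an HTTP listener's SSL settings against the steps above (SSL2 and SSL3 off, TLS on, only the listed cipher suites selected). The listener is described by a constructed dict that mirrors what the SSL tab shows; it is not the product's own configuration format, and the sample values are made up.

```python
"""Audit a Web Server 7.0 HTTP listener's SSL settings against the FIPS steps.
Added example; the listener dict below is constructed, not the product's format."""

# The 21 FIPS-compliant TLS cipher suites from the list above, generated from
# their key-exchange and cipher components (7 key exchanges x 3 ciphers).
FIPS_TLS_SUITES = frozenset(
    f"TLS_{kx}_WITH_{enc}_SHA"
    for kx in ("DHE_DSS", "DHE_RSA", "RSA", "ECDHE_ECDSA", "ECDHE_RSA",
               "ECDH_ECDSA", "ECDH_RSA")
    for enc in ("3DES_EDE_CBC", "AES_128_CBC", "AES_256_CBC")
)


def audit_listener(listener):
    """Return a list of findings; an empty list means the listener matches the procedure."""
    findings = []
    protocols = listener["protocols"]
    for proto in ("SSL2", "SSL3"):
        if protocols.get(proto, False):
            findings.append(f"{proto} is enabled; disable it so only TLS remains")
    if not protocols.get("TLS", False):
        findings.append("TLS is disabled; FIPS mode requires TLS as the only protocol")
    selected = listener["selected_suites"]
    for suite in selected:
        if suite not in FIPS_TLS_SUITES:
            findings.append(f"non-FIPS cipher suite selected, remove it: {suite}")
    if not any(s in FIPS_TLS_SUITES for s in selected):
        findings.append("no FIPS cipher suite selected; TLS handshakes would fail after cleanup")
    return findings


def fips_selection(selected):
    """The Selected list with non-FIPS suites removed, order preserved."""
    return [s for s in selected if s in FIPS_TLS_SUITES]


# Constructed sample listener: SSL3 still enabled and two legacy suites selected.
SAMPLE_LISTENER = {
    "name": "http-listener-1",
    "protocols": {"SSL2": False, "SSL3": True, "TLS": True},
    "selected_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_NULL_SHA",
    ],
}

if __name__ == "__main__":
    for finding in audit_listener(SAMPLE_LISTENER):
        print("FINDING:", finding)
    print("keep:", fips_selection(SAMPLE_LISTENER["selected_suites"]))
```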