9 FIPS 140 Support in Oracle Fusion Middleware

The following topics describe Oracle Fusion Middleware support for FIPS 140:

9.1 About the FIPS Standard

Federal Information Processing Standards (FIPS) are a series of standards established by the US National Institute of Standards and Technology (NIST) for use in evaluating the security of computer systems and networks.

One of the FIPS standards, FIPS 140-2, specifies the security requirements that must be met by a cryptographic module to protect sensitive information. The standard provides four increasing, qualitative levels of security to cover the wide range of potential applications and environments in which cryptographic modules may be employed.


In the remainder of this chapter, the term 'FIPS 140' refers to the FIPS 140-2 standard.

9.2 About FIPS 140 in Oracle Fusion Middleware Release 11g (

Oracle Fusion Middleware Release 11g Release 1 ( supports the use of FIPS 140-enabled cryptographic libraries.

The ability to operate in FIPS 140 mode is not a generic, product suite-wide claim. Instead, it is specific to a defined set of scenarios and transactions supported by relevant Oracle Fusion Middleware 11g ( product components. It applies where validated cryptography is used to support or enforce security-sensitive tasks such as authentication, authorization, confidentiality, integrity, and so on.

The use of cryptographic services for other tasks that are non-security sensitive does not require FIPS 140 compliance. Oracle Fusion Middleware 11g ( supports enabling FIPS 140 mode for security-sensitive scenarios while complying and co-existing with product functionality that does not require operating in that mode.

About FIPS 140-validated Libraries

To support FIPS 140 operation, Oracle Fusion Middleware 11g ( includes FIPS 140-validated RSA libraries from RSA, the Security Division of EMC (RSA). Algorithms not approved under FIPS 140 are disabled within the RSA libraries.

The libraries are based on RSA version 6.2 BSAFE and JCE software and include the following modules:

  • Crypto-J V6.2.0.1

  • SSL-J V6.2

  • Cert-J V6.2

FIPS 140-2 support requires JDK 7. Fusion Middleware uses Oracle JDK 1.7.0_80 or higher.

In addition to the continued support for RSA keys, Oracle Fusion Middleware 11g ( also supports Elliptic Curve Cryptography (ECC). ECC is emerging as an attractive form of public-key cryptography because it offers equivalent security with smaller key sizes, which results in faster computations, lower power consumption, and memory and bandwidth savings.


These are the FIPS 140-certified library and module versions at the time of publication. The actual versions in effect at your installation could be slightly different from the ones listed here, as the vendor may issue some patches between certification and the time the product actually ships. Thus the actual version could be a dot release of the certified version.

The version number is for information only; you can independently verify the certification and the strength of the algorithms.

For background about the FIPS 140 standards and algorithms, refer to the FIPS 140-2 documentation at:


Provider and Algorithm Selection

FIPS 140 implementation in Oracle Fusion Middleware occurs in the context of the Java platform's Java Cryptography Architecture (JCA). So that FIPS 140-validated algorithms for security-sensitive tasks can co-exist with algorithms used for other tasks, additional cryptographic providers are also configured. These providers supply functionality not supported in the FIPS 140-validated RSA libraries, as well as certain non-compliant cryptographic functions such as MD5, which are disabled within the FIPS 140-validated RSA libraries.

The basic flow is as follows:

  • An application (for example, an external web client or Oracle HTTP Server) requests a service or connection to a server such as WebLogic Server. The request typically involves a "payload" such as a data packet to be transmitted.

  • JCA evaluates the request to determine whether FIPS 140 compliance is required.

  • The request is routed to JCA's "provider" framework, which contains a set of providers (both FIPS 140-compliant and non-compliant) for digital signatures, message digests (hashes), certificates and certificate validation, encryption, and other cryptographic services.

  • The providers are searched in preference order and the implementation from the first provider that supplies the correct algorithm is returned. For the security-sensitive cases, only FIPS 140 compliant algorithms are used to execute the cryptographic operations.

Figure 9-1 illustrates this flow:

Figure 9-1 Selecting a FIPS 140 Provider


  • The first request, on the left, is made in a security-sensitive scenario. JCA uses the SHA-256 provider from the RSA cryptographic library to process the request and deliver the FIPS 140 payload.

  • The second request, on the right, is executed in a non-sensitive scenario. JCA uses the MD5 provider from the non-cryptographic library to process the request with the non-FIPS 140 payload.

Thus, a security-sensitive scenario such as HTTPS/TLS inbound and outbound communication, which is intended to be FIPS 140-compliant, uses only those cryptographic functions available in the FIPS 140-validated RSA libraries to encrypt and sign HTTPS/TLS network payloads.
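The preference-order lookup described in this section can be observed on a running JVM. The following Java program is an added example, not Oracle's code; it uses only standard JCA calls, and the class name ProviderLookup and the use of SHA-256 and MD5 as probe algorithms (taken from the Figure 9-1 discussion) are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

// Added example (hypothetical class name): shows which JCA provider serves a digest.
public class ProviderLookup {

    // Walk the providers in preference order and return the first one that
    // registers the requested MessageDigest algorithm, or null if none does.
    static Provider firstProviderFor(String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("MessageDigest", algorithm) != null) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Provider[] providers = Security.getProviders();
        System.out.println("Providers in preference order:");
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("  %d. %s (%s)%n", i + 1,
                    providers[i].getName(), providers[i].getClass().getName());
        }

        for (String alg : new String[] {"SHA-256", "MD5"}) {
            Provider first = firstProviderFor(alg);
            try {
                // What JCA actually hands back for a request with no provider named.
                Provider actual = MessageDigest.getInstance(alg).getProvider();
                System.out.printf("%s: first registered by %s, served by %s%n", alg,
                        first == null ? "none" : first.getName(), actual.getName());
            } catch (NoSuchAlgorithmException | SecurityException e) {
                // A FIPS 140 provider can refuse an algorithm outright
                // (see the MD5 SecurityException under 9.5.3).
                System.out.printf("%s: not available (%s)%n", alg, e);
            }
        }
    }
}
```

Run it with the same JAVA_HOME and CLASSPATH as the server so that the provider list reflects the server's java.security file.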

9.3 Components with FIPS 140 Support

When you plan to work with FIPS 140 in Oracle Fusion Middleware, be aware of the different components at various layers of the middleware stack where certain features may operate in FIPS 140 mode. If any component in the stack is operating in non-FIPS 140 mode, the transaction may not be FIPS 140-compliant. It is therefore important to ensure that all relevant components are operating in FIPS 140 mode.

Table 9-1 lists the components where you can enable FIPS 140, and contains the following details:

  • The Oracle Fusion Middleware layer where the component resides

  • The component name

  • The scenario which can be FIPS 140-enabled

  • A cross-reference to product documentation for details, including how to enable or disable FIPS 140, other relevant configuration details, and what product functions support the use of FIPS 140-validated cryptography


Not all features of each listed component are FIPS 140-compliant. Only the specified features support FIPS 140.

Table 9-1 Components with FIPS 140 Support in Oracle Fusion Middleware

Component Layer: Fusion Middleware Core

Component: Oracle HTTP Server (OHS)

Feature:

  • TLS Inbound (HTTPS)

  • TLS Outbound from OHS to any web, proxy or application server using OHS SSL proxy (mod_proxy, mod_ossl)

Note: For outbound connections from OHS to WLS, FIPS must be enabled at WebLogic (for inbound connections) to enable FIPS communication between OHS and WLS.

Details: These topics in Administrator's Guide for Oracle HTTP Server:


Component: Oracle WebLogic Server (OWLS)

Feature:

  • TLS Inbound: HTTPS, T3S, JMX/T3S, JMS

  • TLS Outbound: HTTPS, T3S, JMX/T3S, JMS, JDBC (Oracle RDBMS)

  • Database Connections (through Data Source)

  • JSSE in FIPS mode support using the RSA JSSE Provider

  • Extended algorithm suite for digital signatures in Web Services

Details:

"Enabling FIPS Mode" in Securing Oracle WebLogic Server 10.3.6

"FIPS 140-2 Support for Web Services" in Securing WebLogic Web Services for Oracle WebLogic Server


Component: Oracle Platform Security Services (OPSS)

Feature:

  • Keystore Service

  • Credential Store Service

Note: The password-protected keystore is not supported in FIPS mode. You must use a permission-protected keystore instead.

Details: "FIPS 140 Support in Oracle Platform Security Services" in Securing Applications with Oracle Platform Security Services


Component: Oracle Web Services Manager (OWSM)

Feature:

  • Message Protection

  • Token Signature

Details: "Supported Algorithm Suites" in Security and Administrator's Guide for Web Services

For detailed information about SSL FIPS 140-2 for OHS, OWLS, OPSS, and OWSM, refer to support Document 2115681.1 on My Oracle Support. You can access My Oracle Support at: https://support.oracle.com/.

9.4 Common Scenarios for an Operational FIPS 140 Environment

Table 9-1 listed the components in Oracle Fusion Middleware with FIPS 140 features. Table 9-2 lists typical protocols for each component scenario:


These are representative scenarios; the table is not intended to provide a comprehensive listing of all possible scenarios.

Table 9-2 FIPS 140 Scenarios

Feature or Connection: Inbound connection from an external web client or application to Oracle HTTP Server

Communication Protocol:

  • HTTPS (Client Access to OHS)

  • SOAP-TLS (Server to Server Communication)

Signature Algorithm/Protocol: HTTPS Server (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption, ECDSA Signing Algorithm, ECDH Key Agreement)


Feature or Connection: Outbound connection from Oracle HTTP Server to Oracle WebLogic Server

Communication Protocol:

  • HTTPS (OHS to HTTP Servlet in WLS) for end-to-end SSL with external SSL termination in OHS.

Signature Algorithm/Protocol: HTTPS Client (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption, ECDSA Signing Algorithm, ECDH Key Agreement)


Feature or Connection: Inbound connection from an external web client or application to Oracle WebLogic Server

Communication Protocol:

  • HTTPS (Client Access to HTTP Servlet)

  • SOAP-TLS (Server to Server Communication)

Signature Algorithm/Protocol: HTTPS Client (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)


Feature or Connection: Outbound connection from Oracle WebLogic Server to an external web, proxy or application server

Communication Protocol:

  • HTTPS (WLS to an external HTTPS server)

  • SOAP-TLS (Server to Server Communication)

Signature Algorithm/Protocol: HTTPS Client (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)


Feature or Connection: Outbound connection from Oracle WebLogic Server to Oracle Database 11gR2

Communication Protocol:

  • DB-TLS-jdbc (WebLogic to Database Communication)

Signature Algorithm/Protocol: JDBC (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)


Feature or Connection: XML Message Protection (XML Signing) for SOAP messages using Oracle Web Services Manager

Communication Protocol:

  • SOAP-MsgSec

Signature Algorithm/Protocol: XML Signature (RSA-SHA256, HMAC-SHA256); Entire Body, Include SwA Attachment


Feature or Connection: XML Message Protection (XML Encryption) for SOAP messages using Oracle Web Services Manager

Communication Protocol:

  • SOAP-MsgSec

Signature Algorithm/Protocol: XML Signature (RSA-SHA256, HMAC-SHA256); Entire Body, Include SwA Attachment


Feature or Connection: Inbound JMS connection to Oracle WebLogic Server

Communication Protocol:

  • JMS traffic is secure in flight


Feature or Connection: Outbound JMS connection from Oracle WebLogic Server

Communication Protocol:

  • JMS traffic is secure in flight


Feature or Connection: Secure JNDI lookups from deployed components


Feature or Connection: Secure administrator access to servers

Communication Protocol:

  • WLST traffic to WLS server is secure in flight


Feature or Connection: Keystore and Certificate Generation

Communication Protocol:

  • Encryption

  • Key Exchange

Signature Algorithm/Protocol: RSA 2048, AES 256, SHA-2


Feature or Connection: Hashing Algorithms, Password-Based Encryption

Communication Protocol:

  • Hashing

  • Encryption


Unless otherwise indicated, all component servers are at Release 11g (

9.5 Troubleshooting FIPS 140 Issues

This section explains how to troubleshoot issues encountered with FIPS 140 configuration. It contains these topics:

9.5.1 FIPS 140 Troubleshooting for Stand-alone WebLogic Server

Take the following steps to troubleshoot FIPS 140 mode for a stand-alone Oracle WebLogic Server:

During WebLogic Server Configuration

  1. Make sure to prepend the server CLASSPATH with jcmFIPS.jar and sslj.jar.

  2. To explicitly verify *AES_256* cipher suites, replace local_policy.jar and US_export_policy.jar in the JAVA_HOME/jre/lib/security directory with the corresponding unlimited-strength files.

  3. Modify JAVA_HOME/jre/lib/security/java.security by putting security.provider.1=com.rsa.jsafe.provider.JsafeJCE and security.provider.2=com.rsa.jsse.JsseProvider on top of the list.

For more information on FIPS mode in Oracle WebLogic Server, see "Enabling FIPS Mode" in Securing Oracle WebLogic Server 10.3.6.
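The three configuration steps above can be checked from inside the JVM that the server will use. The following Java program is an added example, not part of the Oracle documentation; the class name FipsConfigCheck and the reading of "prepend" as "both jars are the first two classpath entries" are assumptions, while the jar names and provider class names are the ones given in the steps.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;

// Added example (hypothetical class name): checks steps 1-3 for the current JVM.
public class FipsConfigCheck {

    // Step 1: the named jars must be the leading entries of the classpath.
    static boolean classpathLeadsWith(String classpath, String... jars) {
        String[] entries = classpath.split(File.pathSeparator);
        if (entries.length < jars.length) return false;
        List<String> head = new ArrayList<>();
        for (int i = 0; i < jars.length; i++) {
            head.add(new File(entries[i]).getName());
        }
        return head.containsAll(Arrays.asList(jars));
    }

    // Step 2: with the unlimited-strength policy files, AES keys of 256 bits are allowed.
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Step 3: security.provider.N in java.security must name the expected class.
    static boolean providerAt(int position, String expectedClass) {
        String configured = Security.getProperty("security.provider." + position);
        return configured != null && configured.trim().equals(expectedClass);
    }

    static boolean report(String label, boolean ok) {
        System.out.println((ok ? "PASS  " : "FAIL  ") + label);
        return ok;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String cp = System.getProperty("java.class.path");
        boolean ok = report("CLASSPATH starts with jcmFIPS.jar and sslj.jar",
                classpathLeadsWith(cp, "jcmFIPS.jar", "sslj.jar"));
        ok &= report("unlimited-strength policy files installed", aes256Allowed());
        ok &= report("security.provider.1", providerAt(1, "com.rsa.jsafe.provider.JsafeJCE"));
        ok &= report("security.provider.2", providerAt(2, "com.rsa.jsse.JsseProvider"));
        System.exit(ok ? 0 : 1); // non-zero exit lets a start script stop on failure
    }
}
```

Run it with the server's JAVA_HOME and the same CLASSPATH value that the server start script exports, otherwise the classpath check reflects the wrong environment.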

During Data Source Configuration

Make sure that the value of the DataSource property oracle.net.ssl_version is set to 1.0.


oracle.net.ssl_version is an optional Oracle WebLogic Server DataSource configuration property. A value of 1.0 represents a connection through the TLS v1.0 protocol.

9.5.2 FIPS 140 Troubleshooting for Oracle Platform Security Services

This section describes some troubleshooting tips in Oracle Platform Security Services (OPSS).

During WebLogic Domain Creation

You may see the following exceptions in wlsconfig_xxxxx.log during domain creation in FIPS 140 mode:

"CFGFWK-60455: The password
must be at least 8 alphanumeric characters with at least one number or
special character."
"Caused by: java.lang.NoSuchMethodError:

This exception may occur if you are using cryptoJ 5 jars. Make sure you have installed Oracle WebLogic Server with cryptoJ 6 jars to avoid this error.

When Exporting from Domain Keystore

If you are using JKS and JCEKS type keystores in a FIPS 140-enabled domain, and see the following error:

Command FAILED, Reason:
 oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to export the keystore

make sure that you have configured the following providers in the java.security file:


During Key or Certificate Generation

When generating a key or certificate with password protection, you may get the following error:

javax.management.MBeanException: javax.management.MBeanException: 
oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to generate CA signed certificate.

make sure that you use permission protection.

9.5.3 FIPS 140 Troubleshooting for Oracle Web Services Manager

This section describes tips for issues originating in Oracle Web Services Manager.

During Message Protection Policy Enforcement

If you see this error during Oracle Web Services Manager message protection policy enforcement:

Caused by: java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: MD5
       at com.rsa.cryptoj.o.cc.b(Unknown Source)
       at com.rsa.cryptoj.o.cc.f(Unknown Source)

make sure that certificates used in message protection enforcement are generated using FIPS 140-compliant algorithms like SHA1WithRSA or SHA256WithRSA.

If you encounter this error for the JKS keystore during message protection policy enforcement:

oracle.fabric.common.PolicyEnforcementException: WSM-00143 : Failure creating Java Keystore instance for type JKS.

make sure that sun.security.provider.Sun is configured in the JDK.