This appendix describes how to enable FIPS 140-2 mode for JSSE and JDK 7.0 in WebLogic Server.
Topics include:
The Federal Information Processing Standards (FIPS) 140-2 is a standard that describes U.S. Federal government requirements for sensitive but unclassified use.
Notes:
In this release, FIPS 140-2 support for JSSE and JDK 7 in WebLogic Server requires the installation of a bundled patch. It is not available by default. For more information about this patch for WebLogic Server and other Fusion Middleware components, refer to support Document 2115681.1 on My Oracle Support. You can access My Oracle Support at: https://support.oracle.com/
.
FIPS 140-2 support for JSSE requires JDK 1.7.0_80 or higher.
To enable JSSE support in WebLogic Server, see Using the JSSE-Based SSL Implementation.
WebLogic Server supports the use of the RSA FIPS-compliant (FIPS 140-2) crypto module. (See Supported FIPS Standards and Cipher Suites for supported versions.)
When used in combination with the RSA JSSE and RSA JCE providers, this crypto module provides a FIPS-compliant (FIPS 140-2) implementation.
For detailed information about Oracle Fusion Middleware support for FIPS, see "FIPS-140 Support in Oracle Fusion Middleware" in Administering Oracle Fusion Middleware.
Table A-1 lists the supported FIPS versions and cipher suites.
Table A-1 Cipher Suites and FIPS 140-2 Supported Versions
Standard | Version | Additional Considerations |
---|---|---|
FIPS 140-2 |
RSA Crypto-J V6.2.0.1 RSA SSL-J V6.2 RSA Cert-J V6.2 |
|
Cipher Suites for JSSE JDK 7 |
The preferred negotiated cipher combination is AES + SHA2. |
The set of cipher suites supported by the JDK 7 SunJSSE is listed here: |
Cipher Suites for RSA JSSE |
Product Dependent |
|
Cipher suites supported in the (deprecated) WebLogic Server Certicom SSL implementation and the SunJSSE equivalent. |
Product Dependent |
See Cipher Suite Name Equivalents. When using Certicom, WebLogic Server does not support SHA256 hashing, or signature algorithms that include SHA256. |
To enable FIPS 140-2 mode from Java options, follow these steps:
Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK. These Java policy JAR files affect cipher key sizes greater than 128 bits.
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Open the .ZIP distribution and update local_policy.jar
and US_export_policy.jar
in JAVA_HOME/jre/lib/security
. See the README.txt file in the .ZIP distribution for more information and installation instructions.
Create your own java.security
file. You can use the one that comes with the installed JDK as a guide.
Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in your java.security
properties file:
# security.provider.1=com.rsa.jsafe.provider.JsafeJCE security.provider.2=com.rsa.jsse.JsseProvider security.provider.3=sun.security.provider.Sun :
Set -Djava.security.properties
on the WebLogic Server start command line to override the default configuration in the java.security
file. Specify a full file path to your custom java.security
file:
set JAVA_OPTIONS=-Djava.security.properties=C:\Users\user\java.security
Note:
Use a single equal sign (=) to specify a filename if you want the java.security properties to be appended to the installed JRE security properties. Use two equal signs (==) if you want to override all the Java security properties, for instance,-Djava.security.properties==C:\Users\user\java.security
.Put the jcmFIPS.jar
jar and sslj.jar
JAR files (both are in WL_HOME
/server/lib/
) at the head of the classpath. You can use the PRE_CLASSPATH
environment variable to do this.
(The RSA JCE provider Crypto-J is located in cryptoj.jar
and is in the classpath by default.)
For example, you could set jcmFIPS.jar
and sslj.jar
in the PRE_CLASSPATH
variable before you call the server start script, typically startWebLogic.cmd/sh
:
set PRE_CLASSPATH=%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar cd %MW_HOME%\user_projects\domains\base_domain startWebLogic.cmd
Start WebLogic Server.
To enable FIPS 140-2 mode from the installed JDK java.security
file, follow these steps:
Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK. These Java policy JAR files affect cipher key sizes greater than 128 bits.
See the README.txt file in the .ZIP distribution for installation instructions.
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Open the .ZIP distribution and update local_policy.jar
and US_export_policy.jar
in JAVA_HOME/jre/lib/security
. See the README.txt file in the .ZIP distribution for more information and installation instructions.
Edit the java.security
file. Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in the java.security
properties file:
# security.provider.1=com.rsa.jsafe.provider.JsafeJCE security.provider.2=com.rsa.jsse.JsseProvider security.provider.3=sun.security.provider.Sun :
Put the jcmFIPS.jar
jar and sslj.jar
JAR files (both are in WL_HOME
/server/lib/
) at the head of the classpath. You can use the PRE_CLASSPATH
environment variable to do this.
(The RSA JCE provider Crypto-J is located in cryptoj.jar
and is in the classpath by default.)
For example, you could set jcmFIPS.jar
and sslj.jar
in the PRE_CLASSPATH
variable before you call the server start script, typically startWebLogic.cmd/sh
:
set PRE_CLASSPATH=%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar cd %MW_HOME%\user_projects\domains\base_domain startWebLogic.cmd
Or, you could add jcmFIPS.jar
and sslj.jar
to the PRE_CLASSPATH
variable in the server start script itself.
Start WebLogic Server.
During normal WebLogic startup, for performance reasons the RSA Crypto-J JCE Self-Integrity test is disabled.
If you want to make sure that JCE verification is enabled when configuring WLS for FIPS 140-2 mode, set the -Dweblogic.security.allowCryptoJDefaultJCEVerification=true
JAVA_OPTIONS
environment variable when you start WebLogic Server.
Note that setting this environment variable adds additional processing and time to the startup.
For FIPS 140-2 mode, all certificates must have a key size of 2048 bits in length.
Note:
Do not use the demonstration certificates included with your installation in FIPS mode because they are not secure. They are provided for development use only.Please keep the following additional considerations in mind when using web services in FIPS 140-2 mode:
SHA-1 Secure Hash Algorithm is not supported in FIPS 140-2 mode. Therefore the following WS-SP <sp:AlgorithmSuite>
values are not supported in FIPS 140-2 mode:
Basic256
Basic192
Basic128
TripleDes
Basic256Rsa15
Basic192Rsa15
Basic128Rsa15
TripleDesRsa15
As described in "Using the SHA-256 Secure Hash Algorithm" in Securing WebLogic Web Services for Oracle WebLogic Server, the WebLogic Server web service security policies support both the SHA-1 and much stronger SHA-2 (SHA-256) secure hash algorithms for hashing digital signatures. Specifically, ”Using the SHA-256 Policies” describes which policies use the SHA-1 secure hash algorithm and their SHA-2 equivalents.
In addition to the SHA-2 secure hash algorithm, FIPS 140-2 mode requires a stronger digital signature method algorithm which is supported by extended algorithm suite policies. For more information, see ”Using the Extended Algorithm Suite” in Securing WebLogic Web Services for Oracle WebLogic Server.
If you enable FIPS 140-2 mode, change the <sp:AlgorithmSuite>
element in the security policy to one of the following supported <sp:AlgorithmSuite>
values as described in "Using the SHA-256 Secure Hash Algorithm":
Basic256Sha256
Basic192Sha256
Basic128Sha256
Basic256Exn256
Basic192Exn256
Basic128Exn256
TripleDesSha256
TripleDesExn256
Basic256Sha256Rsa15
Basic192Sha256Rsa15
Basic128Sha256Rsa15
Basic256Exn256Rsa15
Basic192Exn256Rsa15
Basic128Exn256Rsa15
TripleDesSha256Rsa15
TripleDesExn256Rsa15
For example, if a Basic256 algorithm suite is used in the policy and you require the extended algorithm suite, edit an existing policy and change the algorithm suite from:
<sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite>
to
<sp:AlgorithmSuite> <wsp:Policy> <orasp:Basic256Exn256xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"/> </wsp:Policy> </sp:AlgorithmSuite>
The X509PKIPathv1 token is not supported for FIPS 140-2 mode in this release of WebLogic Server. If you use the X509PKIPathv1 token in a custom policy, change the policy to use the PKCS7 token instead.
Specifically, the following two policy assertions are not supported in FIPS 140-2 mode in this release of WebLogic Server:
<sp:WssX509PkiPathV1Token10/>
<sp:WssX509PkiPathV1Token11/>
If you use these two policy assertions, change them to the following two assertions instead:
<sp:WssX509Pkcs7Token10/>
<sp:WssX509Pkcs7Token11/>
For example, if the policy has the following assertion in the custom policy:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:WssX509PkiPathV1Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy>
replace it with the following policy assertion:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:WssX509Pkcs7Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy>
Or, if the policy has the following assertion in the custom policy:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:RequireThumbprintReference/> <sp:WssX509PkiPathV1Token11/> </wsp:Policy> </sp:X509Token> </wsp:Policy>
replace it with the following assertion:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:RequireThumbprintReference/> <sp:WssX509Pkcs7Token11/> </wsp:Policy> </sp:X509Token> </wsp:Policy>