B FIPS 140-2 Support for Web Services

This appendix describes FIPS 140-2 support in web services.


Overview of FIPS 140-2 Support for JSSE in Web Services

The Federal Information Processing Standards (FIPS) 140-2 is a standard that describes U.S. Federal government requirements for sensitive but unclassified use. In this release, FIPS 140-2 support for JSSE and JDK 7 in WebLogic Server requires the installation of a bundled patch. It is not available by default. For more information about this patch for WebLogic Server and other Fusion Middleware components, refer to support Document 2115681.1 on My Oracle Support. You can access My Oracle Support at: https://support.oracle.com/.

For detailed information about Oracle Fusion Middleware support for FIPS, see "FIPS-140 Support in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

FIPS 140-2 support for JSSE requires JDK 1.7.0_80 or higher and RSA CryptoJ V6.2. For more information, see the following topics in Securing Oracle WebLogic Server:

The WebLogic Server Web service security policies support both the SHA-1 and much stronger SHA-2 (SHA-256) secure hash algorithms for hashing digital signatures. The SHA-1 Secure Hash Algorithm is not supported in FIPS mode. For more information, see Using the SHA-256 Secure Hash Algorithm and "Important Considerations When Using Web Services" in Securing Oracle WebLogic Server.

In addition to the SHA-2 secure hash algorithm, FIPS 140-2 mode requires a stronger digital signature method algorithm which is supported by extended algorithm suite policies.

Using the Extended Algorithm Suite (EAS)

When using digital signatures, the WebLogic Server web service security policies include a set of policies that support an Extended Algorithm Suite (EAS) as required by the FIPS 140-2 certification. You can attach one of these EAS policies to your web service when FIPS 140-2 certification is required. Alternatively, if none of these policies satisfies the requirements of your environment, you can edit the algorithm suite in an existing policy and use that instead.

The standard algorithm suites supported in WebLogic Server web services policies, and the abbreviations used in the algorithm suite tables, are defined in the WS-SecurityPolicy 1.3 specification, which is available at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573605.

The extended algorithm suite policies, listed in Table B-1, use a stronger hash algorithm of SHA-256 and a stronger signature method algorithm.

Table B-1 Extended Algorithm Suite Policies Supported in FIPS 140 Mode

| Policy File | Description |
| --- | --- |
| Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy_eas256.xml | This policy is similar to Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml (see Table 2-9) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy_eas256.xml | This policy is similar to policy Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml (see Table 2-11) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-wss11_saml20_token_with_message_protection_owsm_policy_eas256.xml | This policy is similar to policy Wssp1.2-wss11_saml20_token_with_message_protection_owsm_policy.xml (see Table A-3) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy_eas256.xml | This policy is similar to Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml (see Table A-3) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-wss10_username_token_with_message_protection_owsm_policy_eas256.xml | This policy is similar to Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml (see Table A-3) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy_eas256.xml | This policy is similar to policy Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml (see Table A-3) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-2007-Wssc1.4-Bootstrap-Wss1.0-UsernameToken-Plain-X509-Eas256.xml | This policy is similar to policy Wssp1.2-2007-Wssc1.4-Bootstrap-Wss1.0-UsernameToken-Plain-X509-Basic256.xml (see Table 2-10) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1-Eas256.xml | This policy is similar to policy Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1.xml (see Table 2-11) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-2007-Wss1.1-X509-Eas256.xml | This policy is similar to policy Wssp1.2-2007-Wss1.1-X509-Basic256.xml (see Table 2-9) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |
| Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1-Eas256.xml | This policy is similar to policy Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml (see Table 2-11) but has an extended algorithm suite with a stronger hash algorithm of SHA-256 and stronger signature method algorithm. |


Table B-2 lists the symmetric signature (Sym Sig) and asymmetric signature (Asym Sig) values, and the associated algorithm URIs, for the extended algorithm suite policies.

Table B-2 Extended Algorithm Suite Signature Values

| Property | Algorithm Value/Abbreviation | Algorithm URI |
| --- | --- | --- |
| Sym Sig | HmacSha256 | http://www.w3.org/2000/09/xmldsig#hmac-sha256 |
| Asym Sig | RsaSha256 | http://www.w3.org/2000/09/xmldsig#rsa-sha256 |


The XML signatures for RSA-SHA256 and HMAC-SHA256 are defined in the W3C XML Security Algorithm Cross-Reference specification, which is available at http://www.w3.org/TR/xmlsec-algorithms/.

Table B-3 lists the algorithm suites for the extended algorithm suite policies.

Table B-3 Algorithm Suites for Extended Algorithm Suite Policies

| Algorithm Suite | Digest | Encryption | Symmetric Key Wrap | Asymmetric Key Wrap | Encrypted Key Derivation | Symmetric Signature | Asymmetric Signature | Signature Key Derivation | Minimum Signature Key Length |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Basic256Exn256 | Sha256 | Aes256 | KwAes256 | KwRsaOaep | PSha1L256 | HmacSha256 | RsaSha256 | PSha1L192 | 256 |
| Basic192Exn256 | Sha256 | Aes192 | KwAes192 | KwRsaOaep | PSha1L192 | HmacSha256 | RsaSha256 | PSha1L192 | 192 |
| Basic128Exn256 | Sha256 | Aes128 | KwAes128 | KwRsaOaep | PSha1L128 | HmacSha256 | RsaSha256 | PSha1L128 | 128 |
| TripleDesExn256 | Sha256 | TripleDes | KwTripleDes | KwRsaOaep | PSha1L192 | HmacSha256 | RsaSha256 | PSha1L192 | 192 |
| Basic256Exn256Rsa15 | Sha256 | Aes256 | KwAes256 | KwRsa15 | PSha1L256 | HmacSha256 | RsaSha256 | PSha1L192 | 256 |
| Basic192Exn256Rsa15 | Sha256 | Aes192 | KwAes192 | KwRsa15 | PSha1L192 | HmacSha256 | RsaSha256 | PSha1L192 | 192 |
| Basic128Exn256Rsa15 | Sha256 | Aes128 | KwAes128 | KwRsa15 | PSha1L128 | HmacSha256 | RsaSha256 | PSha1L128 | 128 |
| TripleDesExn256Rsa15 | Sha256 | TripleDes | KwTripleDes | KwRsa15 | PSha1L192 | HmacSha256 | RsaSha256 | PSha1L192 | 192 |


The predefined web service security policies select which specific algorithm they use in the <sp:AlgorithmSuite> element.

Note:

The extended algorithm suite policies can also be used in non-FIPS mode for increased security. However, since they use their own namespace for the algorithm suite, there may be interoperability issues with other platforms if the target platform does not support the extended algorithm suite assertion. Consider the following before using the extended algorithm suite policies:
  • If you have web services that require FIPS 140-2 certification, then use the EAS policies.

  • If you have new web services that do not need to interoperate with other platforms but you want increased security, you can use the EAS policies.

For all other web services, you need to assess the security risk, interoperability, and backward compatibility before converting any policy to an EAS policy.

You can either use the EAS policies as is or identify an existing policy without the extended algorithm suite and modify the algorithm suite as follows:

  1. Use an existing policy to create a custom policy. See Creating and Using a Custom Policy File.

    The policy files are located in ORACLE_HOME/oracle_common/modules/com.oracle.webservices.wls.wls-soap-stack-impl.jar. Within com.oracle.webservices.wls.wls-soap-stack-impl.jar, the policy files are located in /weblogic/wsee/policy/runtime.

  2. Edit the custom policy to change the algorithm suite to support FIPS 140-2. To do this, change the algorithm suite inside the policy from:

    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic256Sha256/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    

    To:

    <sp:AlgorithmSuite>
      <wsp:Policy>
        <orasp:Basic256Exn256 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    
  3. Use the custom policy in your web service.

  4. Edit the client-side policy to match. The client and web service must use the same hashing algorithm; <AlgorithmSuite> must be the same on both sides. Otherwise, the web service rejects the request message sent from the client.
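A check for steps 2 and 4, as an added example that is not part of the Oracle documentation: it extracts the algorithm suite assertion from a service policy and a client policy, confirms that each is a Table B-3 suite in the orasp namespace, and reports when the two sides differ. The function names are hypothetical, and the sample policies, including the sp and wsp namespace URIs they declare, are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the extended suite assertion, as shown in step 2 above.
ORASP_NS = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
# Suite names from Table B-3.
EAS_SUITES = {
    "Basic256Exn256", "Basic192Exn256", "Basic128Exn256", "TripleDesExn256",
    "Basic256Exn256Rsa15", "Basic192Exn256Rsa15", "Basic128Exn256Rsa15",
    "TripleDesExn256Rsa15",
}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def algorithm_suites(policy_xml):
    """Return each (namespace, name) asserted under AlgorithmSuite/Policy."""
    found = []
    for elem in ET.fromstring(policy_xml).iter():
        if split_tag(elem.tag)[1] == "AlgorithmSuite":
            for policy in elem:
                if split_tag(policy.tag)[1] == "Policy":
                    found += [split_tag(child.tag) for child in policy]
    return found

def check_pair(service_xml, client_xml):
    """Return findings; an empty list means both sides use the same EAS suite."""
    sides = {"service": algorithm_suites(service_xml),
             "client": algorithm_suites(client_xml)}
    findings = []
    for side, suites in sides.items():
        if not suites:
            findings.append(f"{side}: no algorithm suite assertion found")
        for ns, name in suites:
            if ns != ORASP_NS or name not in EAS_SUITES:
                findings.append(f"{side}: {name} is not an extended algorithm suite")
    if sorted(sides["service"]) != sorted(sides["client"]):
        findings.append("client and service algorithm suites differ")
    return findings

# Constructed sample policies; the sp and wsp namespace URIs are assumptions.
WRAP = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
        'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">'
        '<sp:AlgorithmSuite><wsp:Policy>{}</wsp:Policy></sp:AlgorithmSuite></wsp:Policy>')
BEFORE = WRAP.format("<sp:Basic256Sha256/>")
AFTER = WRAP.format(f'<orasp:Basic256Exn256 xmlns:orasp="{ORASP_NS}"/>')
if __name__ == "__main__":
    print(check_pair(AFTER, BEFORE))
```

Matching on local names for AlgorithmSuite and Policy keeps the check independent of which WS-Policy namespace version a given policy file declares; only the suite assertion itself is checked against the Oracle namespace.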