The Federal Information Processing Standards (FIPS) 140-2 is a standard that describes U.S. Federal government requirements for cryptographic modules used to protect sensitive but unclassified information.
WebLogic Server supports the use of the RSA FIPS-compliant (FIPS 140-2) crypto module. (See Supported FIPS Standards and Cipher Suites for supported versions.)
When used in combination with the RSA JSSE and RSA JCE providers, this crypto module provides a FIPS-compliant (FIPS 140-2) implementation.
Note:
In addition to using the RSA JSSE and RSA JCE providers in FIPS mode as described in this section, you can also use them in non-FIPS mode. For example, you might want to use a particular encryption algorithm that is unique to the RSA JSSE provider.
For more information, see FIPS-140 Support in Oracle Fusion Middleware in Administering Oracle Fusion Middleware for detailed information about Oracle Fusion Middleware support for FIPS.
To enable FIPS 140-2 mode from Java options, follow these steps:
To enable FIPS 140-2 mode from the installed JDK java.security file, follow these steps:
During normal WebLogic Server startup, the RSA Crypto-J JCE self-integrity test is disabled for performance reasons.
To make sure that JCE verification is enabled when configuring WebLogic Server for FIPS 140-2 mode, add -Dweblogic.security.allowCryptoJDefaultJCEVerification=true to the JAVA_OPTIONS environment variable when you start WebLogic Server.
Note that enabling this verification adds processing time to startup.
For FIPS 140-2 mode, all certificates must have a key size of 2048 bits.
Keep the following additional considerations in mind when using web services in FIPS 140-2 mode:
The SHA-1 secure hash algorithm is not supported in FIPS 140-2 mode. Therefore, the following WS-SP <sp:AlgorithmSuite> values are not supported in FIPS 140-2 mode:
Basic256
Basic192
Basic128
TripleDes
Basic256Rsa15
Basic192Rsa15
Basic128Rsa15
TripleDesRsa15
As described in Using the SHA-256 Secure Hash Algorithm in Securing WebLogic Web Services for Oracle WebLogic Server, the WebLogic Server web service security policies support both the SHA-1 and much stronger SHA-2 (SHA-256) secure hash algorithms for hashing digital signatures. Specifically, Using the SHA-256 Policies describes which policies use the SHA-1 secure hash algorithm and their SHA-2 equivalents.
FIPS 140-2 mode requires an Extended Algorithm Suite when digital signatures are used. For more information, see Using the Extended Algorithm Suite (EAS) in Securing WebLogic Web Services for Oracle WebLogic Server.
If you enable FIPS 140-2 mode, change the <sp:AlgorithmSuite> element in the security policy to one of the following supported <sp:AlgorithmSuite> values, as described in Using the SHA-256 Secure Hash Algorithm:
Basic256Sha256
Basic192Sha256
Basic128Sha256
Basic256Exn256
Basic192Exn256
Basic128Exn256
TripleDesSha256
TripleDesExn256
Basic256Sha256Rsa15
Basic192Sha256Rsa15
Basic128Sha256Rsa15
Basic256Exn256Rsa15
Basic192Exn256Rsa15
Basic128Exn256Rsa15
TripleDesSha256Rsa15
TripleDesExn256Rsa15
For example, to change an existing Basic256 algorithm suite to an EAS algorithm suite, change the policy from
    <sp:AlgorithmSuite>
        <wsp:Policy>
            <sp:Basic256/>
        </wsp:Policy>
    </sp:AlgorithmSuite>
to
    <sp:AlgorithmSuite>
        <wsp:Policy>
            <orasp:Basic256Exn256 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"/>
        </wsp:Policy>
    </sp:AlgorithmSuite>
The X509PKIPathv1 token is not supported for FIPS 140-2 mode in this release of WebLogic Server. If you use the X509PKIPathv1 token in a custom policy, change the policy to use the PKCS7 token instead.
Specifically, the following two policy assertions are not supported in FIPS 140-2 mode in this release of WebLogic Server:
<sp:WssX509PkiPathV1Token10/>
<sp:WssX509PkiPathV1Token11/>
If you use these two policy assertions, change them to the following two assertions instead:
<sp:WssX509Pkcs7Token10/>
<sp:WssX509Pkcs7Token11/>
For example, if the policy has the following assertion in the custom policy:
    <wsp:Policy>
        <sp:X509Token sp:IncludeToken=". . .">
            <wsp:Policy>
                <sp:WssX509PkiPathV1Token10/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
replace it with the following policy assertion:
    <wsp:Policy>
        <sp:X509Token sp:IncludeToken=". . .">
            <wsp:Policy>
                <sp:WssX509Pkcs7Token10/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
Or, if the policy has the following assertion in the custom policy:
    <wsp:Policy>
        <sp:X509Token sp:IncludeToken=". . .">
            <wsp:Policy>
                <sp:RequireThumbprintReference/>
                <sp:WssX509PkiPathV1Token11/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
replace it with the following assertion:
    <wsp:Policy>
        <sp:X509Token sp:IncludeToken=". . .">
            <wsp:Policy>
                <sp:RequireThumbprintReference/>
                <sp:WssX509Pkcs7Token11/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
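The algorithm-suite and X509 token changes above are easy to miss when a deployment carries many custom policies. The following added example (not Oracle's code) audits a WS-SecurityPolicy document for the unsupported suites and PKIPath token assertions listed in this section and rewrites them to the EAS (Exn256) suites and PKCS7 tokens. The sp and wsp namespace URIs and the choice of the Exn256 variant for every suite are assumptions; the orasp namespace is the one shown in the Basic256Exn256 example.

```python
import xml.etree.ElementTree as ET

# sp/wsp URIs are assumed (WS-SecurityPolicy 1.2 / WS-Policy); orasp is from the page.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
ORASP_NS = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
for prefix, uri in (("sp", SP_NS), ("wsp", WSP_NS), ("orasp", ORASP_NS)):
    ET.register_namespace(prefix, uri)

# SHA-1 suites rejected in FIPS 140-2 mode -> EAS (Exn256) suite, generalising the
# page's Basic256 -> Basic256Exn256 example (choosing Exn256 for all is an assumption).
SUITE_MAP = {
    "Basic256": "Basic256Exn256", "Basic192": "Basic192Exn256",
    "Basic128": "Basic128Exn256", "TripleDes": "TripleDesExn256",
    "Basic256Rsa15": "Basic256Exn256Rsa15", "Basic192Rsa15": "Basic192Exn256Rsa15",
    "Basic128Rsa15": "Basic128Exn256Rsa15", "TripleDesRsa15": "TripleDesExn256Rsa15",
}
# X509PKIPathv1 token assertions rejected in FIPS mode -> PKCS7 replacements (from the page).
TOKEN_MAP = {"WssX509PkiPathV1Token10": "WssX509Pkcs7Token10",
             "WssX509PkiPathV1Token11": "WssX509Pkcs7Token11"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} part of an ElementTree tag

def _rewrite(root, container, mapping, new_ns, changes):
    # Rename assertions nested as <container><wsp:Policy><assertion/></wsp:Policy></container>.
    for elem in root.iter():
        if _local(elem.tag) != container:
            continue
        for policy in elem:  # the nested <wsp:Policy>
            for assertion in policy:
                name = _local(assertion.tag)
                if name in mapping:
                    # new_ns=None keeps the assertion's original namespace
                    ns = "{%s}" % new_ns if new_ns else assertion.tag[:assertion.tag.rfind("}") + 1]
                    assertion.tag = ns + mapping[name]
                    changes.append((name, mapping[name]))

def fips_fix_policy(xml_text):
    # Returns (rewritten policy XML, list of (old, new) assertion names that were changed).
    root = ET.fromstring(xml_text)
    changes = []
    _rewrite(root, "AlgorithmSuite", SUITE_MAP, ORASP_NS, changes)
    _rewrite(root, "X509Token", TOKEN_MAP, None, changes)
    return ET.tostring(root, encoding="unicode"), changes

# Constructed sample: a custom policy still using a SHA-1 suite and the PKIPath token.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  <sp:X509Token sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient">
    <wsp:Policy><sp:WssX509PkiPathV1Token10/></wsp:Policy>
  </sp:X509Token>
</wsp:Policy>""" % (WSP_NS, SP_NS, SP_NS)
```

Running fips_fix_policy(SAMPLE_POLICY) reports both replacements and returns a policy in which the suite is orasp:Basic256Exn256 and the token is sp:WssX509Pkcs7Token10; running it again on the result reports no changes.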