35 Enabling FIPS Mode
FIPS Overview
The Federal Information Processing Standards (FIPS) 140-2 is a standard that describes U.S. Federal government requirements for sensitive but unclassified use. WebLogic Server supports the use of the RSA FIPS-compliant (FIPS 140-2) crypto module.
For supported versions of FIPS, see Supported FIPS Standards and Cipher Suites.
When used in combination with the RSA JSSE and RSA JCE providers, this crypto module provides a FIPS-compliant (FIPS 140-2) implementation.
Note:
In addition to using the RSA JSSE and RSA JCE providers in FIPS mode as described in this section, you can also use them in non-FIPS mode. For example, you might want to use a particular encryption algorithm that is unique to the RSA JSSE provider.
See the following topics:
Enabling FIPS 140-2 Mode From Java Options
You can enable FIPS 140-2 mode using Java security files and specifying Java options on the command line.
To enable FIPS 140-2 mode from Java options, follow these steps:
Enabling FIPS 140-2 Mode From java.security
You can enable FIPS 140-2 mode from the installed JDK java.security
file.
The configuration steps are as follows:
Verifying JCE When FIPS 140-2 Mode is Enabled
To ensure that JCE verification is enabled when configuring WLS for FIPS 140-2 mode, set the -Dweblogic.security.allowCryptoJDefaultJCEVerification=true
JAVA_OPTIONS
environment variable when you start WebLogic Server.
During normal WebLogic startup, for performance reasons the RSA Crypto-J JCE Self-Integrity test is disabled.
Note that setting this environment variable adds additional processing and time to the startup.
Creating FIPS 140-2 Compliant Keystores
In WebLogic Server 12.2.1.3 and earlier, the JKS and PKCS12 keystores created with keytool using the Sun JSSE provider (the default) are not fully FIPS compliant. To ensure that your keystores are FIPS 140-2 compliant, you can convert the keystores that you created with the Sun JSSE provider by using the keytool command and specifying the RSA JCE provider supplied with the WebLogic Server distribution.
Also, some environments, such as Java Cloud Service configured with the Oracle Identity Cloud Integrator provider, use the default JKS keystore with CA certificates, cacerts
. In these environments, you must convert the JKS keystore to a FIPS compliant PKCS12 keystore using the RSA JCE provider.
The following sections provide procedures for completing these steps to ensure your keystores are FIPS compliant:
Converting a Non-FIPS Compliant Keystore Using the RSA JCE Provider
Using the WebLogic Server distribution classpath, you can convert a non-compliant keystore using the keytool –importkeystore
command with the RSA JCE provider as follows:
keytool -importkeystore -srckeystore srckeystore
–srcstoretype srcstoretype
-srcprovidername providername –destkeystore destkeystore
-deststoretype PKCS12 -destprovidername JsafeJCE
-providerclass com.rsa.jsafe.provider.JsafeJCE
-providerpath $CLASSPATH
In this command, provide values for the following parameters:
-srckeystore
– Name of the source keystore-srcstoretype
– Type of source keystore, for examplePKCS12
-srcprovidername
– Name of the source keystore provider. Set toJsafeJCE
ifsrcstoretype
isPKCS12
-
-destkeystore
- Name of the destination keystore -deststoretype
– Type of destination keystore. Set toPKCS12
for the RSA JCE provider-destprovidername
– Name of the destination keystore provider. Set toJsafeJCE
for the RSA JCE provider-providerclass
– Name of the provider class. Set tocom.rsa.jsafe.provider.JsafeJCE
-providerpath
- Classpath for the provider
Converting the Default JKS Keystore for FIPS Compliance
The default JKS keystore with CA certificates, cacerts
, included with the JDK is not FIPS compliant in WebLogic Server 12.2.1.3 and earlier. FIPS 140-2 requires a PKCS12 PBES2 keystore; JKS keystores and PKCS12 keystores created with keytool using the Sun JSSE provider (the default) are not supported. If you are using the default JDK cacerts
keystore, such as in a Java Cloud Service environment using the Oracle Identity Cloud Integrator provider, you need to complete the following steps to ensure FIPS compliance:
-
Convert the JDK
cacerts
keystore from JKS to PKCS12 format -
Convert the PKCS12 keystore using the RSA JCE provider to be FIPS compliant
-
Set Java system properties to update the default trust store used by the Java default SSL Context in your environment so that you can boot and operate WebLogic Server successfully
Important Considerations When Using Web Services
When using web services in FIPS 140-2 mode, there are important considerations to keep in mind.
For example:
-
All certificates must have a key size length of 2048 bits.
SHA-1 Secure Hash Algorithm Not Supported
SHA-1 Secure Hash Algorithm is not supported in FIPS 140-2 mode. Therefore the following WS-SP <sp:AlgorithmSuite>
values are not supported in FIPS 140-2 mode:
-
Basic256
-
Basic192
-
Basic128
-
TripleDes
-
Basic256Rsa15
-
Basic192Rsa15
-
Basic128Rsa15
-
TripleDesRsa15
As described in Using the SHA-256 Secure Hash Algorithm in Securing WebLogic Web Services for Oracle WebLogic Server, the WebLogic Server web service security policies support both the SHA-1 and much stronger SHA-2 (SHA-256) secure hash algorithms for hashing digital signatures. Specifically, Using the SHA-256 Policies describes which policies use the SHA-1 secure hash algorithm and their SHA-2 equivalents.
FIPS 140-2 mode requires an Extended Algorithm Suite when digital signatures are used. See Using the Extended Algorithm Suite (EAS) in Securing WebLogic Web Services for Oracle WebLogic Server.
If you enable FIPS 140-2 mode, change the <sp:AlgorithmSuite>
element in the Security policy to one of the following supported <sp:AlgorithmSuite>
values as described in Using the SHA-256 Secure Hash Algorithm:
-
Basic256Sha256
-
Basic192Sha256
-
Basic128Sha256
-
Basic256Exn256
-
Basic192Exn256
-
Basic128Exn256
-
TripleDesSha256
-
TripleDesExn256
-
Basic256Sha256Rsa15
-
Basic192Sha256Rsa15
-
Basic128Sha256Rsa15
-
Basic256Exn256Rsa15
-
Basic192Exn256Rsa15
-
Basic128Exn256Rsa15
-
TripleDesSha256Rsa15
-
TripleDesExn256Rsa15
For example, to edit an existing Basic256 Algorithm Suite to an EAS Algorithm Suite, then change the policy from
<sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite>
to
<sp:AlgorithmSuite> <wsp:Policy> <orasp:Basic256Exn256 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"/> </wsp:Policy> </sp:AlgorithmSuite>
X509PKIPathv1 token Not Supported
The X509PKIPathv1 token is not supported for FIPS 140-2 mode in this release of WebLogic Server. If you use the X509PKIPathv1 token in a custom policy, change the policy to use the PKCS7 token instead.
Specifically, the following two policy assertions are not supported in FIPS 140-2 mode in this release of WebLogic Server:
-
<sp:WssX509PkiPathV1Token10/>
-
<sp:WssX509PkiPathV1Token11/>
If you use these two policy assertions, change them to the following two assertions instead:
-
<sp:WssX509Pkcs7Token10/>
-
<sp:WssX509Pkcs7Token11/>
For example, if the policy has the following assertion in the custom policy:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:WssX509PkiPathV1Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy>
replace it with the following policy assertion:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:WssX509Pkcs7Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy>
Or, if the policy has the following assertion in the custom policy:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:RequireThumbprintReference/> <sp:WssX509PkiPathV1Token11/> </wsp:Policy> </sp:X509Token> </wsp:Policy>
replace it with the following assertion:
<wsp:Policy> <sp:X509Token sp:IncludeToken=". . ."> <wsp:Policy> <sp:RequireThumbprintReference/> <sp:WssX509Pkcs7Token11/> </wsp:Policy> </sp:X509Token> </wsp:Policy>