Enabling FIPS 140-2 on WebSphere Liberty Profile

Use this procedure to enable FIPS 140-2 on WebSphere Liberty Profile.

Before you begin

Run the configuration wizard and start the services before you start this task.

Procedure

  1. To enable FIPS 140-2:
    1. Locate the installation directory of Liberty at <install-dir>\AppScan Enterprise\Liberty\usr\servers\ase.
    2. Add the -Dorg.bouncycastle.fips.approved_only=true property to the jvm.options file to enable the BouncyCastle provider to run in FIPS 140-2 mode.
    3. Go to the <install-dir>\AppScan Enterprise\Liberty\jre\conf\security directory.
    4. In a text editor, edit the java.security master security properties file to register additional cryptographic package providers.
  2. Locate the list of cryptographic providers after the line:

    # List of providers and their preference orders

    Replace the current list of providers with the updated one below:

    Current list:

    security.provider.1=SUN
    security.provider.2=SunRsaSign
    security.provider.3=SunEC
    security.provider.4=SunJSSE
    security.provider.5=SunJCE
    security.provider.6=SunJGSS
    security.provider.7=SunSASL
    security.provider.8=XMLDSig
    security.provider.9=SunPCSC
    security.provider.10=JdkLDAP
    security.provider.11=JdkSASL
    security.provider.12=SunMSCAPI
    security.provider.13=SunPKCS11

    Replace with this updated list:

    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=SUN
    security.provider.3=SunRsaSign
    security.provider.4=SunEC
    security.provider.5=SunJSSE
    security.provider.6=SunJCE
    security.provider.7=SunJGSS
    security.provider.8=SunSASL
    security.provider.9=XMLDSig
    security.provider.10=SunPCSC
    security.provider.11=JdkLDAP
    security.provider.12=JdkSASL
    security.provider.13=SunMSCAPI
    security.provider.14=SunPKCS11

  3. Save and close the file, and then rerun the configuration wizard.
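
A check for the two edits above, added here as an example and not part of the product documentation: it confirms that the BouncyCastle FIPS provider is entry 1, that the provider list was renumbered without duplicates or gaps, and that the jvm.options property is active. The function name `check_fips_config` and the sample text are constructed for illustration; pass the real paths to java.security and jvm.options on the command line.

```python
import re
import sys

BCFIPS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
FIPS_FLAG = "-Dorg.bouncycastle.fips.approved_only=true"
# Active entries only: lines commented out with '#' do not match.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

# Constructed sample: the BouncyCastle line was added but the old list was not renumbered.
SAMPLE_NOT_RENUMBERED = f"""\
# List of providers and their preference orders
security.provider.1={BCFIPS}
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.4=SunJSSE
"""


def check_fips_config(java_security, jvm_options):
    """Return a list of problems; an empty list means both edits are in place."""
    problems, providers = [], {}
    for line in java_security.splitlines():
        m = PROVIDER_RE.match(line)
        if not m:
            continue
        index, name = int(m.group(1)), m.group(2)
        if index in providers:
            problems.append(f"security.provider.{index} is defined more than once")
        providers[index] = name  # as in a properties file, the last definition wins
    if providers.get(1) != BCFIPS:
        problems.append("security.provider.1 is not the BouncyCastle FIPS provider")
    # The JVM reads entries 1, 2, 3, ... and stops at the first missing number,
    # so a gap silently drops every provider listed after it.
    if sorted(providers) != list(range(1, len(providers) + 1)):
        problems.append("provider numbers are not consecutive starting at 1")
    flags = [ln.strip() for ln in jvm_options.splitlines()]
    if FIPS_FLAG not in flags:
        problems.append(f"{FIPS_FLAG} is missing from jvm.options")
    return problems


if __name__ == "__main__":
    # Usage: python check_fips.py <path to java.security> <path to jvm.options>
    with open(sys.argv[1]) as sec, open(sys.argv[2]) as opts:
        found = check_fips_config(sec.read(), opts.read())
    print("\n".join(found) or "OK: provider list and jvm.options match the procedure")
    sys.exit(1 if found else 0)
```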