Configuring the IBM JRE to use FIPS 140-2 approved providers

Describes how to configure the IBM® JRE to use IBM Java™ FIPS 140-2 approved providers

Before you begin

To be FIPS 140-2 approved, all computers running the Rational® ClearQuest® Client must be configured to use the IBM JRE with the IBM Java JCE (Java Cryptographic Extension) FIPS providers enabled. This ensures that the clients use the FIPS 140-2 certified algorithms AES 128-bit and SHA-256.

About this task

Perform the following steps to configure the computers running the Rational ClearQuest Client to use the IBM JRE with the IBM Java JCE FIPS providers enabled.

Procedure

  1. Edit the master security properties file, java.security, to register additional cryptographic package providers:
    On Windows™:
    drive:\install-dir\Program Files\Rational\Common\java\jre\lib\security\java.security
    On the UNIX™ system and Linux™:
    install-dir/Rational/ClearQuest/common/java/jre/lib/security/java.security
  2. Locate the list-of-providers section near the top of the file. This section will look similar to the following example:
    #
    # List of providers and their preference orders:
    #
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.sasl.IBMSASL
  3. Add the following providers to the top of the list and sequentially renumber the other providers:
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.fips.crypto.fips.provider.IBMJCEFIPS

    The updated list of security providers will look similar to the following example:

    #
    # List of providers and their preference orders:
    #
    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
    security.provider.2=com.ibm.fips.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL