Configuring FIPS compliance for your network.
About this task
Perform the following configuration steps to prepare the master domain manager and the Dynamic Workload Console for FIPS compliance.
Procedure
- On both the master domain manager and the Dynamic Workload Console workstations, perform the following steps:
  - Configure the IBM® JDK with FIPS enabled on the server. Create a backup of JavaExt/jre and replace it with <IBM_JDK_PATH>/jre.
  - Configure batch reports for FIPS. Edit the SDK java.security file in the path <IBM_JDK_PATH>/jre/lib/security/java.security to insert the IBMJCEFIPS provider (com.ibm.crypto.fips.provider.IBMJCEFIPS). IBMJCEFIPS must precede the IBMJCE provider in the provider list.
    - In the security.provider list, modify the entry containing IBMJCE and add it to the top of the list as follows:
        #
        # List of providers and their preference orders (see above):
        #
        security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
        security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
        security.provider.3=com.ibm.crypto.provider.IBMJCE
        security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
        security.provider.5=com.ibm.security.cert.IBMCertPath
        security.provider.6=com.ibm.security.sasl.IBMSASL
        security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
        security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
        security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
        security.provider.10=sun.security.provider.Sun
        security.provider.11=com.ibm.security.cmskeystore.CMSProvider
    - On Red Hat Enterprise Linux® servers, check the securerandom.source property in the java.security file and ensure the value is specified as follows:
        securerandom.source=file:/dev/./urandom
  - Configure the WebSphere Application Server Liberty Base jvm.options file, located in <TWA_DATA_DIR>/usr/servers/engineServer/configDropins/overrides/jvm.options on the master and in <DWC_DATA_dir>/usr/servers/dwcServer/configDropins/overrides/jvm.options on the Dynamic Workload Console, to enable FIPS as follows:
        -Dcom.ibm.jsse2.usefipsprovider=true
- On the master domain manager workstation, perform the following steps:
  - Comment out the following properties in the eif.templ file located in the path <TWA_DATA_DIR>/stdlist/appserver/engineServer/temp/TWS/EIFListener/eif.templ as follows:
        #SSL_ChannelSSLTruststoreAlgorithm=SunX509
        #SSL_ChannelSSLKeystoreAlgorithm=SunX509
  - To prepare your environment for FIPS, set the following local options in the localopts file on every HCL Workload Automation agent in the network:
        SSL Fips enabled = yes
        nm SSL port = 31113
        SSL keystore file = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
        SSL certificate keystore label = "client"
        SSL keystore pwd = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.sth"
    Set the following local options for the CLI:
        CLI SSL keystore file = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.kdb"
        CLI SSL certificate keystore label = "client"
        CLI SSL keystore pwd = "<TWA_home>/TWS/ssl/GSKit/TWSClientKeyStore.sth"
    where <TWA_home> is the installation directory of the instance of HCL Workload Automation where the agent is installed.
    Note: On Windows™ workstations, the SYSTEM user must have read permission on the GSKit FIPS certificates.
    For more information about setting local options and the localopts file, see Setting local options.
- Restart the server on both the master domain manager and the Dynamic Workload Console workstation.
- On the dynamic agent workstations, add the following property to the JVMOptions in the JobManager.ini file:
        -Dhttps.protocols=TLSv1.2
  The JobManager.ini file is located in:
  - On UNIX™ operating systems: <TWA_DATA_DIR>/ITA/cpa/config/JobManager.ini
  - On Windows™ operating systems: <TWA_home>\TWS\ITA\cpa\config\JobManager.ini
- Restart the agent workstation.
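The procedure above edits five files by hand, and the two mistakes that silently leave a node non-compliant (IBMJCEFIPS registered below IBMJCE, or the jvm.options switch written without its leading -D) produce no error at startup. The following script is an added example, not part of the product documentation: read-only checks for each setting, run here against constructed sample files that stand in for java.security, jvm.options, eif.templ, localopts and JobManager.ini. The file names, the check_* function names and the sample contents are assumptions for this example; to audit a live master, console or agent, call the functions with the real paths given in the procedure.

```shell
#!/bin/sh
# Added example, not part of the product documentation: read-only checks for
# the FIPS settings in the procedure above. They run here against constructed
# sample files; point the check_* functions at the real java.security,
# jvm.options, eif.templ, localopts and JobManager.ini paths to audit a live
# master domain manager, Dynamic Workload Console or agent.

# Print the security.provider.N index of a provider class (regex-escaped), if registered.
provider_index() {
    grep -E "^security\.provider\.[0-9]+=$2\$" "$1" |
        sed 's/^security\.provider\.\([0-9]*\)=.*/\1/' | head -n 1
}

# IBMJCEFIPS must be registered and must precede IBMJCE (the lower index wins).
check_provider_order() {
    fips=$(provider_index "$1" 'com\.ibm\.crypto\.fips\.provider\.IBMJCEFIPS')
    jce=$(provider_index "$1" 'com\.ibm\.crypto\.provider\.IBMJCE')
    [ -n "$fips" ] || { echo "  IBMJCEFIPS is not registered in $1"; return 1; }
    [ -n "$jce" ]  || { echo "  IBMJCE is not registered in $1"; return 1; }
    if [ "$fips" -ge "$jce" ]; then
        echo "  IBMJCEFIPS is provider $fips but IBMJCE is provider $jce in $1"
        return 1
    fi
    return 0
}

# RHEL: entropy must come from file:/dev/./urandom (the "./" form is what the
# procedure requires; a plain /dev/random value fails the check).
check_securerandom() {
    grep -q '^securerandom\.source=file:/dev/\./urandom[[:space:]]*$' "$1"
}

# jvm.options must carry the JSSE2 FIPS switch, including its leading "-D".
check_jvm_options() {
    grep -q '^-Dcom\.ibm\.jsse2\.usefipsprovider=true[[:space:]]*$' "$1"
}

# eif.templ must not leave either SunX509 algorithm line active (uncommented).
check_eif_templ() {
    ! grep -Eq '^[[:space:]]*SSL_ChannelSSL(Truststore|Keystore)Algorithm=SunX509' "$1"
}

# localopts on every agent must enable FIPS for the SSL channel.
check_localopts() {
    grep -Eq '^SSL Fips enabled[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# JobManager.ini on dynamic agents must pin HTTPS to TLSv1.2 (presence check only).
check_jobmanager_ini() {
    grep -qF -- '-Dhttps.protocols=TLSv1.2' "$1"
}

# --- constructed sample files (stand-ins for the real configuration) --------
SAMPLE_DIR=$(mktemp -d)
GOOD_SEC=$SAMPLE_DIR/java.security.good
BAD_SEC=$SAMPLE_DIR/java.security.bad
cat > "$GOOD_SEC" <<'EOF'
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
securerandom.source=file:/dev/./urandom
EOF
# Common mistake: IBMJCEFIPS appended below IBMJCE, entropy source left alone.
cat > "$BAD_SEC" <<'EOF'
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
securerandom.source=file:/dev/random
EOF
GOOD_JVM=$SAMPLE_DIR/jvm.options.good
BAD_JVM=$SAMPLE_DIR/jvm.options.bad
printf '%s\n' '-Dcom.ibm.jsse2.usefipsprovider=true' > "$GOOD_JVM"
printf '%s\n' 'Dcom.ibm.jsse2.usefipsprovider=true'  > "$BAD_JVM"   # missing "-"
GOOD_EIF=$SAMPLE_DIR/eif.templ.good
BAD_EIF=$SAMPLE_DIR/eif.templ.bad
printf '%s\n' '#SSL_ChannelSSLTruststoreAlgorithm=SunX509' \
              '#SSL_ChannelSSLKeystoreAlgorithm=SunX509' > "$GOOD_EIF"
printf '%s\n' 'SSL_ChannelSSLTruststoreAlgorithm=SunX509' > "$BAD_EIF"
GOOD_LOCALOPTS=$SAMPLE_DIR/localopts.good
BAD_LOCALOPTS=$SAMPLE_DIR/localopts.bad
printf '%s\n' 'SSL Fips enabled = yes' 'nm SSL port = 31113' > "$GOOD_LOCALOPTS"
printf '%s\n' 'SSL Fips enabled = no' > "$BAD_LOCALOPTS"
GOOD_JM=$SAMPLE_DIR/JobManager.ini.good
printf '%s\n' '-Dhttps.protocols=TLSv1.2' > "$GOOD_JM"

# Stand-alone run: report each check against the samples.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report check_provider_order "$GOOD_SEC";  report check_provider_order "$BAD_SEC"
report check_securerandom   "$GOOD_SEC";  report check_securerandom   "$BAD_SEC"
report check_jvm_options    "$GOOD_JVM";  report check_jvm_options    "$BAD_JVM"
report check_eif_templ      "$GOOD_EIF";  report check_eif_templ      "$BAD_EIF"
report check_localopts "$GOOD_LOCALOPTS"; report check_localopts "$BAD_LOCALOPTS"
report check_jobmanager_ini "$GOOD_JM"
```

Each check is a single function returning 0 or 1, so the same functions can be dropped into a post-install audit and run against the real files on every node (the localopts check in particular has to pass on every agent, not only on the master). The bad samples encode the two silent failure modes the procedure warns about: IBMJCEFIPS placed after IBMJCE, and the jvm.options switch written without -D, which the JVM would ignore rather than reject.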