Description
Feature epic details
- For the title of this issue, type: Documentation, Development epic name
- Link to development epic: FIPS 140-3: Support FIPS 140-3 in Liberty with IBM JDK 8 open-liberty#30753
- Target GA release: 25.0.0.3
Operating systems
Does the documentation apply to all operating systems?
- Yes
- No; specify operating systems:
AIX on 64-bit IBM POWER hardware
Linux (Big Endian and Little Endian) on 64-bit IBM POWER hardware
Linux on x86-64 hardware
Windows on x86-64 hardware
NOTE: these are the only supported operating systems.
Summary
Provide a concise summary of your feature. What is the update, why does it matter, and to whom? What do 80% of target users need to know to be most easily productive using your runtime update?
- We are releasing an IBM JDK 8 FIPS 140-3 update to Open Liberty.
- FIPS 140-3 does not rely on any operating-system-level functionality; the entire standard can be enabled at the JVM level (unlike FIPS 140-2, which required RHEL and manual steps such as creating key stores).
Configuration
List any new or changed properties, parameters, elements, attributes, etc. Include default values and configuration examples where relevant:
- To enable FIPS 140-3 you must use IBM SDK for Java 8.0.8.30 or later. To enable the feature you must create a jvm.options file in the WLP_ROOT directory with the following properties:

```
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
-Xenablefips140-3
```
- Semeru Java 11, 17 and 21 support will come in a future release.
Updates to existing topics
https://openliberty.io/docs/latest/enable-fips.html needs to be updated. Much of it is not necessary as the feature does not need RHEL or OS level support. The entire FIPS runtime only depends on the JVM.
I think a new topic instead of editing the old one is needed because the setup, configuration and changes are quite different.
Create a new topic
Liberty runtime security updates:
- Secure Sockets Layer (TLS):
  - Supported protocols are set to just TLSv1.2 and TLSv1.3 (instead of TLSv1.1, TLSv1.2 and TLSv1.3)
- AES password encryption:
  - PBKDF2WithHmacSHA512 (instead of PBKDF2WithHmacSHA1)
- Hash password:
  - PBKDF2WithHmacSHA512 (instead of PBKDF2WithHmacSHA1)
To be compliant with FIPS 140-3, LTPA has been updated:
- Token signature: SHA512withRSA (instead of SHA1withRSA)
- RSA key size: 2048 (instead of 1024)
- Token encryption cipher: AES-256 (instead of AES-128)
- Key Encryptor (used to encrypt keys in the ltpa.keys file):
  - Cipher: AES/CBC/PKCS5Padding (instead of DESede/ECB/PKCS5Padding)
  - Message Digest: SHA-256 (instead of SHA1)
  - Key size: 256 (instead of 128)
- All servers that use LTPA must have FIPS either enabled or disabled, with no intermixing; i.e. a FIPS-enabled server that uses LTPA will not be able to read tokens from a server that has FIPS disabled, and vice versa.
To be compliant with FIPS 140-3, audit logs have been updated:
- Encryption:
  - Cipher: AES/CBC/PKCS5Padding (instead of DESede/ECB/PKCS5Padding)
  - Secret key size: 256 (instead of 128)
- Signing:
  - SHA512withRSA (instead of SHA256withRSA)
- Key Encryptor:
  - Cipher: AES/CBC/PKCS5Padding (instead of DESede/ECB/PKCS5Padding)
  - Message Digest: SHA-256 (instead of SHA1)
  - Key size: 256 (instead of 128) (not completed yet)
Utilities such as securityUtility and auditReader must also have FIPS enabled in order for them to work with LTPA servers. This is done by exporting the following environment variable before executing the tools:

```
export IBM_JAVA_OPTIONS="-Dcom.ibm.ws.beta.edition=true -Xenablefips140-3"
```
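As an added preflight check, written for this issue rather than taken from Open Liberty, the following POSIX shell script verifies that a jvm.options file contains the three options listed under Configuration and that IBM_JAVA_OPTIONS enables FIPS 140-3 before securityUtility or auditReader is run; the function names and the file-path argument are assumptions of the example.

```shell
#!/bin/sh
# Added preflight check, not part of Open Liberty: confirm that a Liberty
# jvm.options file carries the three JVM options this issue lists for
# FIPS 140-3 with IBM SDK for Java 8, and that the shell environment used
# to run securityUtility/auditReader enables FIPS 140-3 as well.
# The function names and the file-path argument are this example's own.

# The three options quoted in the Configuration section, one per line.
REQUIRED_FIPS_OPTIONS='-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
-Xenablefips140-3'

# check_fips_jvm_options FILE
# Prints every required option that is absent from FILE; returns 0 when
# all three are present, 1 otherwise.
check_fips_jvm_options() {
  file=$1
  rc=0
  if [ ! -f "$file" ]; then
    echo "jvm.options not found: $file" >&2
    return 1
  fi
  for opt in $REQUIRED_FIPS_OPTIONS; do
    # jvm.options holds one option per line, so match the whole line:
    # a commented-out "#-Xenablefips140-3" or usefipsprovider=false must
    # not count as present.
    if ! grep -qxF -- "$opt" "$file"; then
      echo "missing in $file: $opt"
      rc=1
    fi
  done
  return $rc
}

# check_tool_fips_env
# Returns 0 when IBM_JAVA_OPTIONS (read by the IBM JVM that securityUtility
# and auditReader start) contains -Xenablefips140-3, 1 otherwise.
check_tool_fips_env() {
  case " ${IBM_JAVA_OPTIONS:-} " in
    *" -Xenablefips140-3 "*) return 0 ;;
    *) echo "IBM_JAVA_OPTIONS does not enable FIPS 140-3"; return 1 ;;
  esac
}

# Usage: sh fips-preflight.sh /path/to/wlp/jvm.options
if [ $# -gt 0 ]; then
  check_fips_jvm_options "$1" && check_tool_fips_env && echo "FIPS 140-3 preflight OK"
fi
```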