
V-283668

CAT I (High)

The WebSphere Liberty Server must use FIPS 140-3-approved encryption modules when authenticating users and processes.

Rule ID

SV-283668r1193262_rule

STIG

IBM WebSphere Liberty Server Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-000803, CCI-001188, CCI-002418, CCI-002422, CCI-002450

Discussion

Encryption is only as good as the encryption modules in use. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. FIPS 140-3-approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

Check Content

Note: If FIPS 140-2 is configured in IBMW-LS-000520, this is not applicable. This is allowed until 21 September 2026. If FIPS 140-2 is still in use after this date, this is a finding.

There are two ways to meet this requirement using FIPS 140-3. Only one method is required.

If IBM JDK 8 version 8.0.8.30 or later is installed and configured to run with WebSphere Liberty version 25.0.0.3 or later, proceed with method (I). 
If IBM Semeru Runtimes version 11.0.29, 17.0.17, 21.0.9, 25.0.1 or higher is installed and configured with WebSphere Liberty version 25.0.0.12 or later, proceed with method (II).

Method (I) IBM JDK 8 (version 8.0.8.30 or later) with WebSphere Liberty (version 25.0.0.3 or later):

1. Review the ${server.config.dir}/jvm.options file. Verify FIPS 140-3 is in use by checking the following lines:

-Xenablefips140-3
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

If the properties are not set as shown in the ${server.config.dir}/jvm.options file, this is a finding.

2. Verify TLS protocol is set to TLS 1.2 or TLS 1.3 in the ${server.config.dir}/server.xml file.
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
or
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.3" />

If TLS 1.2 or TLS 1.3 is not configured, this is a finding.

3. Verify LTPA keys are FIPS 140-3 compliant. Verify the ltpa.keys file was generated after FIPS 140-3 was enabled or verify LTPA keys were created using the securityUtility createLTPAKeys command with FIPS 140-3 enabled.

Default location: ${server.output.dir}/resources/security/ltpa.keys

If LTPA keys were created before FIPS 140-3 was enabled and have not been regenerated, this is a finding.


Method (II) IBM Semeru Runtimes with WebSphere Liberty (FIPS 140-3):

1. Verify FIPS 140-3 is configured by checking for the existence of the FIPS 140-3 profile file in one of the following locations:

- Installation level: <Liberty install location>/wlp/etc/FIPS140-3-Liberty-Application.properties
- Server level: <server root>/resources/security/FIPS140-3-Liberty-Application.properties
- Client level: <client root>/resources/security/FIPS140-3-Liberty-Application.properties

If the FIPS 140-3 profile file does not exist, this is a finding.

2. Review the FIPS 140-3 profile file and verify it contains the appropriate security provider configurations. The file should contain entries similar to:

RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty-Application.jce.provider.1 = com.ibm.crypto.plus.

If the profile file does not contain valid provider configurations, this is a finding.

3. Verify TLS protocol is set to TLS 1.2 or TLS 1.3 in the ${server.config.dir}/server.xml file.

<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
or
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.3" />

If TLS 1.2 or TLS 1.3 is not configured, this is a finding.

4. Verify LTPA keys are FIPS 140-3 compliant. Verify the ltpa.keys file was generated after FIPS 140-3 was enabled. If an ltpa.keys.nofips backup file exists, verify new FIPS 140-3 compliant keys were generated.

Default location: ${server.output.dir}/resources/security/ltpa.keys

If LTPA keys were created before FIPS 140-3 was enabled and have not been regenerated, this is a finding.

5. SAML Configuration (FIPS 140-3 specific): If SAML is used, verify that only FIPS 140-3 approved signature algorithms are configured in the ${server.config.dir}/server.xml file:

Approved algorithms: SHA256, SHA384, SHA512, ECDSAwithSHA256, ECDSAwithSHA384, ECDSAwithSHA512

Example:
<samlWebSso20 id="defaultSP" signatureMethodAlgorithm="SHA256" />

If SHA1 or other nonapproved algorithms are configured, this is a finding.
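The Check Content steps above for both methods can be automated as a read-only audit. The script below is an added example and is not part of the STIG text or of IBM's securityUtility tooling. It assumes the server directory passed to it holds jvm.options and server.xml (server.config.dir) together with resources/security (server.output.dir), that each XML element sits on one line, and that the server-level profile location is the one in use for Method (II); it also builds a constructed sample directory (the make_fixture function, including a placeholder provider class value) so it can be exercised offline.

```sh
#!/bin/sh
# Read-only audit for STIG V-283668 Check Content (added example; not part of the
# STIG text or IBM's tooling). Assumptions: the server directory holds jvm.options
# and server.xml (server.config.dir) and resources/security (server.output.dir);
# one XML element per line; server-level FIPS profile location for Method (II).
# Exit status 0 = no finding, 1 = at least one finding.

trim() { sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$1"; }

# Method (I) step 1: all three FIPS 140-3 JVM options present as whole lines.
check_jvm_options() {
    f="$1/jvm.options"
    [ -f "$f" ] || return 1
    for opt in '-Xenablefips140-3' \
               '-Dcom.ibm.jsse2.usefipsprovider=true' \
               '-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS'; do
        trim "$f" | grep -qxF -- "$opt" || return 1
    done
}

# Method (II) steps 1-2: profile file exists and carries a jce.provider entry.
check_fips_profile() {
    f="$1/resources/security/FIPS140-3-Liberty-Application.properties"
    [ -f "$f" ] || return 1
    grep -qE '^RestrictedSecurity\.OpenJCEPlusFIPS\..*\.jce\.provider\.[0-9]+[[:space:]]*=' "$f"
}

# Steps 2/3: every <ssl> element pins TLSv1.2 or TLSv1.3 (none may omit it).
check_ssl_protocol() {
    f="$1/server.xml"
    [ -f "$f" ] || return 1
    n_ssl=$(grep -c '<ssl ' "$f" || true)
    n_ok=$(grep -cE '<ssl [^>]*sslProtocol="TLSv1\.[23]"' "$f" || true)
    [ "$n_ssl" -gt 0 ] && [ "$n_ssl" -eq "$n_ok" ]
}

# Steps 3/4: ltpa.keys must be newer than the file that enabled FIPS ($2 is that
# marker: jvm.options for Method (I), the profile file for Method (II)) and,
# when a ltpa.keys.nofips backup exists, newer than the backup as well.
check_ltpa_keys() {
    keys="$1/resources/security/ltpa.keys"; marker="$2"
    [ -f "$keys" ] && [ -f "$marker" ] || return 1
    [ "$keys" -nt "$marker" ] || return 1
    if [ -f "$keys.nofips" ]; then [ "$keys" -nt "$keys.nofips" ] || return 1; fi
}

# Step 5: every configured SAML signature algorithm must be on the approved list.
# Elements that omit signatureMethodAlgorithm are not evaluated here.
check_saml_algorithms() {
    f="$1/server.xml"
    [ -f "$f" ] || return 1
    grep -q '<samlWebSso20 ' "$f" || return 0   # SAML not used: not applicable
    grep -oE 'signatureMethodAlgorithm="[^"]*"' "$f" | sed 's/.*="//;s/"$//' |
    while read -r alg; do
        case "$alg" in
            SHA256|SHA384|SHA512|ECDSAwithSHA256|ECDSAwithSHA384|ECDSAwithSHA512) ;;
            *) echo "  non-approved SAML signature algorithm: $alg" >&2; exit 1 ;;
        esac
    done
}

run_check() {   # run_check "<label>" <function> <args...>
    label="$1"; shift
    if "$@"; then echo "PASS     $label"; else echo "FINDING  $label"; return 1; fi
}

audit_server() {   # audit_server <server dir> <I|II>
    dir="$1"; rc=0
    if [ "$2" = "I" ]; then
        marker="$dir/jvm.options"
        run_check "jvm.options FIPS 140-3 properties" check_jvm_options "$dir" || rc=1
    else
        marker="$dir/resources/security/FIPS140-3-Liberty-Application.properties"
        run_check "FIPS 140-3 profile file and provider entry" check_fips_profile "$dir" || rc=1
        run_check "SAML signature algorithms" check_saml_algorithms "$dir" || rc=1
    fi
    run_check "server.xml sslProtocol is TLSv1.2/TLSv1.3" check_ssl_protocol "$dir" || rc=1
    run_check "ltpa.keys generated after FIPS 140-3 enablement" check_ltpa_keys "$dir" "$marker" || rc=1
    return $rc
}

# Constructed sample server directory for offline exercise (not a real install).
# Variant "stale-keys" makes ltpa.keys older than the FIPS enablement marker.
make_fixture() {
    d="$1"; sec="$d/resources/security"
    mkdir -p "$sec"
    printf '%s\n' '-Xenablefips140-3' '-Dcom.ibm.jsse2.usefipsprovider=true' \
        '-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS' > "$d/jvm.options"
    printf '%s\n' '<server>' \
        '    <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />' \
        '    <samlWebSso20 id="defaultSP" signatureMethodAlgorithm="SHA256" />' \
        '</server>' > "$d/server.xml"
    # provider class value is a constructed placeholder, not the real class name
    printf '%s\n' \
        'RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty-Application.jce.provider.1 = com.ibm.crypto.plus.PLACEHOLDER' \
        > "$sec/FIPS140-3-Liberty-Application.properties"
    touch -t 202001010000 "$d/jvm.options" "$sec/FIPS140-3-Liberty-Application.properties"
    echo 'constructed-placeholder-key-material' > "$sec/ltpa.keys"   # written now
    [ "$2" = "stale-keys" ] && touch -t 201901010000 "$sec/ltpa.keys"
    return 0
}

# Usage: sh stig_v283668_audit.sh <server dir> <I|II>
if [ $# -eq 2 ] && [ -d "$1" ]; then audit_server "$1" "$2"; fi
```

The modification-time comparison is a proxy for "generated after FIPS 140-3 was enabled": it catches keys copied in from a pre-FIPS server, but not a jvm.options file that was touched after the keys were regenerated, so treat a FINDING on that line as a prompt to confirm key provenance rather than as proof.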

Fix Text

There are two ways to meet this requirement using FIPS 140-3. Only one method is required.

If IBM JDK 8 version 8.0.8.30 or later is installed and configured to run with WebSphere Liberty version 25.0.0.3 or later, proceed with method (I).
If IBM Semeru Runtimes version 11.0.29, 17.0.17, 21.0.9, 25.0.1 or higher is installed and configured with WebSphere Liberty version 25.0.0.12 or later, proceed with method (II).

Method (I) IBM JDK 8 (version 8.0.8.30 or later) with WebSphere Liberty (version 25.0.0.3 or later):

1. If Liberty server is running, stop it.

2. Edit/create the ${server.config.dir}/jvm.options file. Edit/add the following three properties:

-Xenablefips140-3
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

3. If there are existing LTPA keys, delete the ltpa.keys file before restarting the server to generate new FIPS 140-3-compliant keys.

Default location: ${server.output.dir}/resources/security/ltpa.keys

A new ltpa.keys file will be automatically created when the Liberty server restarts with FIPS 140-3-compliant keys.

4. Restart the Liberty server to enable FIPS 140-3.

5. Verify TLS protocol is set to TLS 1.2 or TLS 1.3 in the ${server.config.dir}/server.xml file.

<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
or
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.3" />

Alternative LTPA Key Creation Method:
To manually create LTPA keys with FIPS 140-3 approved algorithms using the securityUtility command:

1. Export the required system properties:

export JVM_ARGS="-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS"

2. Run the securityUtility createLTPAKeys command:

securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes

Important: If LTPA validation keys exist, delete these and generate new validation keys after FIPS 140-3 is enabled using the securityUtility createLTPAKeys command as shown above.

Method (II) IBM Semeru Runtimes with WebSphere Liberty (FIPS 140-3):

1. If the Liberty server is running, stop it.

2. Enable FIPS 140-3 using the securityUtility configureFIPS command. To enable across all servers, clients and tools (Installation level):

securityUtility configureFIPS
To enable for a specific server:
securityUtility configureFIPS --server=<server_name>
To enable for a specific client:
securityUtility configureFIPS --client=<client_name>

This command configures the FIPS enablement requirements and creates a Java security properties file.

3. (Optional) To create a custom profile in a specific location:

securityUtility configureFIPS --customProfileFile=<file_path>

The default profile locations are:

- Installation level: <Liberty install location>/wlp/etc/FIPS140-3-Liberty-Application.properties
- Server level: <server root>/resources/security/FIPS140-3-Liberty-Application.properties
- Client level: <client root>/resources/security/FIPS140-3-Liberty-Application.properties

4. Restart the Liberty server to enable FIPS 140-3.

When the server restarts after FIPS 140-3 is enabled:

- A new ltpa.keys file is automatically created with FIPS-approved algorithms.
- Existing ltpa.keys files are backed up to ltpa.keys.nofips.

5. Verify TLS protocol is set to TLS 1.2 or TLS 1.3 in the ${server.config.dir}/server.xml file.

<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
or
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.3" />

6. SAML Configuration: If SAML is used, configure only FIPS 140-3-approved signature algorithms in the ${server.config.dir}/server.xml file.

Approved algorithms: SHA256, SHA384, SHA512, ECDSAwithSHA256, ECDSAwithSHA384, ECDSAwithSHA512

Example:
<samlWebSso20 id="defaultSP" signatureMethodAlgorithm="SHA256" />

Alternative LTPA Key Creation Method:
To manually create LTPA keys with FIPS 140-3-approved algorithms:

1. Configure FIPS 140-3 at the installation level (as shown in step 2 above).

2. Run the securityUtility createLTPAKeys command:

securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes

Important: If LTPA validation keys exist, delete these and generate new validation keys after FIPS 140-3 is enabled using the securityUtility createLTPAKeys command.
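Method (I) fix steps 2 and 3 are file edits that are easy to get wrong when applied repeatedly (duplicated jvm.options entries, a forgotten ltpa.keys). The helper below is an added example and is not part of the STIG text or of IBM's securityUtility tooling. It assumes the Liberty server has already been stopped (step 1), that server.config.dir and server.output.dir are the same directory, and it leaves the restart (step 4) to the operator. It differs from the literal fix text in one deliberate way: instead of deleting ltpa.keys it renames the old file to ltpa.keys.nofips (the backup name Method (II) uses), so the pre-FIPS keys are retained for review until the regenerated keys are confirmed; the make_prefix_fixture function builds a constructed pre-fix directory for offline exercise.

```sh
#!/bin/sh
# Idempotent helper for STIG V-283668 Method (I) fix steps 2-3 (added example;
# not part of the STIG text or IBM's tooling). Assumes the server is stopped and
# that server.config.dir and server.output.dir are the same directory. The old
# ltpa.keys is renamed to ltpa.keys.nofips rather than deleted (operator choice
# differing from the literal fix text); remove it once the new keys are verified.

FIPS_OPTS='-Xenablefips140-3
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS'

trim() { sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$1"; }

# Number of lines in file $1 equal to option $2 after trimming (0 if absent).
count_option() {
    [ -f "$1" ] || { echo 0; return 0; }
    trim "$1" | grep -cxF -- "$2" || true
}

# Append the option only when it is not already present, so re-running the fix
# never duplicates entries and never disturbs unrelated options already there.
ensure_jvm_option() {
    f="$1"; opt="$2"
    if [ "$(count_option "$f" "$opt")" -eq 0 ]; then
        printf '%s\n' "$opt" >> "$f"
        echo "added    $opt"
    else
        echo "present  $opt"
    fi
}

# Step 2: create or edit jvm.options with the three FIPS 140-3 properties.
enable_fips_jvm_options() {
    f="$1/jvm.options"
    printf '%s\n' "$FIPS_OPTS" | while read -r opt; do ensure_jvm_option "$f" "$opt"; done
}

# Step 3: retire pre-FIPS LTPA keys so the restart regenerates compliant ones.
retire_ltpa_keys() {
    keys="$1/resources/security/ltpa.keys"
    [ -f "$keys" ] || { echo "no ltpa.keys present; nothing to retire"; return 0; }
    mv "$keys" "$keys.nofips"
    chmod 600 "$keys.nofips"
    echo "moved    ltpa.keys -> ltpa.keys.nofips"
}

apply_method1_fix() {   # apply_method1_fix <server dir>
    enable_fips_jvm_options "$1"
    retire_ltpa_keys "$1"
}

# Constructed pre-fix server directory: one FIPS option already set, an
# unrelated option that must survive, and an existing (pre-FIPS) ltpa.keys.
make_prefix_fixture() {
    mkdir -p "$1/resources/security"
    printf '%s\n' '-Xmx1g' '-Dcom.ibm.jsse2.usefipsprovider=true' > "$1/jvm.options"
    echo 'constructed-placeholder-key-material' > "$1/resources/security/ltpa.keys"
}

# Usage: sh stig_v283668_fix_method1.sh <server dir>
if [ $# -eq 1 ] && [ -d "$1" ]; then apply_method1_fix "$1"; fi
```

Running the helper twice against the same directory leaves exactly one copy of each property in jvm.options and reports "nothing to retire" the second time; the TLS protocol (step 5) and SAML algorithm settings in server.xml are left for a manual edit, since rewriting XML with shell tools is not a safe operation.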