DISA STIGS Viewer

The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.

Overview

Finding ID Version Rule ID IA Controls Severity
V-250339 IBMW-LS-000520 SV-250339r1067571_rule   High
Description
Application servers must use and meet requirements of the DOD Enterprise PKI infrastructure for application authentication. Encryption is only as good as the encryption modules used. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140, SRG-APP-000439-AS-000155, SRG-APP-000442-AS-000259, SRG-APP-000514-AS-000136
STIG Date
IBM WebSphere Liberty Server Security Technical Implementation Guide 2025-02-11

Details

Check Text (C-53774r1067569_chk)
There are two ways to meet this requirement. Only one method is required.

If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I).

If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux.

Method (I) IBM JDK 8 is configured to run with WebSphere Liberty:

1. Review the ${server.config.dir}/jvm.options file. Verify FIPS is in use by checking the following lines:

Dcom.ibm.jsse2.usefipsprovider=true
Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

If the properties are not set as shown in the ${server.config.dir}/jvm.options file, this is a finding.

2. Open ${JAVA_HOME}/jre/lib/security/java.security file. Locate the list of cryptographic providers and confirm the following entries in the provider list:

com.ibm.crypto.plus.provider.IBMJSSEProvider2
com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
com.ibm.crypto.plus.provider.IBMJCEPlus
com.ibm.crypto.plus.provider.IBMJCE

If the entries are not set as shown in the ${JAVA_HOME}/jre/lib/security/java.security file, this is a finding.


Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System.

1. Run the following command on the RedHat Enterprise Linux. Verify FIPS mode is enabled.
# fips-mode-setup --check
If FIPS mode is not enabled, this is a finding.

2. Review the ${server.config.dir}/jvm.options file. Verify "semeru.fips" property is set to true.
Dsemeru.fips=true
If the property is not set as shown in the ${server.config.dir}/jvm.options file, this is a finding.

3. Confirm NSS packages are installed by running "# dnf install nss" in a terminal.

# dnf install nss
Updating Subscription Management repositories.
Last metadata expiration check: 0:56:30 ago on Wed 13 Sep 2023 07:29:35 AM PDT.
Package nss-3.79.0-11.el8_7.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

If the command does not return output stating NSS is installed, this is a finding.

4. Confirm NSS Database has the keystore imported by running "# certutil -L -d /etc/pki/nssdb" in a terminal.

# certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
default CTu,Cu,Cu

If the command does not return the results as shown, this is a finding.

5. Review the ${server.config.dir}/server.xml and confirm the following entries:

name = NSS-FIPS
library = /usr/lib64/libsoftokn3.so
slot = 3
showInfo = true

If the entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding.

6. Review the ${server.config.dir}/server.xml file with the following steps:

6.1 Locate <ssl> configuration that is specifying the default SSL configuration for Liberty.
6.2 Locate the "keyStoreRef" attribute in the <ssl> configuration and find the referenced <keyStore> configuration.
6.3 Verify the "provider" attribute is set to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS" in the <keyStore> configuration.
6.4 Verify the "type" attribute is set to "PKCS11".
6.5 Verify the "fileBased" attribute is set to "false".
6.6 Find the "location" attribute for the configuration file of NSS keystore database (In the example below, it is "/tmp/pkcs11cfg.cfg").
6.7 Verify the file is in a location that is accessible to Liberty.

Snippet of server.xml:
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" />
<keyStore id="defaultKeyStore" password="{xor}Lz4sLCgwLTsINis3" location="/tmp/pkcs11cfg.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11-NSS-FIPS" />

If the entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding.
Fix Text (F-53728r1067570_fix)
There are two ways to meet this requirement. Only one method is required.

If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I).

If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux.

Method (I) IBM JDK 8 is configured to run with WebSphere Liberty:

1. Edit/Create the ${server.config.dir}/jvm.options file.
Edit/Add the following two properties:
Dcom.ibm.jsse2.usefipsprovider=true
Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

2. Edit ${JAVA_HOME}/jre/lib/security/java.security file and locate the list of cryptographic providers. Edit/add the following four providers:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus

Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System.

1. Log in as root or super user.

2. Enable FIPS on the RedHat Enterprise Linux.
$ fips-mode-setup --enable
$ fips-mode-setup --check

3. Update/create the ${server.config.dir}/jvm.options.
Edit/Add the following property:
Dsemeru.fips=true

4. Install NSS packages. Run "$ dnf install nss".

5. Import keystores to NSS Database by using "pk12util" command. Replace "changeit" for -W option to the desired password.

$ pk12util -i resources/security/key.p12 -W changeit -d /etc/pki/nssdb
pk12util: PKCS12 IMPORT SUCCESSFUL

6. Mark the imported certificates as a trusted certificate authority (CA).

$ certutil -M -n default -t "CT,CT,CT" -d /etc/pki/nssdb

7. List the contents of the NSS Database to confirm the alias name and the Trust Attributes.

$ certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
default CTu,Cu,Cu

8. Create a config file (pkcs11cfg.cfg) with the contents below. It will be used by ${server.config.dir}/server.xml.

name = NSS-FIPS
library = /usr/lib64/libsoftokn3.so
slot = 3
showInfo = true

9. Update the ${server.config.dir}/server.xml file to use the configuration file in its SSL configuration.

<ssl id="defaultSSLConfig"
keyStoreRef="defaultKeyStore"
sslProtocol="TLSv1.2" />
<keyStore id="defaultKeyStore" password="password used in -W parameter earlier here"
location="${server.config.dir}/pkcs11cfg.cfg" type="PKCS11"
fileBased="false" provider="SunPKCS11-NSS-FIPS"/>

9.1 Find the <keyStore/> configuration referenced in the ssl configuration as "keyStoreRef".
9.2 Set "provider" attribute to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS".
9.3 Set the "type" attribute to "PKCS11"
9.4 Set the "fileBased" attribute to "false"
9.5 Set the "location" attribute to point to the NSS keystore configuration created in step 8 (pkcs11.cfg.cfg).
9.6 Verify the file is in a location that is accessible to Liberty.