The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-250339	SRG-APP-000179-AS-000129	IBMW-LS-000520	SV-250339r1067571_rule	2025-02-11	2

Description
Application servers must use and meet requirements of the DOD Enterprise PKI infrastructure for application authentication. Encryption is only as good as the encryption modules used. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140, SRG-APP-000439-AS-000155, SRG-APP-000442-AS-000259, SRG-APP-000514-AS-000136

Description

Application servers must use and meet requirements of the DOD Enterprise PKI infrastructure for application authentication. Encryption is only as good as the encryption modules used. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140, SRG-APP-000439-AS-000155, SRG-APP-000442-AS-000259, SRG-APP-000514-AS-000136

ℹ️ Check
There are two ways to meet this requirement. Only one method is required. If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I). If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux. Method (I) IBM JDK 8 is configured to run with WebSphere Liberty: 1. Review the ${server.config.dir}/jvm.options file. Verify FIPS is in use by checking the following lines: Dcom.ibm.jsse2.usefipsprovider=true Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS If the properties are not set as shown in the ${server.config.dir}/jvm.options file, this is a finding. 2. Open ${JAVA_HOME}/jre/lib/security/java.security file. Locate the list of cryptographic providers and confirm the following entries in the provider list: com.ibm.crypto.plus.provider.IBMJSSEProvider2 com.ibm.crypto.plus.provider.IBMJCEPlusFIPS com.ibm.crypto.plus.provider.IBMJCEPlus com.ibm.crypto.plus.provider.IBMJCE If the entries are not set as shown in the ${JAVA_HOME}/jre/lib/security/java.security file, this is a finding. Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System. 1. Run the following command on the RedHat Enterprise Linux. Verify FIPS mode is enabled. # fips-mode-setup --check If FIPS mode is not enabled, this is a finding. 2. Review the ${server.config.dir}/jvm.options file. Verify "semeru.fips" property is set to true. Dsemeru.fips=true If the property is not set as shown in the ${server.config.dir}/jvm.options file, this is a finding. 3. Confirm NSS packages are installed by running "# dnf install nss" in a terminal. # dnf install nss Updating Subscription Management repositories. Last metadata expiration check: 0:56:30 ago on Wed 13 Sep 2023 07:29:35 AM PDT. Package nss-3.79.0-11.el8_7.x86_64 is already installed. Dependencies resolved. Nothing to do. Complete! If the command does not return output stating NSS is installed, this is a finding. 4. Confirm NSS Database has the keystore imported by running "# certutil -L -d /etc/pki/nssdb" in a terminal. # certutil -L -d /etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI default CTu,Cu,Cu If the command does not return the results as shown, this is a finding. 5. Review the ${server.config.dir}/server.xml and confirm the following entries: name = NSS-FIPS library = /usr/lib64/libsoftokn3.so slot = 3 showInfo = true If the entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding. 6. Review the ${server.config.dir}/server.xml file with the following steps: 6.1 Locate <ssl> configuration that is specifying the default SSL configuration for Liberty. 6.2 Locate the "keyStoreRef" attribute in the <ssl> configuration and find the referenced <keyStore> configuration. 6.3 Verify the "provider" attribute is set to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS" in the <keyStore> configuration. 6.4 Verify the "type" attribute is set to "PKCS11". 6.5 Verify the "fileBased" attribute is set to "false". 6.6 Find the "location" attribute for the configuration file of NSS keystore database (In the example below, it is "/tmp/pkcs11cfg.cfg"). 6.7 Verify the file is in a location that is accessible to Liberty. Snippet of server.xml: <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" /> <keyStore id="defaultKeyStore" password="{xor}Lz4sLCgwLTsINis3" location="/tmp/pkcs11cfg.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11-NSS-FIPS" /> If the entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding.

ℹ️ Check

There are two ways to meet this requirement. Only one method is required. If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I). If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux. Method (I) IBM JDK 8 is configured to run with WebSphere Liberty: 1. Review the ${server.config.dir}/jvm.options file. Verify FIPS is in use by checking the following lines: Dcom.ibm.jsse2.usefipsprovider=true Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS If the properties are not set as shown in the ${server.config.dir}/jvm.options file, this is a finding. 2. Open ${JAVA_HOME}/jre/lib/security/java.security file. Locate the list of cryptographic providers and confirm the following entries in the provider list: com.ibm.crypto.plus.provider.IBMJSSEProvider2 com.ibm.crypto.plus.provider.IBMJCEPlusFIPS com.ibm.crypto.plus.provider.IBMJCEPlus com.ibm.crypto.plus.provider.IBMJCE If the entries are not set as shown in the ${JAVA_HOME}/jre/lib/security/java.security file, this is a finding. Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System. 1. Run the following command on the RedHat Enterprise Linux. Verify FIPS mode is enabled. # fips-mode-setup --check If FIPS mode is not enabled, this is a finding. 2. Review the ${server.config.dir}/jvm.options file. Verify "semeru.fips" property is set to true. Dsemeru.fips=true If the property is not set as shown in the ${server.config.dir}/jvm.options file, this is a finding. 3. Confirm NSS packages are installed by running "# dnf install nss" in a terminal. # dnf install nss Updating Subscription Management repositories. Last metadata expiration check: 0:56:30 ago on Wed 13 Sep 2023 07:29:35 AM PDT. Package nss-3.79.0-11.el8_7.x86_64 is already installed. Dependencies resolved. Nothing to do. Complete! If the command does not return output stating NSS is installed, this is a finding. 4. Confirm NSS Database has the keystore imported by running "# certutil -L -d /etc/pki/nssdb" in a terminal. # certutil -L -d /etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI default CTu,Cu,Cu If the command does not return the results as shown, this is a finding. 5. Review the ${server.config.dir}/server.xml and confirm the following entries: name = NSS-FIPS library = /usr/lib64/libsoftokn3.so slot = 3 showInfo = true If the entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding. 6. Review the ${server.config.dir}/server.xml file with the following steps: 6.1 Locate <ssl> configuration that is specifying the default SSL configuration for Liberty. 6.2 Locate the "keyStoreRef" attribute in the <ssl> configuration and find the referenced <keyStore> configuration. 6.3 Verify the "provider" attribute is set to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS" in the <keyStore> configuration. 6.4 Verify the "type" attribute is set to "PKCS11". 6.5 Verify the "fileBased" attribute is set to "false". 6.6 Find the "location" attribute for the configuration file of NSS keystore database (In the example below, it is "/tmp/pkcs11cfg.cfg"). 6.7 Verify the file is in a location that is accessible to Liberty. Snippet of server.xml: <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" /> <keyStore id="defaultKeyStore" password="{xor}Lz4sLCgwLTsINis3" location="/tmp/pkcs11cfg.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11-NSS-FIPS" /> If the entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding.

✔️ Fix
There are two ways to meet this requirement. Only one method is required. If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I). If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux. Method (I) IBM JDK 8 is configured to run with WebSphere Liberty: 1. Edit/Create the ${server.config.dir}/jvm.options file. Edit/Add the following two properties: Dcom.ibm.jsse2.usefipsprovider=true Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS 2. Edit ${JAVA_HOME}/jre/lib/security/java.security file and locate the list of cryptographic providers. Edit/add the following four providers: security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System. 1. Log in as root or super user. 2. Enable FIPS on the RedHat Enterprise Linux. $ fips-mode-setup --enable $ fips-mode-setup --check 3. Update/create the ${server.config.dir}/jvm.options. Edit/Add the following property: Dsemeru.fips=true 4. Install NSS packages. Run "$ dnf install nss". 5. Import keystores to NSS Database by using "pk12util" command. Replace "changeit" for -W option to the desired password. $ pk12util -i resources/security/key.p12 -W changeit -d /etc/pki/nssdb pk12util: PKCS12 IMPORT SUCCESSFUL 6. Mark the imported certificates as a trusted certificate authority (CA). $ certutil -M -n default -t "CT,CT,CT" -d /etc/pki/nssdb 7. List the contents of the NSS Database to confirm the alias name and the Trust Attributes. $ certutil -L -d /etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI default CTu,Cu,Cu 8. Create a config file (pkcs11cfg.cfg) with the contents below. It will be used by ${server.config.dir}/server.xml. name = NSS-FIPS library = /usr/lib64/libsoftokn3.so slot = 3 showInfo = true 9. Update the ${server.config.dir}/server.xml file to use the configuration file in its SSL configuration. <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" /> <keyStore id="defaultKeyStore" password="password used in -W parameter earlier here" location="${server.config.dir}/pkcs11cfg.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11-NSS-FIPS"/> 9.1 Find the <keyStore/> configuration referenced in the ssl configuration as "keyStoreRef". 9.2 Set "provider" attribute to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS". 9.3 Set the "type" attribute to "PKCS11" 9.4 Set the "fileBased" attribute to "false" 9.5 Set the "location" attribute to point to the NSS keystore configuration created in step 8 (pkcs11.cfg.cfg). 9.6 Verify the file is in a location that is accessible to Liberty.

✔️ Fix

There are two ways to meet this requirement. Only one method is required. If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I). If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux. Method (I) IBM JDK 8 is configured to run with WebSphere Liberty: 1. Edit/Create the ${server.config.dir}/jvm.options file. Edit/Add the following two properties: Dcom.ibm.jsse2.usefipsprovider=true Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS 2. Edit ${JAVA_HOME}/jre/lib/security/java.security file and locate the list of cryptographic providers. Edit/add the following four providers: security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System. 1. Log in as root or super user. 2. Enable FIPS on the RedHat Enterprise Linux. $ fips-mode-setup --enable $ fips-mode-setup --check 3. Update/create the ${server.config.dir}/jvm.options. Edit/Add the following property: Dsemeru.fips=true 4. Install NSS packages. Run "$ dnf install nss". 5. Import keystores to NSS Database by using "pk12util" command. Replace "changeit" for -W option to the desired password. $ pk12util -i resources/security/key.p12 -W changeit -d /etc/pki/nssdb pk12util: PKCS12 IMPORT SUCCESSFUL 6. Mark the imported certificates as a trusted certificate authority (CA). $ certutil -M -n default -t "CT,CT,CT" -d /etc/pki/nssdb 7. List the contents of the NSS Database to confirm the alias name and the Trust Attributes. $ certutil -L -d /etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI default CTu,Cu,Cu 8. Create a config file (pkcs11cfg.cfg) with the contents below. It will be used by ${server.config.dir}/server.xml. name = NSS-FIPS library = /usr/lib64/libsoftokn3.so slot = 3 showInfo = true 9. Update the ${server.config.dir}/server.xml file to use the configuration file in its SSL configuration. <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" /> <keyStore id="defaultKeyStore" password="password used in -W parameter earlier here" location="${server.config.dir}/pkcs11cfg.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11-NSS-FIPS"/> 9.1 Find the <keyStore/> configuration referenced in the ssl configuration as "keyStoreRef". 9.2 Set "provider" attribute to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS". 9.3 Set the "type" attribute to "PKCS11" 9.4 Set the "fileBased" attribute to "false" 9.5 Set the "location" attribute to point to the NSS keystore configuration created in step 8 (pkcs11.cfg.cfg). 9.6 Verify the file is in a location that is accessible to Liberty.