
Configure the module for Federal Information Processing Standard 140

The Federal Information Processing Standard 140 (FIPS) is a United States government standard for cryptographic features like encryption, decryption, hashing (message digests), Secure Sockets Layer, Transport Layer Security, Internet Protocol security, Secure Shell, signatures, key exchange, and key or certificate generation used in software products and modules. For users working with the United States government who must conform to the FIPS standard, the adapter can be configured to run in FIPS mode.

Configuring the module to run in FIPS mode restricts the adapter to working with modules whose cryptographic features comply with FIPS-approved methods and providers. From an adapter perspective, running in FIPS mode restricts the adapter to using the Transport Layer Security (TLS) security protocol, which is based on Secure Sockets Layer (SSL).

Restriction: WebSphere Adapter for Email cannot connect to Microsoft Exchange Server 2003 when FIPS (SSL 3.1 and TLS 1.0) is configured for inbound communication. The adapter generates exceptions during startup. Currently there is no known workaround for configuring WebSphere Adapter for Email for use with Microsoft Exchange Server 2003 in FIPS mode. Version 7.5.0.3 of the adapter was tested with SurgeMail 3.8 for FIPS.

To run the adapter in FIPS mode, you must instruct the adapter to use the IBM Java™ Secure Socket Extension (IBMJSSE2) provider package. The IBMJSSE2 provider is the preregistered Java Secure Socket Extension provider in the java.security file in IBM SDK, version 5.0. IBMJSSE2 uses FIPS-approved packages.

When in FIPS 140-2 mode, IBM WebSphere Adapter for Email uses the FIPS 140-2 approved cryptographic providers: IBMJCEFIPS (certificate 376) and IBMJSSEFIPS (certificate 409). The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm

Complete the following steps to run the adapter in FIPS mode.


Procedure

  1. In the IBMJSSE2 provider, set the com.ibm.jsse2.JSSEFIPS property to True.
  2. Set the following security properties so the IBMJSSE2 provider can handle all JSSE requests.

    1. Set the ssl.SocketFactory.provider property to com.ibm.jsse2.SSLSocketFactoryImpl.
    2. Set the ssl.ServerSocketFactory.provider property to com.ibm.jsse2.SSLServerSocketFactoryImpl.

  3. In the java.security properties file, add the IBMJCEFIPS provider com.ibm.crypto.fips.provider.IBMJCEFIPS to the provider list above the IBMJCE provider. Follow the security.provider.n=providername format where n denotes the order of the provider. The provider with a value of 1 is considered before the provider with a value of 2. Do not remove the IBMJCE provider.

  4. From the IBM BPM or WebSphere Enterprise Service Bus administrative console, set the system properties, which are listed under the Java virtual machine (JVM) properties. Follow the -Dpropertyname=propertyvalue format.
  5. Set security properties in the java.security file (in the IBM BPM or WebSphere Enterprise Service Bus Java virtual machine/lib/security directory).
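
One way to check the result of the procedure above before restarting the server, as an added example that is not IBM's code: a small Python audit that reads the text of a java.security file and the JVM argument list and reports which of steps 1 to 3 are not in place. Property and class names are written in the dotted package form used by the IBM SDK; the IBMJCE class name and the sample file contents are assumptions constructed for the example.

```python
import re

FIPS_JCE = "com.ibm.crypto.fips.provider.IBMJCEFIPS"  # provider added in step 3
IBM_JCE = "com.ibm.crypto.provider.IBMJCE"  # assumption: class name as shipped in the IBM SDK
FIPS_FLAG = "com.ibm.jsse2.JSSEFIPS"  # step 1
REQUIRED = {  # step 2
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}

def parse_properties(text):
    """Parse simple key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_fips(java_security_text, jvm_args):
    """Return findings as strings; an empty list means every check passed."""
    props = parse_properties(java_security_text)
    findings, rank = [], {}
    for key, value in props.items():  # map provider class -> position n
        m = re.fullmatch(r"security\.provider\.(\d+)", key)
        if m and value:
            rank[value.split()[0]] = int(m.group(1))
    for name, cls in (("IBMJCEFIPS", FIPS_JCE), ("IBMJCE", IBM_JCE)):
        if cls not in rank:
            findings.append(f"{name} is not in the provider list")
    if rank.get(FIPS_JCE, 0) > rank.get(IBM_JCE, float("inf")):
        findings.append("IBMJCEFIPS is listed after IBMJCE")
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(f"{key} is {props.get(key)!r}, expected {want}")
    flags = [a.split("=", 1)[1] for a in jvm_args if a.startswith(f"-D{FIPS_FLAG}=")]
    if not flags or flags[-1].strip().lower() != "true":
        findings.append(f"-D{FIPS_FLAG}=true is not set on the JVM")
    return findings

SAMPLE_OK = """\
# constructed java.security excerpt, not from a real installation
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
"""

if __name__ == "__main__":
    print(audit_fips(SAMPLE_OK, ["-Dcom.ibm.jsse2.JSSEFIPS=true"]))
```

The audit only inspects configuration text; it does not confirm which provider the running JVM actually selects.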
