IBM WebSphere Liberty Server STIG Version Comparison

There are 1 differences between versions v2 r1 (Oct. 24, 2024) (the "left" version) and v2 r3 (Jan. 5, 2026) (the "right" version).

Check IBMW-LS-000520 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.

Check Content

There are two ways to meet this requirement. Only one method is required. If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I). If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux. Method (I) IBM JDK 8 is configured to run with WebSphere Liberty: 1. Review the ${server.config.dir}/jvm.options file. Verify FIPS is in use. use If by checking the -Dcom.ibm.jsse2.usefipsprovider=true following lines: Dcom.ibm.jsse2.usefipsprovider=true Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS If the property properties is are not set as shown in the ${server.config.dir}/jvm.options file, this is a finding. Review the finding. 2. Open ${JAVA_HOME}/jre/lib/security/java.security file. Locate If the ${JAVA_HOME}/jre/lib/security/java.security file does not contain the following settings, this is a finding. ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl Locate the list of cryptographic providers and replace confirm the following entries in the provider list: com.ibm.jsse2.IBMJSSEProvider2 com.ibm.crypto.plus.provider.IBMJCEPlusFIPS com.ibm.crypto.provider.IBMJCE com.ibm.crypto.plus.provider.IBMJCEPlus If the entries are not set as shown in the ${JAVA_HOME}/jre/lib/security/java.security file, this is a finding. Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System. 1. Run the following command on the RedHat Enterprise Linux. Verify FIPS mode is enabled. # fips-mode-setup --check If FIPS mode is not enabled, this is a finding. 2. Review the ${server.config.dir}/jvm.options file. Verify "semeru.fips" property is set to true. Dsemeru.fips=true If the property is not set as shown in the ${server.config.dir}/jvm.options file, this is a finding. 3. Confirm NSS packages are installed by running "# dnf install nss" in a terminal. # dnf install nss Updating Subscription Management repositories. Last metadata expiration check: 0:56:30 ago on Wed 13 Sep 2023 07:29:35 AM PDT. Package nss-3.79.0-11.el8_7.x86_64 is already installed. Dependencies resolved. Nothing to do. Complete! If the command does not return output stating NSS is installed, this is a finding. 4. Confirm NSS Database has the keystore imported by running "# certutil -L -d /etc/pki/nssdb" in a terminal. # certutil -L -d /etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI default CTu,Cu,Cu If the command does not return the results as shown, this is a finding. 5. Review the ${server.config.dir}/server.xml and confirm the following entries: name = NSS-FIPS library = /usr/lib64/libsoftokn3.so slot = 3 showInfo = true If the entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding. 6. Review the ${server.config.dir}/server.xml file with the following steps: 6.1 Locate <ssl> configuration that is specifying the default SSL configuration for Liberty. 6.2 Locate the "keyStoreRef" attribute in the <ssl> configuration and find the referenced <keyStore> configuration. 6.3 Verify the "provider" attribute is set to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS" in the <keyStore> configuration. 6.4 Verify the "type" attribute is set to "PKCS11". 6.5 Verify the "fileBased" attribute is set to "false". 6.6 Find the "location" attribute for the configuration file of NSS keystore database (In the example below, it with is "/tmp/pkcs11cfg.cfg"). 6.7 Verify the following list file is in a location accessible to Liberty. Snippet of server.xml: <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" /> <keyStore id="defaultKeyStore" password="{xor}Lz4sLCgwLTsINis3" location="/tmp/pkcs11cfg.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11-NSS-FIPS" /> If the following order: security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.2=com.ibm.jsse2.IBMJSSEProvider2 security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.security.sasl.IBMSASL security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider security.provider.9=org.apache.harmony.security.provider.PolicyProvider security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO entries are not set as shown in the ${server.config.dir}/server.xml file, this is a finding.

Discussion

Application servers must use and meet requirements of the DoD DOD Enterprise PKI infrastructure for application authentication. Encryption is only as good as the encryption modules used. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. TLS client. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140, SRG-APP-000439-AS-000155, SRG-APP-000442-AS-000259, SRG-APP-000514-AS-000136

Fix

There are two ways to meet this requirement. Only one method is required. If IBM JDK 8 is installed and configured to run with WebSphere Liberty, proceed with method (I). If IBM Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty, proceed with method (II). Currently IBM Semeru supports FIPS on RedHat Enterprise Linux. Method (I) IBM JDK 8 is configured to run with WebSphere Liberty: 1. Edit/create the ${server.config.dir}/jvm.options file. Edit/add the following two properties: Dcom.ibm.jsse2.usefipsprovider=true Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS 2. Edit the ${server.config.dir}/jvm.options file. Add or modify the -Dcom.ibm.jsse2.usefipsprovider=true property to enable the JSSE2 provider to run in FIPS 140-2 mode. Edit ${JAVA_HOME}/jre/lib/security/java.security file and locate to register additional cryptographic package provides. Update these two lines: #ssl.SocketFactory.provider= #ssl.ServerSocketFactory.provider= to ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl Locate the list of cryptographic providers providers. Edit/add that are located after the line # List of providers and their preference orders and replace it with the following list: security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.2=com.ibm.jsse2.IBMJSSEProvider2 security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath security.provider.6=com.ibm.security.sasl.IBMSASL security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider security.provider.9=org.apache.harmony.security.provider.PolicyProvider security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO four providers: security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus Method (II) Semeru Runtimes version 11 and above is installed and configured with WebSphere Liberty. Requires RedHat Enterprise Linux as the Host Operating System. 1. Log in as root or super user. 2. Enable FIPS on the RedHat Enterprise Linux. $ fips-mode-setup --enable $ fips-mode-setup --check 3. Update/create the ${server.config.dir}/jvm.options. Edit/add the following property: Dsemeru.fips=true 4. Install NSS packages. Run "$ dnf install nss". 5. Import keystores to NSS Database by using "pk12util" command. Replace "changeit" for -W option to the desired password. $ pk12util -i resources/security/key.p12 -W changeit -d /etc/pki/nssdb pk12util: PKCS12 IMPORT SUCCESSFUL 6. Mark the imported certificates as a trusted certificate authority (CA). $ certutil -M -n default -t "CT,CT,CT" -d /etc/pki/nssdb 7. List the contents of the NSS Database to confirm the alias name and the Trust Attributes. $ certutil -L -d /etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI default CTu,Cu,Cu 8. Create a config file (pkcs11cfg.cfg) with the contents below. It will be used by ${server.config.dir}/server.xml. name = NSS-FIPS library = /usr/lib64/libsoftokn3.so slot = 3 showInfo = true 9. Update the ${server.config.dir}/server.xml file to use the configuration file in its SSL configuration. <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" /> <keyStore id="defaultKeyStore" password="password used in -W parameter earlier here" location="${server.config.dir}/pkcs11cfg.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11-NSS-FIPS"/> 9.1 Find the <keyStore/> configuration referenced in the ssl configuration as "keyStoreRef". 9.2 Set "provider" attribute to either "SunPKCS11-NSS-FIPS" or "PKCS11-NSS-FIPS". 9.3 Set the "type" attribute to "PKCS11". 9.4 Set the "fileBased" attribute to "false". 9.5 Set the "location" attribute to point to the NSS keystore configuration created in step 8 (pkcs11.cfg.cfg). 9.6 Verify the file is in a location accessible to Liberty.