Configuring Common Secure Interoperability Version 2 (CSIV2) - PCI Compliance

TL;DR

To enable CSIv2 for inbound and outbound launch the wsadmin tool with -lang jython and issue the following command:

AdminTask.configureCSIOutbound('[-transportLayer 'SSL-required']')
AdminTask.configureCSIInbound('[-transportLayer 'SSL-required' ]')
AdminConfig.save()

Using the console:

Set the inbound and outbound transports in the administrative console. Make sure that administrative security is enabled.

• WebSphere Application Server Version 7.0: Click Security > Global Security > RMI/IIOP Security > CSIv2 inbound [outbound[ communications. Change the transport type under the CSIv2 Transport Layer to SSL-Required.

Transport values:

TCP/IP
SSL-required
SSL-supported

CSIv2 stands for the Common Secure Interoperability Version 2 (CSIV2) and can be found in the inbound and outbound communication settings.

FIPS Compliance-Part III. enableFips using wsadmin and jython jacl

TL;DR

To enable FIPS140-2, launch the wsadmin tool with -lang jython and issue the following command:

AdminTask.enableFips("[-enableFips true -fipsLevel FIPS140-2]")

or use Jacl:

$AdminTask enableFips {-enableFips true -fipsLevel transition }

Result:

fipsLevel values:

FIPS140-2

transition

SP800-131

Details:

Or you can save even more time by scripting this. I wrote the following script to do the job for me (my actual script is longer as now it supports different fipsLevel values).

Example jython script:

import sys, java
def enableFIPS(fipsLevel):
  AdminTask.enableFips("[-enableFips true -fipsLevel FIPS140-2)
  AdminConfig.save()
def disableFIPS():
  AdminTask.enableFips("[-enableFips false)
  AdminConfig.save()
if sys.argv[0].lower()=="enable":
  print 'Enabling the FIPS140-2'
  enableFIPS("FIPS140-2")
elif sys.argv[0].lower()=="disable"
  disableFIPS()

FIPS Compliance-Part II. IBMJCEFIPS not found for IBMSecureRandom

TL;DR

Add the following lines to the java.security ([java_homedir]/jre/lib/security/java.security) file:

security.provider.1=com.ibm.securerandom.provider.IBMSecureRandom
security.provider.2=com.ibm.crypto.provider.IBMJCE

Explanation of the issue:

After enabling the FIPS compliance you might encounter the following errors in the log file once you try to restart the Application server:

Log details:

com.ibm.websphere.ssl.JSSEHelper.getSSLContext 704
com.ibm.ws.security.orbssl.WSSSLServerSocketFactoryImpl.createSSLServerSocket 459
com.ibm.ws.orbimpl.transport.WSTransport.createServerSocket 1439
com.ibm.ws.orbimpl.transport.WSTransport createServerSocket P=312105:O=0:CT ORBX0390E: Cannot create listener thread.
Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET,
Exception=com.ibm.websphere.ssl.SSLException:
java.lang.RuntimeException: Provider IBMJCEFIPS not found for IBMSecureRandom
vmcid: 0x49421000 minor code: 77 completed: No - received while attempting to open server socket on port 1072 ].
com.ibm.ws.orbimpl.transport.WSTransport.startListening 805
com.ibm.ws.orbimpl.transport.WSTransport.createListener 724

The easiest way to fix it is by adding the missing IBM SecureRandom provider into the list before the IBM JCE provider inside the java.security ([java_homedir]/jre/lib/security/java.security):

security.provider.1=com.ibm.securerandom.provider.IBMSecureRandom
security.provider.2=com.ibm.crypto.provider.IBMJCE

FIPS Compliance-Part I. How to enable the FIPS

How to Enable the FIPS in WebSphere Application Server?

Login to the web console (http[s]://[hostname]:port/ibm/console) and navigate to:

1. Security > SSL certificate and key management.
2. Go to Manage FIPS
3. Select the check box to Use the United States Federal Information Processing Standard (FIPS 140-2) algorithms
4. Click Apply.
5. Save the configuration changes.

Next, set the environment variable to restrict the IBMJSSE2 provider to FIPS-compliant algorithms:

1. Servers > Application servers, and choose your application server
2. In the 'Configuration' tab, select the Server Infrastructure field
3. Click on the Java and Process Management > Process Definition
4. In the Additional Properties field, click Java Virtual Machine
5. Inside the Generic JVM Arguments field add the value: -Dcom.ibm.jsse2.usefipsprovider=true
6. Or, add the -Dcom.ibm.jsse2.usefipsprovider=true property to the jvm.options file

Finding the WebSphere Admin Console Port

TL;DR

locations of the files with all the ports including the ibm/console ports:

$WAS_HOME/profiles/[profileName]/config/cells/[cellName]/virtualhosts.xml

$WAS_HOME/profiles/[profileName]/config/cells/[cellName]/nodes/[dmgrName]/serverindex.xml

serverindex.xml

After the default installation of the WAS (Websphere Application Server) you can find the console located under the following URLs:

http://[hostname]:9060/ibm/console

or the SSL (secure connection) under the following URL:

https://[hostname]:9043/ibm/console

These ports are defined inside the virtualhosts.xml and serverindex.xml files that can be found in the following locations:

$WAS_HOME/profiles/[profileName]/config/cells/virtualhosts.xml
$WAS_HOME/profiles/[profileName]/config/cells/[cellName]/nodes/[dmgrName]/serverindex.xml