Rational DOORS Web Access uses the IBMJSSE2 provider as the Java™ Secure Socket Extension (JSSE) provider. IBMJSSE2 does not need FIPS 140-2 approval because it delegates encryption and signature functions to a Java Cryptography Extension (JCE) provider. Rational DOORS Web Access uses the IBMJCEFIPS provider to encrypt data. IBMJCEFIPS is approved for FIPS 140-2.
C:\Program Files\IBM\Rational\DOORS Web Access\version\win32\jre\lib\security
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=org.apache.harmony.security.provider.PolicyProvider
security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
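The following check is an added example, not part of the IBM documentation: it audits provider entries for the ordering shown above, assuming the file edited in that directory is the JRE's java.security. The function name and both sample texts are constructed for illustration.

```python
import re

# Expected top of the provider list, taken from the page.
REQUIRED = {
    1: "com.ibm.fips.jsse.IBMJSSEFIPSProvider",
    2: "com.ibm.crypto.fips.provider.IBMJCEFIPS",
}
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

def audit_providers(text):
    """Return a list of problems found in java.security provider entries."""
    problems, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)          # comment lines (# ...) never match
        if not m:
            continue
        idx, cls = int(m.group(1)), m.group(2)
        if idx in seen:
            # java.util.Properties keeps the last value for a repeated key
            problems.append(f"line {lineno}: security.provider.{idx} repeated; "
                            f"{cls} overrides {seen[idx]}")
        seen[idx] = cls
    for idx, cls in REQUIRED.items():
        if seen.get(idx) != cls:
            problems.append(f"security.provider.{idx} is {seen.get(idx)}, expected {cls}")
    # The JRE reads provider.1, .2, ... and stops at the first missing number.
    gaps = [i for i in range(1, max(seen, default=0) + 1) if i not in seen]
    if gaps:
        problems.append(f"numbering gap at {gaps[0]}: later providers are not loaded")
    return problems

# Constructed samples, not files from a real installation.
GOOD = """\
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""
# FIPS lines added without renumbering the existing entries.
BAD = """\
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_providers(sample) or "ok")
```

The BAD sample shows the failure mode where the two FIPS lines are added but the existing entries keep their old numbers, so the non-FIPS providers silently take positions 1 and 2.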
C:\Program Files\IBM\Rational\DOORS Web Access\version
Near the bottom of the file, before the cd %CATALINA_HOME%\bin entry, add the set JAVA_OPTS entry for the com.ibm.jsse2.usefipsprovider parameter:
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true
cd %CATALINA_HOME%\bin
call ".\startup.bat"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
export JAVA_OPTS
C:\Program Files\IBM\Rational\DOORS Web Access\version\server\conf
sslProtocol="TLS"
This setting uses the strongest TLS version during communication between the server and a specific client.
ciphers="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
For a list of supported cipher suites, see "IBM JSSE FIPS Cipher Suites" in the Related information.
Configure the browser to send at least the minimum TLS version that the Apache Tomcat server accepts. Microsoft Internet Explorer might not have TLS enabled. To enable TLS, open Internet Explorer and, on the Advanced tab, select Use TLS version, where version is the minimum client version that the server accepts.
If you use providers that are approved by FIPS 140-2, ensure that the certificates and keystores include supported algorithms. For a list of supported key and signature algorithms, see "The Java FIPS-approved providers, IBMJSSEFIPS and IBMJCEFIPS."