1. Administering Security for Oracle WebLogic Server
  2. Configuring SSL
  3. Enabling FIPS Mode

36 Enabling FIPS Mode

Learn how to enable FIPS 140-2 mode in Oracle WebLogic Server.

FIPS Overview

The Federal Information Processing Standards (FIPS) 140-2 is a standard that describes U.S. Federal government requirements for sensitive but unclassified use.

You can enable a FIPS compliant (FIPS 140-2) implementation of WebLogic Server using the Jipher JCE and SunJSSE providers.

For supported versions of FIPS, see Supported FIPS Standards and Cipher Suites.

Using Jipher JCE and SunJSSE Providers

The combination of the Jipher JCE provider and the SunJSSE provider creates a FIPS-compliant implementation of WebLogic Server. Ensure Jipher JCE and SunJSSE are registered in first and second position, respectively, in the list of security providers.

Enabling FIPS Mode with Jipher JCE and SunJSSE Providers

Create a FIPS-compliant implementation of WebLogic Server with a combination of the Jipher JCE provider and the SunJSSE provider.

You can enable FIPS 140-2 mode by either creating your own java.security file and specifying Java options from the command line or by editing the installed JDK java.security file.

Enabling FIPS Mode From Java Options with Jipher

You can enable FIPS 140-2 mode with the Jipher JCE and SunJSSE providers using Java security files and specifying Java options on the command line.

  1. Create your own java.security file. You can use the one that comes with the installed JDK as a guide.
  2. Add the Jipher JCE provider as the first Java security provider listed in your java.security properties file. Move the rest of the providers down one position:
    security.provider.1=com.oracle.jipher.provider.JipherJCE
security.provider.2=SunJSSE
security.provider.3=SUN
  3. Add keystore.type=pkcs12 in your java.security properties file to block non-PKCS12 type keystores. If the keystore.type=jks system property already exists in the file, delete it.
  4. Set -Djava.security.properties and -Dweblogic.security.fips140strictkeystores=true on the WebLogic Server start command line to override the default configuration in the java.security file and prevent WebLogic Server from using any non-PKCS12 type keystores, respectively. For -Djava.security.properties, specify a full file path to your custom java.security file.
    set JAVA_OPTIONS="-Djava.security.properties=C:\Users\user\java.security -Dweblogic.security.fips140strictkeystores=true"

    Note:

    Use a single equal sign (=) to specify a filename if you want the java.security properties to be appended to the installed JRE security properties. Use two equal signs (==) if you want to override all the Java security properties, for instance, -Djava.security.properties==C:\Users\user\java.security.
  5. Start WebLogic Server.
    If you are upgrading from a WebLogic Server environment that uses JKS keystores and blocking JKS keystores will cause issues, you can set weblogic.security.fips140strictkeystores=false and keystore.type=jks. However, for strict FIPS compliance, you should convert any JKS keystores instead. See Converting a Non-FIPS Compliant Keystore Using the Jipher JCE Provider for more information and conversion instructions.

Enabling FIPS 140-2 Mode From java.security

You can enable FIPS 140-2 mode from the installed JDK java.security file.

  1. Edit the java.security file to add the Jipher JCE provider as the first Java security provider listed in the java.security properties file. Move the rest of the providers down a position:
    security.provider.1=com.oracle.jipher.provider.JipherJCE
security.provider.2=SunJSSE
security.provider.3=SUN
  2. Add keystore.type=pkcs12 to block non-PKCS12 type keystores. If the keystore.type=jks property already exists in the file, delete it.
  3. Set weblogic.security.fips140strictkeystores=true on the WebLogic Server start command line to prevent WebLogic Server from using any non-PKCS12 type keystores.
    set JAVA_OPTIONS=-Dweblogic.security.fips140strictkeystores=true
  4. Start WebLogic Server.
    If you are upgrading from a WebLogic Server environment that uses JKS keystores and blocking JKS keystores will cause issues, you can set keystore.type=jks in the java.security file and weblogic.security.fips140strictkeystores=false as a system property. However, for strict FIPS compliance, you should convert any JKS keystores instead. See Converting a Non-FIPS Compliant Keystore Using the Jipher JCE Provider for more information and conversion instructions.

Removing Dell JCE and Dell BSAFE JSSE Providers

Prior to WebLogic Server 14.1.2.0.0, FIPS compliance was implemented using the Dell JCE and Dell BSAFE JSSE providers. FIPS mode is now provided by the Jipher JCE and SunJSSE providers. You should remove references to the Dell providers from your WebLogic Server environment.

Note:

You only need to perform these steps if you are upgrading from WebLogic Server 14.1.1.0.0 or earlier and had previously modified your environment to be FIPS compliant.
  1. Remove the following JAR files from the class path:
    • MW_HOME/jlib/jcmFIPS.jar
    • MW_HOME/jlib/cryptoj.jar
    • WL_HOME/server/lib/sslj.jar

    Confirm they are removed from the PRE_CLASSPATH environment variable as well.

  2. Update the java.security file to remove the Dell JCE provider and the Dell BSAFE JSSE provider from the list of security providers and re-order the remaining providers.

To enable FIPS mode, see Enabling FIPS Mode with Jipher JCE and SunJSSE Providers.

Creating FIPS 140-2 Compliant Keystores

JKS or PKCS12 keystores created with the keytool utility and using the SunJSSE provider (the default) may not be fully FIPS compliant. To ensure that your keystores are FIPS 140-2 compliant, you can convert the keystores that you created with the SunJSSE provider by using the keytool command with the Jipher JCE provider supplied with the WebLogic Server distribution.

Although you can create a keystore with SunJSSE using FIPS-approved algorithms, if a FIPS-validated crypto implementation is not used, then it is not officially FIPS-compliant.

Also, some environments, such as Java Cloud Service configured with the Oracle Identity Cloud Integrator provider, use the default JKS keystore with CA certificates, cacerts. In these environments, you must convert the JKS keystore to a FIPS compliant PKCS12 keystore using the Jipher JCE provider.

To ensure that only PKCS12 type keystores are allowed, you can set the following system property when starting WebLogic Server: weblogic.security.fips140strictkeystores=true and add keystore.type=pkcs12 to the java.security file. If you are upgrading from a WebLogic Server environment that uses JKS, ensure that you have converted those legacy keystores to PKCS12 before, making these changes.

The following sections provide procedures for completing these steps to ensure your keystores are FIPS compliant:

Converting a Non-FIPS Compliant Keystore Using the Jipher JCE Provider

Using the WebLogic Server distribution classpath, you can convert a non-compliant keystore using the keytool –importkeystore command with the Jipher JCE provider.

To convert a non-compliant keystore using the Jipher JCE provider:

keytool -importkeystore -srckeystore srckeystore          
–srcstoretype srcstoretype         
-srcprovidername providername –destkeystore destkeystore
-deststoretype PKCS12 -destprovidername JipherJCE
-providerclass com.oracle.jipher.provider.JipherJCE
-providerpath $CLASSPATH

In this command, provide values for the following parameters:

  • -srckeystore – Name of the source keystore
  • -srcstoretype – Type of source keystore, for example PKCS12
  • -srcprovidername – Name of the source keystore provider. Set to JipherJCE if srcstoretype is PKCS12
  • -destkeystore - Name of the destination keystore
  • -deststoretype – Type of destination keystore. Set to PKCS12 for the Jipher JCE provider
  • -destprovidername – Name of the destination keystore provider. Set to JipherJCE for the Jipher JCE provider
  • -providerclass – Name of the provider class. Set to com.oracle.jipher.provider.JipherJCE
  • -providerpath - Classpath for the provider

Converting the Default JKS Keystore for FIPS Compliance

FIPS 140-2 requires keystores to be in PKCS12 format using PBES2 protection; JKS keystores and PKCS12 keystores created with keytool using the Sun JSSE provider (the default) are not supported. If you are using the default JDK cacerts keystore, such as in a Java Cloud Service environment using the Oracle Identity Cloud Integrator provider, you need to complete the following steps to ensure FIPS compliance:

This example illustrates the steps required to convert the keystore and update the Java system properties.
  1. Load the JKS keystore with the default provider and save it as a PKCS12 keystore with the Jipher JCE provider.
    keytool -importkeystore -v
      -srckeystore $JAVA_HOME/jre/lib/security/cacerts  
      -srcstoretype JKS
      -destkeystore cacerts.p12 
      -deststoretype PKCS12
      -destprovidername JipherJCE 
      -providerclass com.oracle.jipher.provider.JipherJCE 
      -providerpath $CLASSPATH
  2. Set the Java system properties used by the default SSL context when booting WebLogic Server. You can do this by setting the following Java options in the WebLogic Server start script as described in Specifying Java Options for a WebLogic Server Instance in Administering Server Startup and Shutdown for Oracle WebLogic Server.
    For example:
    Set JAVA_OPTIONS=”-Djavax.net.ssl.trustStore=/u01/jdk/jre/lib/security/cacerts.p12 -Djavax.net.ssl.trustStoreType=PKCS12”

Important Considerations When Using Web Services

When using web services in FIPS 140-2 mode, there are important considerations to keep in mind.

For example:

SHA-1 Secure Hash Algorithm Not Supported

SHA-1 Secure Hash Algorithm is not supported in FIPS 140-2 mode. Therefore the following WS-SP <sp:AlgorithmSuite> values are not supported in FIPS 140-2 mode:

  • Basic256

  • Basic192

  • Basic128

  • TripleDes

  • Basic256Rsa15

  • Basic192Rsa15

  • Basic128Rsa15

  • TripleDesRsa15

As described in Using the SHA-256 Secure Hash Algorithm in Securing WebLogic Web Services for Oracle WebLogic Server, the WebLogic Server web service security policies support both the SHA-1 and much stronger SHA-2 (SHA-256) secure hash algorithms for hashing digital signatures. Specifically, Using the SHA-256 Policies describes which policies use the SHA-1 secure hash algorithm and their SHA-2 equivalents.

FIPS 140-2 mode requires an Extended Algorithm Suite when digital signatures are used. See Using the Extended Algorithm Suite (EAS) in Securing WebLogic Web Services for Oracle WebLogic Server.

If you enable FIPS 140-2 mode, change the <sp:AlgorithmSuite> element in the Security policy to one of the following supported <sp:AlgorithmSuite> values as described in Using the SHA-256 Secure Hash Algorithm:

  • Basic256Sha256

  • Basic192Sha256

  • Basic128Sha256

  • Basic256Exn256

  • Basic192Exn256

  • Basic128Exn256

  • TripleDesSha256

  • TripleDesExn256

  • Basic256Sha256Rsa15

  • Basic192Sha256Rsa15

  • Basic128Sha256Rsa15

  • Basic256Exn256Rsa15

  • Basic192Exn256Rsa15

  • Basic128Exn256Rsa15

  • TripleDesSha256Rsa15

  • TripleDesExn256Rsa15

For example, to edit an existing Basic256 Algorithm Suite to an EAS Algorithm Suite, then change the policy from

<sp:AlgorithmSuite>
        <wsp:Policy>
             <sp:Basic256/>
        </wsp:Policy>
</sp:AlgorithmSuite>

to

<sp:AlgorithmSuite>
         <wsp:Policy>
             <orasp:Basic256Exn256 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"/>
         </wsp:Policy>
</sp:AlgorithmSuite>

X509PKIPathv1 token Not Supported

The X509PKIPathv1 token is not supported for FIPS 140-2 mode in this release of WebLogic Server. If you use the X509PKIPathv1 token in a custom policy, change the policy to use the PKCS7 token instead.

Specifically, the following two policy assertions are not supported in FIPS 140-2 mode in this release of WebLogic Server:

  • <sp:WssX509PkiPathV1Token10/>

  • <sp:WssX509PkiPathV1Token11/>

If you use these two policy assertions, change them to the following two assertions instead:

  • <sp:WssX509Pkcs7Token10/>

  • <sp:WssX509Pkcs7Token11/>

For example, if the policy has the following assertion in the custom policy:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
               <sp:WssX509PkiPathV1Token10/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>

replace it with the following policy assertion:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
               <sp:WssX509Pkcs7Token10/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>

Or, if the policy has the following assertion in the custom policy:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
              <sp:RequireThumbprintReference/>
              <sp:WssX509PkiPathV1Token11/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>

replace it with the following assertion:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
               <sp:RequireThumbprintReference/>
               <sp:WssX509Pkcs7Token11/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>