EAServer security includes support for SSL, certificate handling, and TLS, including:
keytool – a command line tool used to configure and modify the certificate database, generate certificate requests, and so on. See “Managing keys and certificates on EAServer” for more information.
set-certificate – a command line script used to map certificates to users. See “Set-certificate” for more information.
Two implementations for handling SSL/TLS protocol and related ciphersuites:
JSSE – JDK1.4 includes support for JSSE (Java Secure Socket Extension), allowing you to use existing applications with little modification.
Certicom SSL-J – includes a Java implementation of the SSL/TLS protocol that supports more ciphersuites than JSSE and is certified against FIPS140-2.
Set the ORB option com.sybase.ejb.useJSSE to choose between JSSE and Certicom implementations on the client side. Certicom is the default if the variable is not set.
By default, the TLS version 1 protocol is enabled on the server and client.
Enabling FIPS using the Certicom Java libraries
FIPS mode requires Certicom Java 1.4 libraries to be installed and running.
When FIPS mode is enabled, any SSL listener not using a FIPS-supported security profile is considered invalid, and does not start. See “Security characteristics” for a list.
On the server – from the Web Management Console, select FIPS Mode Enabled for the server on which you are enabling FIPS. See “JSSE configuration” for instructions.
If you set the “-fips false” option, the server is started using the JSSE library.
With FIPS enabled, you can use only certain algorithms (security characteristics) for quality of protection (QOP). See “Security characteristics” for a list.
On the client – set the com.sybase.ejb.fips connection property to specify FIPS usage. Additional client-side properties added to support FIPS include:
com.sybase.ejb.keystore
com.sybase.ejb.truststore
com.sybase.ejb.keystoreType
com.sybase.ejb.truststoreType
com.sybase.ejb.keystorePassword
com.sybase.ejb.truststorePassword
com.sybase.ejb.qop
com.sybase.ejb.useJSSE
com.sybase.ejb.certificateLabel
com.sybase.ejb.pin
com.sybase.ejb.pin is used to support backward compatibility. When this property is set and keystorePassword and truststorePassword are not specified, the pin property is used.
With FIPS enabled, typical client code used to access an EJB on the server could look like:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties props = new Properties();
props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sybase.ejb.InitialContextFactory");
// iiops:// selects IIOP over SSL/TLS
props.put(Context.PROVIDER_URL, "iiops://" + "localhost" + ":" + port1);
props.put(Context.SECURITY_PRINCIPAL, "admin@system");
props.put(Context.SECURITY_CREDENTIALS, "sybase1");
// quality of protection: must be a FIPS-supported security characteristic
props.put("com.sybase.ejb.qop", "intl");
Context ctx = new InitialContext(props);
Object obj = ctx.lookup("ejb");
JMS clients
For JMS clients, set the com.sybase.jms.fips connection property to specify FIPS usage. Additional client-side properties added to support FIPS are the same as mentioned above for EJBs, except the property names use jms instead of ejb. For example, com.sybase.ejb.keystore becomes com.sybase.jms.keystore.
You also need the proper Java libraries in the classpath, namely those under the lib/fips/ subdirectory.
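The following helper assembles the FIPS client property set described above for either an EJB client (com.sybase.ejb.*) or a JMS client (com.sybase.jms.*), enforcing the documented rule that keystorePassword/truststorePassword are the primary credentials and pin is only the backward-compatible fallback. It is an added example, not EAServer product code: the property names are the ones listed in this section, but the value "true" for the fips property, the "PKCS12" store type, the environment-variable names, and the ejbContext() JNDI setup (taken from the EJB example above) are assumptions.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Builds FIPS-mode client properties for EAServer EJB or JMS clients (added example). */
public final class FipsClientProperties {

    /**
     * kind is "ejb" or "jms": the FIPS property set is identical apart from the
     * com.sybase.ejb. / com.sybase.jms. prefix. Returns only the com.sybase.* entries.
     */
    public static Properties fipsProperties(String kind, String keystore, String truststore,
                                            String keystorePassword, String truststorePassword,
                                            String pin) {
        if (!"ejb".equals(kind) && !"jms".equals(kind)) {
            throw new IllegalArgumentException("kind must be \"ejb\" or \"jms\": " + kind);
        }
        String prefix = "com.sybase." + kind + ".";
        Properties props = new Properties();
        props.put(prefix + "fips", "true");            // assumed value: request FIPS usage
        props.put(prefix + "useJSSE", "false");        // Certicom library (the default) is required for FIPS
        props.put(prefix + "qop", "intl");             // security characteristic used in the page's example
        props.put(prefix + "keystore", keystore);
        props.put(prefix + "keystoreType", "PKCS12");  // assumed store type
        props.put(prefix + "truststore", truststore);
        props.put(prefix + "truststoreType", "PKCS12");

        // Documented precedence: explicit store passwords are used when present;
        // pin is consulted only when keystorePassword and truststorePassword are absent.
        if (keystorePassword != null) {
            props.put(prefix + "keystorePassword", keystorePassword);
        }
        if (truststorePassword != null) {
            props.put(prefix + "truststorePassword", truststorePassword);
        }
        if (keystorePassword == null && truststorePassword == null) {
            if (pin == null) {
                throw new IllegalArgumentException(
                    "no keystore/truststore passwords and no legacy pin supplied");
            }
            props.put(prefix + "pin", pin);            // backward-compatible fallback
        }
        return props;
    }

    /** Adds the JNDI entries from the page's EJB example on top of the FIPS properties. */
    public static Properties ejbContext(Properties fips, String host, int port,
                                        String principal, String credentials) {
        Properties props = new Properties();
        props.putAll(fips);
        props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sybase.ejb.InitialContextFactory");
        props.put(Context.PROVIDER_URL, "iiops://" + host + ":" + port);  // IIOP over SSL/TLS
        props.put(Context.SECURITY_PRINCIPAL, principal);
        props.put(Context.SECURITY_CREDENTIALS, credentials);
        return props;
    }

    public static void main(String[] args) {
        // Secrets come from the environment instead of being hard-coded (variable names assumed).
        Properties fips = fipsProperties("ejb",
            "client.p12", "trust.p12",
            System.getenv("EAS_KEYSTORE_PASSWORD"), System.getenv("EAS_TRUSTSTORE_PASSWORD"),
            System.getenv("EAS_PIN"));
        Properties props = ejbContext(fips, "localhost", 2443,
            "admin@system", System.getenv("EAS_ADMIN_PASSWORD"));
        try {
            Context ctx = new InitialContext(props);
            Object obj = ctx.lookup("ejb");
            System.out.println("lookup succeeded: " + obj.getClass().getName());
        } catch (NamingException e) {
            // A listener that is not using a FIPS-supported security profile does not start,
            // so a refused iiops connection is the usual symptom of a profile mismatch.
            System.err.println("lookup failed: " + e.getMessage());
        }
    }
}
```

For a JMS client, call fipsProperties("jms", ...) and hand the resulting properties to the JMS connection in whatever way your client code already does; the page only specifies the property names, so ejbContext() is not applied there.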
If FIPS mode is enabled, EAServer logs the message FIPS 140-2 mode enabled to the console. If the mode is not set, no message is logged.
Enabling FIPS has the following effect on EAServer:
Restricts the SSL/TLS runtime engine to the TLS protocol only.
Permits the use of cipher suites and security characteristics listed in Table 6-1.
Accepts X.509 certificates signed using a SHA1WithRsa algorithm. Certificates signed with any other algorithm are not accepted and generate an error.
Other cryptographic functionality that normally employs a non-FIPS-approved algorithm now fails. For example, a PKCS #12 certificate containing a private key shrouded (signed) with a pbeWithSHA1And40bitRc4 algorithm fails to import, since RC4 is not a FIPS 140-2-approved algorithm. The private and public keys must be shrouded using pbeWithSHA1And3KeyTripleDescbc.
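Because a rejected import under FIPS mode surfaces only as an error at import time, it is useful to check certificate and PKCS #12 material before handing it to keytool. The class below is an added example, not part of EAServer: it verifies that every certificate in a file is signed with SHA1withRSA (the only signature algorithm this section says FIPS mode accepts) and classifies the shrouding algorithm of a PKCS #12 file by scanning its DER bytes for the pbeWithSHA1And3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC4 object identifiers. The OID scan is a heuristic: the shrouded-key-bag AlgorithmIdentifier is normally stored unencrypted, so the OID is visible in the raw file, but a file using some other PBE scheme is reported as UNKNOWN rather than accepted. The file names in main() are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Pre-import checks for FIPS-mode EAServer (added example, not product code). */
public final class FipsImportCheck {

    // DER encoding (tag 0x06, length 0x0A, value) of 1.2.840.113549.1.12.1.3,
    // pbeWithSHA1And3-KeyTripleDES-CBC: the shrouding algorithm FIPS mode accepts.
    private static final byte[] OID_PBE_SHA1_3DES = {
        0x06, 0x0A, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03 };
    // 1.2.840.113549.1.12.1.2, pbeWithSHA1And40BitRC4: rejected, RC4 is not FIPS 140-2 approved.
    private static final byte[] OID_PBE_SHA1_40RC4 = {
        0x06, 0x0A, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x02 };

    /** Returns the signature algorithm name if it is the one FIPS mode accepts, else throws. */
    public static String requireSha1WithRsa(X509Certificate cert) {
        String alg = cert.getSigAlgName();  // JCA name, e.g. "SHA1withRSA"
        if (!"SHA1withRSA".equalsIgnoreCase(alg)) {
            throw new IllegalArgumentException("FIPS mode accepts only SHA1withRSA-signed certificates; "
                + cert.getSubjectX500Principal().getName() + " is signed with " + alg);
        }
        return alg;
    }

    /** Checks every certificate in a PEM or DER file; returns the accepted subjects. */
    public static List<String> checkCertificateFile(Path file) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> subjects = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                requireSha1WithRsa(x);
                subjects.add(x.getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    /** Heuristic classification of a PKCS #12 file's key-shrouding algorithm: "3DES", "RC4" or "UNKNOWN". */
    public static String shroudingAlgorithm(byte[] p12) {
        if (indexOf(p12, OID_PBE_SHA1_40RC4) >= 0) {
            return "RC4";      // will fail to import in FIPS mode
        }
        if (indexOf(p12, OID_PBE_SHA1_3DES) >= 0) {
            return "3DES";     // the algorithm the page requires
        }
        return "UNKNOWN";      // some other PBE scheme; not documented as accepted
    }

    /** Naive byte-sequence search; the inputs are small, so O(n*m) is fine. */
    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) {
                    continue outer;
                }
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names; replace with the material you intend to import.
        Path certFile = Path.of("server-cert.pem");
        Path p12File = Path.of("server-key.p12");
        System.out.println("accepted certificates: " + checkCertificateFile(certFile));
        String shrouding = shroudingAlgorithm(Files.readAllBytes(p12File));
        System.out.println("PKCS #12 shrouding: " + shrouding);
        if (!"3DES".equals(shrouding)) {
            System.err.println("re-export the PKCS #12 file with pbeWithSHA1And3KeyTripleDescbc before importing");
        }
    }
}
```

Run the check against the exported material before starting keytool; a result of RC4 or UNKNOWN means the file should be re-exported with the 3-key Triple-DES shrouding the page requires, and a certificate signed with anything other than SHA1withRSA will be rejected by the server regardless of the container format.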
For FIPS certification:
When EAServer runs with JDK 1.4, it is FIPS certified.
When EAServer runs with JDK 1.5, it is not FIPS certified.