FIPS Support
The PTC RV&S server's SSL implementation can be configured to conform to the FIPS 140-3 standard. PTC RV&S uses the bc-fips-2.1.2.jar (a module from Bouncy Castle) for FIPS 140-3 compliance. For TLSv1.3 support, PTC RV&S uses the bctls-fips-2.1.22.jar. The BC FIPS jar has been designed and implemented to meet FIPS 140-3, Level 1 requirements. The FIPS 140-3 configuration is supported only for the following connections:
• PTC RV&S client-PTC RV&S server
• PTC RV&S server-PTC RV&S server
• Web browser-PTC RV&S server
• Agent PTC RV&S-PTC RV&S server
• PTC RV&S API (Java or C)-PTC RV&S server
If you have not created a server certificate, follow the instructions provided in the PTC RV&S documentation to create the certificate, have it signed, and import it into the PTC RV&S server PKCS12 keystore:
<ServerInstalldir>/data/tls/certificate.p12
For more information on creating a server certificate, see Creating Signed Server Certificates.
Perform the following steps to configure PTC RV&S for FIPS:
1. Configure the Database server on SSL and obtain the public key certificate for the Database server. Import this certificate into the <ServerInstalldir>/data/tls/certificate.p12 keystore as a trusted certificate.
2. Configure additional parameters for the mks.dynamicPool.config property in the <ServerInstallDir>/config/properties/is.properties as follows:
mks.dynamicPool.config=url\=jdbc\:sqlserver\://<hostname>\:<port>;databaseName\=<dbname>;
selectMethod\=cursor;encrypt=true;fips=true;trustStoreType=PKCS12;fipsProvider=BCFIPS;
trustServerCertificate=false;hostNameInCertificate=<hostnameInCert>;trustStorePassword=<password>;
trustStore=<ServerInstallDir>/data/tls/certificate.p12,driver\=mks.frame.sql.jdbc.mssql.Driver,initialCapacity\=5,maxCapacity\=100,testTable\=VersionIdentity
3. Configure the PTC RV&S server to use the BC FIPS provider for SSL by adding the following property to the <ServerInstallDir>/config/properties/is.properties:
mksis.secure.provider=bcfips
4. Restart the PTC RV&S server for the changes to take effect.
5. Ensure that the property security.overridePropertiesFile is set to true in the <JDK_INSTALL_DIR>/lib/security/java.security file.
6. Note the highest value of N among the security.provider.N properties in that file. In the following steps this number is referred to as NN.
7. Create a new text file. For this example, assume the file is named JavaSecurityFips.txt, and add the following entry to it:
security.provider.M=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider where M is NN+1.
8. Modify the following lax files of the standalone DB utilities so that these utilities also install the BC FIPS provider:
◦ <ServerInstallDir>/bin/isutil.lax
◦ <ServerInstallDir>/bin/PatchServer.lax
◦ <ServerInstallDir>/bin/collectSupportPackage.lax
a. Add the paths of bc-fips-2.1.2.jar, bctls-fips-2.1.22.jar, bcpkix-fips-2.0.10.jar and bcutil-fips-2.0.5.jar to the property lax.class.path. Each path is relative to the location of the lax file, for example :../server/mks/lib/bc-fips-2.1.2.jar:../server/mks/lib/bctls-fips-2.1.22.jar.
b. Add a new argument -Djava.security.properties to the lax.nl.java.option additional property. Set its value to the location of the JavaSecurityFips file as follows:
lax.nl.java.option.additional=-Djava.security.properties=<location of JavaSecurityFips.txt>
9. Configure the FIPS-compliant jars.
a. Take a backup of the following jars from the location /server/mks/lib. Ensure that these jars are completely removed:
▪ bcpkix-jdk18on-1.78.1.jar
▪ bcprov-jdk18on-1.78.1.jar
▪ bcutil-jdk18on-1.78.1.jar
▪ bc-fips-2.1.2.jar
▪ bctls-fips-2.1.22.jar
▪ bcutil-fips-2.0.5.jar
▪ bcpkix-fips-2.0.10.jar
10. In the mksservice.conf file, append the mks.java.classpath entries for the bc-fips-2.1.2.jar in the following order:
mks.java.classpath.xx=/<serverinstalldir>/server/mks/lib/bc-fips-2.1.2.jar
Ensure that the numbers xx trailing the mks.java.classpath property are unique and not repeated anywhere in the mksservice.conf file.
After editing the mksservice.conf file, stop and restart the PTC RV&S server.
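The following Python script is an added example, not part of the PTC RV&S product or its documentation: it audits the edits made in the steps above (the mksis.secure.provider and mks.dynamicPool.config settings in is.properties, the security.overridePropertiesFile flag and next security.provider.N number in java.security, and the uniqueness of the mks.java.classpath.xx suffixes in mksservice.conf). It runs over constructed sample file contents; the hostnames, paths and jar names in those samples are placeholders.

```python
import re

# Constructed sample file contents (not copied from any real server) for the checks below.
JAVA_SECURITY = "security.overridePropertiesFile=true\nsecurity.provider.1=SUN\nsecurity.provider.2=SunRsaSign\nsecurity.provider.3=SunEC\n"
IS_PROPERTIES = (
    "mksis.secure.provider=bcfips\n"
    "mks.dynamicPool.config=url\\=jdbc\\:sqlserver\\://db.example.test\\:1433;databaseName\\=rvs;"
    "selectMethod\\=cursor;encrypt=true;fips=true;trustStoreType=PKCS12;fipsProvider=BCFIPS;"
    "trustServerCertificate=false;hostNameInCertificate=db.example.test;trustStorePassword=<password>;"
    "trustStore=/opt/rvs/data/tls/certificate.p12,driver\\=mks.frame.sql.jdbc.mssql.Driver\n"
)
MKSSERVICE_CONF = ("mks.java.classpath.1=/opt/rvs/server/mks/lib/a.jar\nmks.java.classpath.2=/opt/rvs/server/mks/lib/b.jar\n"
                   "mks.java.classpath.2=/opt/rvs/server/mks/lib/bc-fips-2.1.2.jar\n")  # index 2 repeated on purpose

# Settings the procedure requires, keyed as they appear in java.security, is.properties and the JDBC url.
EXPECTED = {"security.overridePropertiesFile": "true", "mksis.secure.provider": "bcfips",
            "encrypt": "true", "fips": "true", "fipsProvider": "BCFIPS",
            "trustStoreType": "PKCS12", "trustServerCertificate": "false"}

def load_properties(text):
    """Minimal Java .properties reader: split on the first '=' and unescape \\= and \\: in values."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key] = value.replace("\\=", "=").replace("\\:", ":")
    return props

def fips_provider_line(java_security_text):
    """Steps 6 and 7: the JavaSecurityFips.txt entry uses the highest security.provider.N plus one."""
    nums = [int(n) for n in re.findall(r"^security\.provider\.(\d+)=", java_security_text, re.M)]
    return f"security.provider.{max(nums) + 1}=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"

def fips_findings(is_props, java_props):
    """Steps 2, 3 and 5: list each setting that is missing or weaker than the procedure requires."""
    url = is_props.get("mks.dynamicPool.config", "").split(",")[0]  # the url=... part, before driver=
    seen = {**java_props, **is_props, **dict(p.split("=", 1) for p in url.split(";") if "=" in p)}
    return [f"{k}={seen.get(k)} (expected {v})" for k, v in EXPECTED.items() if seen.get(k) != v]

def duplicate_classpath_indexes(conf_text):
    """Step 10: the numeric suffix of mks.java.classpath.xx must be unique in mksservice.conf."""
    idxs = re.findall(r"^mks\.java\.classpath\.(\d+)=", conf_text, re.M)
    return sorted({i for i in idxs if idxs.count(i) > 1}, key=int)

if __name__ == "__main__":
    print(fips_provider_line(JAVA_SECURITY))
    print(fips_findings(load_properties(IS_PROPERTIES), load_properties(JAVA_SECURITY)))
    print(duplicate_classpath_indexes(MKSSERVICE_CONF))
```

To audit a real installation, read the three files from <ServerInstallDir> and <JDK_INSTALL_DIR> into the three variables in place of the constructed samples.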
If the server is configured with SAML, then add the following property: mks.java.additional.XX=-Dopensaml.config.ecdh.defaultKDF=PBKDF2