Enabling FIPS Support

Installation and Upgrade > Installation and Configuration Guide > Advanced Configurations > Post Installation Server Security > Enabling FIPS Support

This topic outlines the configurations that are required to ensure compliance with FIPS standard. FIPS configuration is supported for the following connections:

• Secured RMI. For more details, see Secure RMI Server Configuration.

◦ Secured remote JMX. For secured JMX configuration, you are required to have a secured RMI connection. For more details, see Remote JMX Monitoring and Secure RMI Server Configuration.

• Secured LDAP. For more details on enabling secure LDAP, see Entering Your LDAP Settings.

• Secured JDBC. For more information about configuring Oracle JDBC with FIPS, see Configuring Oracle JDBC with FIPS for Windchill

To make your configurations FIPS compliant, you must follow the steps given below:

• Enable your operating system specific FIPS configuration settings.

• Obtain and configure CA-signed FIPS compliance certificates for all the listed and additional system integrations. For detailed steps, see Process for Creating Self-Signed Server Certificate.

Each integration requires a separate FIPS compliance certificate. You are required to import these certificates, along with the Java public certificate, in a same secure FIPS certificate store.

• Add your FIPS provider entry in the JDK security file located at JDK_HOME/conf/security/java.security. FIPS provider must be listed at the top of the list of existing providers. An example of the JDK security file with FIPS provider configuration is:

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.3=SUN
security.provider.4=SunRsaSign
security.provider.5=SunEC
security.provider.6=SunJSSE
security.provider.7=SunJCE
security.provider.8=SunJGSS
security.provider.9=SunSASL
security.provider.10=XMLDSig
security.provider.11=SunPCSC
security.provider.12=JdkLDAP
security.provider.13=JdkSASL
security.provider.14=SunPKCS11

• Download specific provider jars to WT_HOME/codebase/WEB-INF/lib folder. An example of provider jars is Bouncy Castle jars listed below.

bc-fips-2.1.2.jar
bcutil-fips-2.1.5.jar
bctls-fips-2.1.22.jar

Windchill FIPS compliance configurations are qualified using Bouncy Castle provider. You can use FIPS compliance provider of your choice.

Was this helpful?