FIPS Support
The Windchill RV&S server's SSL implementation can be configured to conform to the FIPS 140-2 standard. Windchill RV&S uses bc-fips-1.0.1.jar (a module from Bouncy Castle) for FIPS 140-2 compliance. The BC FIPS jar has been designed and implemented to meet FIPS 140-2 Level 1 requirements.
The FIPS 140-2 configuration is supported only for the following connections:
• Windchill RV&S client - Windchill RV&S server
• Windchill RV&S server - Windchill RV&S server
• Web browser - Windchill RV&S server
• Windchill RV&S Agent - Windchill RV&S server
• Windchill RV&S API (Java or C) - Windchill RV&S server
If you have not created a server certificate, follow the instructions provided in the Windchill RV&S documentation to create the certificate, have it signed, and import it into the Windchill RV&S server PKCS12 keystore:
<IntegrityServerInstallDir>/data/tls/certificate.p12
For more information on creating a server certificate, see Creating Signed Server Certificates.
Perform the following steps to configure Windchill RV&S for FIPS:
1. Configure the database server for SSL and obtain the public key certificate of the database server. Import this certificate into the <IntegrityServerInstallDir>/data/tls/certificate.p12 keystore as a trusted certificate.
2. Configure additional parameters for the mks.dynamicPool.config property in <IntegrityServerInstallDir>/config/properties/is.properties as follows. The property is one logical value; it is wrapped here with trailing-backslash line continuations, which the properties file format accepts (a single long line is equivalent):
mks.dynamicPool.config=url\=jdbc\:sqlserver\://<hostname>\:<port>;databaseName\=<dbname>;\
    selectMethod\=cursor;encrypt=true;fips=true;trustStoreType=PKCS12;fipsProvider=BCFIPS;\
    trustServerCertificate=false;hostNameInCertificate=<hostnameInCert>;trustStorePassword=<password>;\
    trustStore=<IntegrityServerInstallDir>/data/tls/certificate.p12,driver\=mks.frame.sql.jdbc.mssql.Driver,initialCapacity\=5,maxCapacity\=100,testTable\=VersionIdentity
3. Configure the Windchill RV&S server to use the BC FIPS provider for SSL by adding the following property to <IntegrityServerInstallDir>/config/properties/is.properties:
mksis.secure.provider=bcfips
4. Restart the Windchill RV&S server for the changes to take effect.
5. Modify the following .lax files of the standalone DB utilities so that these utilities also install the BC FIPS provider (steps 6 through 9 describe the changes):
◦ <IntegrityServerInstallDir>/bin/isutil.lax
◦ <IntegrityServerInstallDir>/bin/PatchServer.lax
◦ <IntegrityServerInstallDir>/bin/collectSupportPackage.lax
6. Ensure that the property security.overridePropertiesFile is set to true in the <JRE_INSTALL_DIR>/lib/security/java.security file.
7. Note the highest number N among the security.provider.N properties in that file. In the following, this highest number is referred to as NN.
8. Create a new text file (this procedure assumes it is named JavaSecurityFips.txt) and add the following entry to it, where M is NN+1:
security.provider.M=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
9. Edit each of the aforementioned lax files as follows:
a. Add the path of the bc-fips-1.0.1.jar to the property lax.class.path. The path is ..\server\mks\lib\bc-fips-1.0.1.jar, which is relative to the location of the lax file.
b. Add a new argument -Djava.security.properties to the lax.nl.java.option.additional property. Set its value to the location of the JavaSecurityFips.txt file as follows:
lax.nl.java.option.additional=-Djava.security.properties=<location of JavaSecurityFips.txt>
10. Delete the jar server/mks/lib/bcprov-jdk15on-1.60.jar.
In the FIPS configuration, the jar file bc-fips-1.0.1.jar must be used. Due to the way class loaders work on some platforms, there is a conflict between bc-fips-1.0.1.jar and bcprov-jdk15on-1.60.jar. Hence, for FIPS mode, delete the bcprov-jdk15on-1.60 jar to ensure that only the FIPS-compliant jar is used.
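As an added check (not part of the Windchill RV&S product or this documentation), the following Python reads the two is.properties entries from steps 2 and 3, reports any FIPS-relevant JDBC setting that does not have the required value, and derives the security.provider.M line for JavaSecurityFips.txt from a java.security excerpt as steps 6 to 8 describe. The host name, database name, keystore path and password in the samples are constructed placeholders.

```python
import re
# Constructed is.properties sample from the procedure, with backslash line continuations.
SAMPLE_IS_PROPERTIES = r"""
mksis.secure.provider=bcfips
mks.dynamicPool.config=url\=jdbc\:sqlserver\://db.example.test\:1433;databaseName\=rvs;\
    selectMethod\=cursor;encrypt=true;fips=true;trustStoreType=PKCS12;fipsProvider=BCFIPS;\
    trustServerCertificate=false;hostNameInCertificate=db.example.test;trustStorePassword=secret;\
    trustStore=/opt/rvs/data/tls/certificate.p12,driver\=mks.frame.sql.jdbc.mssql.Driver,initialCapacity\=5
"""
# Constructed excerpt of java.security (steps 6 and 7); the highest provider number NN is 2 here.
SAMPLE_JAVA_SECURITY = """
security.overridePropertiesFile=true
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
"""
# JDBC URL settings the FIPS configuration requires, with the value each must have.
REQUIRED_JDBC = {"encrypt": "true", "fips": "true", "trustStoreType": "PKCS12",
                 "fipsProvider": "BCFIPS", "trustServerCertificate": "false"}
def parse_properties(text):
    """Minimal .properties reader: joins backslash-continued lines, unescapes \\= and \\:."""
    props, buf = {}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):            # value continues on the next line
            buf += line[:-1]
            continue
        key, _, value = (buf + line).partition("=")
        props[key] = value.replace("\\=", "=").replace("\\:", ":")
        buf = ""
    return props

def fips_findings(props):
    """Return the is.properties settings that do not match the FIPS procedure."""
    findings = []
    if props.get("mksis.secure.provider") != "bcfips":
        findings.append("mksis.secure.provider is not bcfips")
    pool = dict(kv.split("=", 1) for kv in props.get("mks.dynamicPool.config", "").split(",") if "=" in kv)
    jdbc = dict(kv.split("=", 1) for kv in pool.get("url", "").split(";")[1:] if "=" in kv)
    for key, want in REQUIRED_JDBC.items():
        if jdbc.get(key) != want:
            findings.append(f"JDBC {key}={jdbc.get(key)}, expected {want}")
    return findings

def fips_provider_line(java_security_text):
    """Entry for JavaSecurityFips.txt: security.provider.M with M = NN + 1 (steps 7 and 8)."""
    if not re.search(r"^security\.overridePropertiesFile=true$", java_security_text, re.M):
        raise ValueError("security.overridePropertiesFile must be true (step 6)")
    nn = max(int(n) for n in re.findall(r"^security\.provider\.(\d+)=", java_security_text, re.M))
    return f"security.provider.{nn + 1}=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
```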
Deleting the bc-fips-1.0.1.jar after a roll back
The bc-fips-1.0.1.jar is not deleted automatically from the server/server/mks/lib directory after the CPS is rolled back using the PatchServer utility, so you must delete this jar file manually after the rollback. You must also roll back all manual configuration changes that were made for FIPS support.